Author Topic: [Resolved] MY antivirus is being tampered with  (Read 2244 times)


Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] MY antivirus is being tampered with
« Reply #15 on: August 01, 2012, 02:03:38 PM »
You've said from the beginning the problem is the Antivirus. I agree...and, you can see from continuing to surf while the antivirus product is defective, your situation has gone from bad to worse. Please do nothing else with the affected computer except what is directed here. No surfing, and don't open any emails except from SpywareHammer. If you need to download something, I will provide the link for you.

Please disconnect the affected system from the internet. Uninstall Symantec. Let me know when you finish. Thanks!
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-12

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline pwellby

  • Bronze Member
  • Posts: 34
Re: [Resolved] MY antivirus is being tampered with
« Reply #16 on: August 02, 2012, 06:01:52 AM »
Thanks, I have disconnected it from the internet.

I don't actually think that the antivirus has caused the problem, I think that the virus has affected some programmes from functioning properly (for example both adobe acrobat and the antivirus are not working properly). The antivirus still does scans (the only problem is with the live update function and the error message is not about license renewal but about failure to connect to the service) and is picking up hundreds of 'trojan' or 'trojan.gen' files which it is putting in quarantine.

Do you still think I must uninstall it?

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Resolved] MY antivirus is being tampered with
« Reply #17 on: August 02, 2012, 05:13:08 PM »
Yes. Afterwards, please download the DDS utility to some removable media. Use that to transfer it to the affected system. Run a fresh DDS scan and post back BOTH logs. Next, download RogueKiller to your removable media and transfer it to the desktop of the affected system.
  • Close all open programs
  • For Vista or Windows 7, right click -> run as administrator, for XP simply double-click RogueKiller.exe
  • Accept the agreement and the pre-scan begins. Please wait until it finishes, then click the Scan button.
  • When the scan completes, the RKreport.txt shall be generated and auto-saved to your desktop.
Note: If the program fails to run, don't hesitate to try several times. If several attempts still fail (it is possible), just rename it to winlogon.exe and try running it again.

Please post the contents of the RKreport.txt in your next reply (along with the above requested logs) and wait for further instructions...and please do nothing else with this tool until or unless directed. Thanks!

Offline pwellby

  • Bronze Member
  • Posts: 34
Re: [Resolved] MY antivirus is being tampered with
« Reply #18 on: August 03, 2012, 03:48:07 AM »
Ok, will do. I am going away on holiday today for a week so will do this when I get back and post the logs then. Just so you know why there is a delay. Thanks for your help so far.

Offline pwellby

  • Bronze Member
  • Posts: 34
Re: [Resolved] MY antivirus is being tampered with
« Reply #19 on: August 09, 2012, 01:49:24 PM »
Ok, I am back. I couldn't delete the Symantec because when I tried to uninstall it, it gave me an error message - something about a command error. Reports are below:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.5.1
Run by GCH at 20:36:55 on 2012-08-09
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2940.2028 [GMT 1:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TODDSrv.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Activ Software\ActivDriver\ActivControl2.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Activ Software\ActivDriver\activmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.gch.org.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.gch.org.uk/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\gch\local settings\application data\gypswbvn\ofhfhbfb.exe"c:\documents and settings\gch\application data\xsecva\xsecva.exe" -s,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [OfhFhbfb] c:\documents and settings\gch\local settings\application data\gypswbvn\ofhfhbfb.exe
uRun: [XSECVA] c:\documents and settings\gch\local settings\application data\gypswbvn\ofhfhbfb.exe"c:\documents and settings\gch\application data\xsecva\xsecva.exe" -s
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [ActivControl] c:\program files\activ software\activdriver\ActivControl2.exe
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://www.reachrth4.com/vdesk/terminal/f5tunsrv.cab#version=7000,2010,611,2051
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - c:\docume~1\gch\locals~1\temp\ixp000.tmp\InstallerControl.cab#-1,-1,-1,-1
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://www.reachrth4.com/vdesk/terminal/urxhost.cab#version=7000,2010,611,2119
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\gch\application data\mozilla\firefox\profiles\evopcicy.default\
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [2007-11-9 74752]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-7-16 106656]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-7-14 5888]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120716.002\naveng.sys [2012-7-16 87928]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120716.002\navex15.sys [2012-7-16 1589752]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [2010-5-26 6144]
S?1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\gch\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\gch\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\gch\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\gch\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-16 135664]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-16 135664]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-26 113120]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
.
=============== Created Last 30 ================
.
2012-08-01 16:39:11   --------   d-----w-   c:\program files\PC Tools
2012-08-01 16:35:15   203120   ----a-w-   c:\windows\system32\drivers\PCTSD.sys
2012-08-01 16:35:15   --------   d-----w-   c:\program files\common files\PC Tools
2012-08-01 16:34:26   --------   d-----w-   c:\documents and settings\gch\application data\TestApp
2012-08-01 14:00:44   --------   d-----w-   c:\documents and settings\gch\local settings\application data\Sun
2012-08-01 13:59:54   --------   d-----w-   c:\program files\Oracle
2012-08-01 13:59:47   143872   ----a-w-   c:\windows\system32\javacpl.cpl
2012-07-30 17:30:29   --------   d-----w-   c:\documents and settings\gch\local settings\application data\Temp
2012-07-30 15:56:20   --------   d-----w-   c:\documents and settings\gch\local settings\application data\{2BF39ED1-D980-11E1-8270-B8AC6F996F26}
2012-07-29 16:46:04   476976   ----a-w-   c:\windows\system32\npdeployJava1.dll
2012-07-29 13:20:33   417792   ----a-w-   c:\documents and settings\gch\application data\mavbaz.dll
2012-07-29 13:19:35   133632   ----a-w-   c:\documents and settings\gch\application data\ocrog.dll
.
==================== Find3M  ====================
.
2012-08-09 19:36:25   48768   ----a-w-   c:\windows\system32\S32EVNT1.DLL
2012-08-09 19:36:25   110952   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
2012-07-05 21:06:20   687544   ----a-w-   c:\windows\system32\deployJava1.dll
2012-06-13 13:19:59   1866112   ----a-w-   c:\windows\system32\win32k.sys
2012-06-05 15:50:25   1372672   ----a-w-   c:\windows\system32\msxml6.dll
2012-06-05 15:50:25   1172480   ----a-w-   c:\windows\system32\msxml3.dll
2012-06-04 04:32:08   152576   ----a-w-   c:\windows\system32\schannel.dll
2012-06-02 14:19:44   22040   ----a-w-   c:\windows\system32\wucltui.dll.mui
2012-06-02 14:19:38   219160   ----a-w-   c:\windows\system32\wuaucpl.cpl
2012-06-02 14:19:38   15384   ----a-w-   c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 14:19:34   15384   ----a-w-   c:\windows\system32\wuapi.dll.mui
2012-06-02 14:19:30   17944   ----a-w-   c:\windows\system32\wuaueng.dll.mui
2012-06-02 14:18:58   275696   ----a-w-   c:\windows\system32\mucltui.dll
2012-06-02 14:18:58   214256   ----a-w-   c:\windows\system32\muweb.dll
2012-06-02 14:18:58   17136   ----a-w-   c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09   599040   ----a-w-   c:\windows\system32\crypt32.dll
2012-05-16 15:08:26   916992   ----a-w-   c:\windows\system32\wininet.dll
.
============= FINISH: 20:37:54.60 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 24/02/2010 12:41:49
System Uptime: 09/08/2012 20:25:32 (0 hours ago)
.
Motherboard: TOSHIBA |  | Portable PC
Processor: Intel(R) Core(TM)2 Duo CPU     T5870  @ 2.00GHz | CPU | 1994/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 188.207 GiB free.
D: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_FF1E1179&REV_02\4&38F101EE&0&00E0
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_FF1E1179&REV_02\4&38F101EE&0&00E0
Service: RTLE8023xp
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\33F4934380D1E
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\33F4934380D1E
Service: NIC1394
.
==== System Restore Points ===================
.
RP20: 14/12/2010 18:28:25 - Software Distribution Service 3.0
RP21: 16/12/2010 21:30:56 - Software Distribution Service 3.0
RP22: 18/12/2010 12:18:59 - Software Distribution Service 3.0
RP23: 30/12/2010 20:53:40 - Software Distribution Service 3.0
RP24: 01/01/2011 13:16:12 - Software Distribution Service 3.0
RP25: 04/01/2011 18:25:31 - Software Distribution Service 3.0
RP26: 05/01/2011 22:17:04 - Software Distribution Service 3.0
RP27: 09/01/2011 19:13:45 - Software Distribution Service 3.0
RP28: 12/01/2011 20:00:19 - Software Distribution Service 3.0
RP29: 12/01/2011 22:25:14 - Software Distribution Service 3.0
RP30: 14/01/2011 18:20:18 - Software Distribution Service 3.0
RP31: 18/01/2011 19:20:49 - Software Distribution Service 3.0
RP32: 20/01/2011 20:25:57 - System Checkpoint
RP33: 21/01/2011 16:08:11 - Software Distribution Service 3.0
RP34: 26/01/2011 19:34:30 - Software Distribution Service 3.0
RP35: 29/01/2011 12:16:53 - Software Distribution Service 3.0
RP36: 02/02/2011 18:13:16 - Software Distribution Service 3.0
RP37: 04/02/2011 17:50:51 - Software Distribution Service 3.0
RP38: 05/02/2011 17:54:11 - System Checkpoint
RP39: 07/02/2011 19:12:46 - System Checkpoint
RP40: 08/02/2011 21:17:23 - Software Distribution Service 3.0
RP41: 08/02/2011 22:46:12 - Software Distribution Service 3.0
RP42: 12/02/2011 11:19:08 - Software Distribution Service 3.0
RP43: 13/02/2011 12:11:25 - System Checkpoint
RP44: 14/02/2011 18:46:41 - System Checkpoint
RP45: 15/02/2011 18:54:20 - Software Distribution Service 3.0
RP46: 17/02/2011 19:29:49 - System Checkpoint
RP47: 21/02/2011 13:51:56 - Software Distribution Service 3.0
RP48: 21/02/2011 22:13:42 - Software Distribution Service 3.0
RP49: 22/02/2011 11:06:31 - Software Distribution Service 3.0
RP50: 23/02/2011 14:43:03 - System Checkpoint
RP51: 23/02/2011 18:04:23 - Software Distribution Service 3.0
RP52: 25/02/2011 12:35:50 - Software Distribution Service 3.0
RP53: 27/02/2011 04:03:33 - System Checkpoint
RP54: 27/02/2011 22:13:11 - Installed Adobe Reader X (10.0.1).
RP55: 01/03/2011 19:55:12 - Software Distribution Service 3.0
RP56: 04/03/2011 18:25:29 - Software Distribution Service 3.0
RP57: 06/03/2011 14:37:19 - System Checkpoint
RP58: 07/03/2011 19:34:57 - System Checkpoint
RP59: 09/03/2011 18:10:24 - Software Distribution Service 3.0
RP60: 09/03/2011 19:00:16 - Software Distribution Service 3.0
RP61: 12/03/2011 10:58:45 - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
ActivDriver x86 v5.5
ActivInspire Help (GBR) v1
ActivInspire HWR Resources (ENU) v1
ActivInspire v1
Activstudio Docs (GBR) v3.6.1
Activstudio Help (GBR) v3.6.1
Activstudio Professional Edition v3.7
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.3)
Adobe Shockwave Player
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Client Utility
Atheros Driver Installation Program
BBC iPlayer Desktop
BIG-IP Edge Client Components (All Users)
Bluetooth Stack for Windows by Toshiba
Bonjour
Camera Assistant Software for Toshiba
CD/DVD Drive Acoustic Silencer
ESET Online Scanner v3
Google Chrome
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
InterVideo WinDVD for TOSHIBA
iTunes
Java Auto Updater
Java(TM) 7 Update 5
JavaFX 2.1.1
LiveUpdate 3.1 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders  (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 14.0.1 (x86 en-GB)
Mozilla Maintenance Service
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OGA Notifier 2.0.0048.0
Presto! BizCard 5 SE (English Version)
Presto! BizCard Component for Windows CE
Presto! BizCard5 SE
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.02
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office 2007 suites (KB2596666) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Spotify
SpywareBlaster 4.4
Symantec AntiVirus
Synaptics Pointing Device Driver
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Direct Disc Writer
TOSHIBA Disc Creator
TOSHIBA Hotkey Utility
TOSHIBA Manuals
Toshiba Online Product Information
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Utilities
TOSHIBA Zooming Utility
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687310) 32-Bit Edition
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2718704)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
.
==== Event Viewer Messages From Past Week ========
.
09/08/2012 20:36:38, error: Service Control Manager [7034]  - The Symantec Settings Manager service terminated unexpectedly.  It has done this 12 time(s).
09/08/2012 20:36:36, error: Service Control Manager [7034]  - The Symantec Settings Manager service terminated unexpectedly.  It has done this 11 time(s).
09/08/2012 20:36:34, error: Service Control Manager [7034]  - The Symantec Settings Manager service terminated unexpectedly.  It has done this 10 time(s).
09/08/2012 20:36:32, error: Service Control Manager [7034]  - The Symantec Settings Manager service terminated unexpectedly.  It has done this 9 time(s).
09/08/2012 20:36:30, error: Service Control Manager [7034]  - The Symantec Settings Manager service terminated unexpectedly.  It has done this 8 time(s).
09/08/2012 20:36:22, error: Service Control Manager [7034]  - The Symantec Settings Manager service terminated unexpectedly.  It has done this 7 time(s).
09/08/2012 20:36:22, error: Service Control Manager [7034]  - The Symantec Event Manager service terminated unexpectedly.  It has done this 2 time(s).
09/08/2012 20:33:01, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the  service.
09/08/2012 20:32:31, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the Symantec AntiVirus service.
09/08/2012 20:31:57, error: Service Control Manager [7034]  - The Symantec Settings Manager service terminated unexpectedly.  It has done this 6 time(s).
09/08/2012 20:31:53, error: Service Control Manager [7034]  - The Symantec Settings Manager service terminated unexpectedly.  It has done this 5 time(s).
09/08/2012 20:31:51, error: Service Control Manager [7034]  - The Symantec Settings Manager service terminated unexpectedly.  It has done this 4 time(s).
09/08/2012 20:31:49, error: Service Control Manager [7034]  - The Symantec Settings Manager service terminated unexpectedly.  It has done this 3 time(s).
09/08/2012 20:31:47, error: Service Control Manager [7034]  - The Symantec Settings Manager service terminated unexpectedly.  It has done this 2 time(s).
09/08/2012 20:30:45, error: Service Control Manager [7034]  - The Symantec SPBBCSvc service terminated unexpectedly.  It has done this 1 time(s).
09/08/2012 20:30:45, error: Service Control Manager [7034]  - The Symantec Settings Manager service terminated unexpectedly.  It has done this 1 time(s).
09/08/2012 20:30:45, error: Service Control Manager [7034]  - The Symantec Event Manager service terminated unexpectedly.  It has done this 1 time(s).
09/08/2012 20:30:45, error: Service Control Manager [7034]  - The Symantec AntiVirus Definition Watcher service terminated unexpectedly.  It has done this 1 time(s).
09/08/2012 20:28:11, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  atapi PCIIde SASDIFSV SASKUTIL
09/08/2012 20:28:11, error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
09/08/2012 20:24:36, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
09/08/2012 20:21:42, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
09/08/2012 20:21:38, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
09/08/2012 20:16:30, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD atapi eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT PCIIde RasAcd Rdbss SASDIFSV SASKUTIL SAVRT SAVRTPEL SPBBCDrv SYMTDI Tcpip
09/08/2012 20:16:30, error: Service Control Manager [7023]  - The System Restore Service service terminated with the following error:  Access is denied.
09/08/2012 20:16:30, error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:  A device attached to the system is not functioning.
09/08/2012 20:16:30, error: Service Control Manager [7001]  - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:  A device attached to the system is not functioning.
09/08/2012 20:16:30, error: Service Control Manager [7001]  - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
09/08/2012 20:16:30, error: Service Control Manager [7001]  - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:  A device attached to the system is not functioning.
09/08/2012 20:16:30, error: Service Control Manager [7001]  - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
09/08/2012 20:16:30, error: Service Control Manager [7001]  - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
09/08/2012 20:16:29, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
09/08/2012 20:15:12, error: SRService [104]  - The System Restore initialization process failed.
.
==== End Of File ===========================


RogueKiller V7.6.5 [08/03/2012]  by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: GCH [Admin rights]
Mode: Scan -- Date: 08/09/2012 20:41:44

¤¤¤ Bad processes: 5 ¤¤¤
[ZeroAccess] n -- c:\windows\system32\n -> UNLOADED
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe -> KILLED [TermProc]
[SUSP PATH] ActivFocusHook.dll -- C:\Documents and Settings\All Users\Application Data\ACTIV Software\ActivApplications\ActivFocusHook.dll -> UNLOADED
[SUSP PATH] ActivFocusHook.dll -- C:\Documents and Settings\All Users\Application Data\ACTIV Software\ActivApplications\ActivFocusHook.dll -> UNLOADED

¤¤¤ Registry Entries: 11 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : OfhFhbfb (C:\Documents and Settings\GCH\Local Settings\Application Data\gypswbvn\ofhfhbfb.exe) -> FOUND
[SUSP PATH] HKCU\[...]\Run : XSECVA (C:\Documents and Settings\GCH\Local Settings\Application Data\gypswbvn\ofhfhbfb.exe"C:\Documents and Settings\GCH\Application Data\xsecva\xsecva.exe" -s) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2288143009-808737177-3545214167-1005[...]\Run : OfhFhbfb (C:\Documents and Settings\GCH\Local Settings\Application Data\gypswbvn\ofhfhbfb.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2288143009-808737177-3545214167-1005[...]\Run : XSECVA (C:\Documents and Settings\GCH\Local Settings\Application Data\gypswbvn\ofhfhbfb.exe"C:\Documents and Settings\GCH\Application Data\xsecva\xsecva.exe" -s) -> FOUND
[SUSP PATH] HKLM\[...]\Winlogon : Userinit (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\GCH\Local Settings\Application Data\gypswbvn\ofhfhbfb.exe"C:\Documents and Settings\GCH\Application Data\xsecva\xsecva.exe" -s,) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[ZeroAccess] HKCR\[...]\InprocServer32 :  (\\.\globalroot\systemroot\Installer\{589fee8d-25fc-dcf9-677d-43b21ecf4059}\n.) -> FOUND
[ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\Documents and Settings\GCH\Local Settings\Application Data\{589fee8d-25fc-dcf9-677d-43b21ecf4059}\n.) -> FOUND
[ZeroAccess] HKLM\[...]\InprocServer32 :  (\\.\globalroot\systemroot\Installer\{589fee8d-25fc-dcf9-677d-43b21ecf4059}\n.) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : c:\windows\installer\{589fee8d-25fc-dcf9-677d-43b21ecf4059}\n --> FOUND
[ZeroAccess][FILE] @ : c:\windows\installer\{589fee8d-25fc-dcf9-677d-43b21ecf4059}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{589fee8d-25fc-dcf9-677d-43b21ecf4059}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{589fee8d-25fc-dcf9-677d-43b21ecf4059}\L --> FOUND
[ZeroAccess][FILE] n : c:\documents and settings\gch\local settings\application data\{589fee8d-25fc-dcf9-677d-43b21ecf4059}\n --> FOUND
[ZeroAccess][FILE] @ : c:\documents and settings\gch\local settings\application data\{589fee8d-25fc-dcf9-677d-43b21ecf4059}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\documents and settings\gch\local settings\application data\{589fee8d-25fc-dcf9-677d-43b21ecf4059}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\documents and settings\gch\local settings\application data\{589fee8d-25fc-dcf9-677d-43b21ecf4059}\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac\desktop.ini --> FOUND

¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x8A0EB1D0)
SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x8A0EB208)
SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x8A0E5EF8)
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x8A0FA418)
SSDT[43] : NtCreateMutant @ 0x8061758E -> HOOKED (Unknown @ 0x8A0D2D80)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x8A082F80)
SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x89289358)
SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9258 -> HOOKED (Unknown @ 0x8A0D2DB8)
SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x8A0D2DF0)
SSDT[108] : NtMapViewOfSection @ 0x805B2042 -> HOOKED (Unknown @ 0x8A07BE78)
SSDT[114] : NtOpenEvent @ 0x8060EF4C -> HOOKED (Unknown @ 0x8A07CDF0)
SSDT[123] : NtOpenProcessToken @ 0x805EDF26 -> HOOKED (Unknown @ 0x89289320)
SSDT[129] : NtOpenThreadToken @ 0x805EDF44 -> HOOKED (Unknown @ 0x89269230)
SSDT[177] : NtQueryValueKey @ 0x806221FA -> HOOKED (Unknown @ 0x8A0B4160)
SSDT[206] : unknown @ 0x805D4A18 -> HOOKED (Unknown @ 0x8A0FD388)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x8A083DF0)
SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x8A09E208)
SSDT[229] : NtSetInformationThread @ 0x805CC124 -> HOOKED (Unknown @ 0x8A083DB8)
SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x8A07CDB8)
SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x8A0EB240)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x8A0ED598)
SSDT[258] : NtTerminateThread @ 0x805D24D2 -> HOOKED (Unknown @ 0x8A083D80)
SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x8A09E1D0)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x8A0B1F38)

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK2555GSX +++++
--- User ---
[MBR] 2b466a8773943cb0afa881729127b676
[BSP] 98af99f82e405d54e5627304e2f675c4 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238472 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: SanDisk Cruzer USB Device +++++
--- User ---
[MBR] 96621df59a565d5e057e0659da7ec48b
[BSP] 788470fe12ec57aabe933cfdd9c84885 : Standard MBR Code
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 129 | Size: 1907 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt
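A defender-side triage of the Event Viewer block in the log above, as an added example that is not part of this thread and not code from DDS, RogueKiller or ComboFix. The set of security-product driver names, the three-restart crash-loop threshold and the dd/mm/yyyy date format are assumptions; the sample lines are copied from the log posted above.

```python
"""Triage of the DDS "Event Viewer Messages" block posted above, from the
defender's side: does the Service Control Manager record the pattern of an
antivirus being killed? Added example, not part of the thread or of DDS,
RogueKiller or ComboFix. The driver-name set and the crash-loop threshold are
assumptions; the sample lines are copied from the log above."""
import re
from datetime import datetime

# Constructed sample input: six lines taken from the log posted above
# (newest first, as DDS prints them; dates are dd/mm/yyyy, which the
# ComboFix header later in the thread confirms for this machine).
SAMPLE_EVENTS = [
    "09/08/2012 20:36:38, error: Service Control Manager [7034]  - The Symantec Settings Manager service terminated unexpectedly.  It has done this 12 time(s).",
    "09/08/2012 20:36:22, error: Service Control Manager [7034]  - The Symantec Event Manager service terminated unexpectedly.  It has done this 2 time(s).",
    "09/08/2012 20:33:01, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the  service.",
    "09/08/2012 20:32:31, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the Symantec AntiVirus service.",
    "09/08/2012 20:30:45, error: Service Control Manager [7034]  - The Symantec Settings Manager service terminated unexpectedly.  It has done this 1 time(s).",
    "09/08/2012 20:16:30, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD atapi eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT PCIIde RasAcd Rdbss SASDIFSV SASKUTIL SAVRT SAVRTPEL SPBBCDrv SYMTDI Tcpip",
]

# Kernel drivers of the security products visible in the log (Symantec
# AntiVirus components and the SAS* drivers of SUPERAntiSpyware). Which
# vendor owns each name is my attribution, not something the tools print.
SECURITY_DRIVERS = {"SAVRT", "SAVRTPEL", "SPBBCDrv", "SYMTDI", "eeCtrl",
                    "SASDIFSV", "SASKUTIL"}
CRASH_LOOP_THRESHOLD = 3   # assumed: 3+ restarts of one service in a session

EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), (?P<level>\w+): "
    r"(?P<source>.+?) \[(?P<id>\d+)\]\s+-\s+(?P<msg>.*)$")
TERMINATED_RE = re.compile(
    r"^The (?P<svc>.+?) service terminated unexpectedly\.\s+"
    r"It has done this (?P<n>\d+) time\(s\)\.$")
FAILED_DRV_RE = re.compile(r"failed to load:\s*(?P<drivers>.*)$")
TIMEOUT_RE = re.compile(r"from the\s*(?P<svc>.*?)\s*service\.$")


def parse_event(line):
    """Split one DDS event line into its fields; None if it is not one."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["id"] = int(ev["id"])
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%m/%Y %H:%M:%S")
    return ev


def triage_events(lines):
    """Summarise SCM events that point at a security product under attack."""
    restarts = {}          # service -> (max count, first seen, last seen)
    timeouts = []
    failed_drivers = set()
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["source"] != "Service Control Manager":
            continue
        if ev["id"] == 7034:   # service terminated unexpectedly
            m = TERMINATED_RE.match(ev["msg"])
            if m:
                svc, n = m["svc"], int(m["n"])
                count, first, last = restarts.get(svc, (0, ev["ts"], ev["ts"]))
                restarts[svc] = (max(count, n), min(first, ev["ts"]),
                                 max(last, ev["ts"]))
        elif ev["id"] == 7011:  # transaction timeout talking to a service
            m = TIMEOUT_RE.search(ev["msg"])
            if m:
                # The log above has one line where the name is blank.
                timeouts.append(m["svc"] or "(service name missing)")
        elif ev["id"] == 7026:  # boot-start drivers that failed to load
            m = FAILED_DRV_RE.search(ev["msg"])
            if m:
                failed_drivers.update(m["drivers"].split())
    crash_loops = {
        svc: {"count": c, "window_seconds": int((last - first).total_seconds())}
        for svc, (c, first, last) in restarts.items()
        if c >= CRASH_LOOP_THRESHOLD}
    return {
        "crash_loops": crash_loops,
        "timeouts": timeouts,
        "failed_security_drivers": sorted(failed_drivers & SECURITY_DRIVERS,
                                          key=str.lower),
    }


def looks_tampered(report):
    """Defender's verdict: AV service crash loop plus its drivers missing."""
    return bool(report["crash_loops"]) and bool(report["failed_security_drivers"])


if __name__ == "__main__":
    rep = triage_events(SAMPLE_EVENTS)
    for svc, info in rep["crash_loops"].items():
        print(f"crash loop: {svc} x{info['count']} in {info['window_seconds']}s")
    print("timeouts:", rep["timeouts"])
    print("security drivers that failed to load:", rep["failed_security_drivers"])
    print("tampering indicated:", looks_tampered(rep))
```

On the lines above it reports the Settings Manager restarting 12 times in under six minutes while every Symantec and SAS* kernel driver failed to load, which is the picture the helper is reacting to in the replies that follow.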




Offline 1972vet

Re: [Resolved] MY antivirus is being tampered with
« Reply #20 on: August 09, 2012, 03:45:02 PM »
Thanks. Please return to the RogueKiller utility...if you closed it, just open it again and click the scan button as before. Locate and click the Delete button. Allow the system to reboot if prompted.

When the system comes back up, please run RogueKiller again and click the scan button. Then, locate the:
Fix Host,
Fix Proxy, and
Fix DNS buttons on the right side.

Click each button, starting with "Fix Host"...wait for the fix to complete, then go on to the next button "Fix Proxy" and do the same. In like manner, finish up by clicking the "Fix DNS" button. Remember to wait after each "fix" attempt, for the program to complete the fix.

With each "click" of those buttons, if the fix requires you to reboot at any time, please allow it, then return to the RogueKiller program and continue on with the next "Fix" button in succession. When you finish up, please post the most current log. Thanks!

Offline pwellby

Re: [Resolved] MY antivirus is being tampered with
« Reply #21 on: August 09, 2012, 04:02:10 PM »
OK, I have posted the last log which came up, as well as a final scan log, as I wasn't sure which you wanted. Thanks.

RogueKiller V7.6.5 [08/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: GCH [Admin rights]
Mode: DNSFix -- Date: 08/09/2012 22:56:42

¤¤¤ Bad processes: 6 ¤¤¤
[ZeroAccess] n -- c:\windows\system32\n -> UNLOADED
[SUSP PATH] ActivFocusHook.dll -- C:\Documents and Settings\All Users\Application Data\ACTIV Software\ActivApplications\ActivFocusHook.dll -> UNLOADED
[SUSP PATH] ofhfhbfb.exe -- C:\Documents and Settings\GCH\Local Settings\Application Data\gypswbvn\ofhfhbfb.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe -> KILLED [TermProc]
[SUSP PATH] ActivFocusHook.dll -- C:\Documents and Settings\All Users\Application Data\ACTIV Software\ActivApplications\ActivFocusHook.dll -> UNLOADED

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

Finished : << RKreport[7].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ;
RKreport[6].txt ; RKreport[7].txt



RogueKiller V7.6.5 [08/03/2012]  by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: GCH [Admin rights]
Mode: Scan -- Date: 08/09/2012 22:57:30

¤¤¤ Bad processes: 6 ¤¤¤
[ZeroAccess] n -- c:\windows\system32\n -> UNLOADED
[SUSP PATH] ActivFocusHook.dll -- C:\Documents and Settings\All Users\Application Data\ACTIV Software\ActivApplications\ActivFocusHook.dll -> UNLOADED
[SUSP PATH] ofhfhbfb.exe -- C:\Documents and Settings\GCH\Local Settings\Application Data\gypswbvn\ofhfhbfb.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe -> KILLED [TermProc]
[SUSP PATH] ActivFocusHook.dll -- C:\Documents and Settings\All Users\Application Data\ACTIV Software\ActivApplications\ActivFocusHook.dll -> UNLOADED

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] n : c:\windows\installer\{589fee8d-25fc-dcf9-677d-43b21ecf4059}\n --> FOUND
[ZeroAccess][FOLDER] @ : c:\windows\installer\{589fee8d-25fc-dcf9-677d-43b21ecf4059}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{589fee8d-25fc-dcf9-677d-43b21ecf4059}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{589fee8d-25fc-dcf9-677d-43b21ecf4059}\L --> FOUND
[ZeroAccess][FOLDER] n : c:\documents and settings\gch\local settings\application data\{589fee8d-25fc-dcf9-677d-43b21ecf4059}\n --> FOUND
[ZeroAccess][FOLDER] @ : c:\documents and settings\gch\local settings\application data\{589fee8d-25fc-dcf9-677d-43b21ecf4059}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\documents and settings\gch\local settings\application data\{589fee8d-25fc-dcf9-677d-43b21ecf4059}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\documents and settings\gch\local settings\application data\{589fee8d-25fc-dcf9-677d-43b21ecf4059}\L --> FOUND

¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x88036098)
SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x88036178)
SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x88045008)
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x892A8C50)
SSDT[43] : NtCreateMutant @ 0x8061758E -> HOOKED (Unknown @ 0x87FF0B28)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x87F981D0)
SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x880450D0)
SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9258 -> HOOKED (Unknown @ 0x87FF0C08)
SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x87FF0CC8)
SSDT[108] : NtMapViewOfSection @ 0x805B2042 -> HOOKED (Unknown @ 0x87FDB1F0)
SSDT[114] : NtOpenEvent @ 0x8060EF4C -> HOOKED (Unknown @ 0x87FF0A48)
SSDT[123] : NtOpenProcessToken @ 0x805EDF26 -> HOOKED (Unknown @ 0x8806A1E0)
SSDT[129] : NtOpenThreadToken @ 0x805EDF44 -> HOOKED (Unknown @ 0x88044528)
SSDT[177] : NtQueryValueKey @ 0x806221FA -> HOOKED (Unknown @ 0x87FCF008)
SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x8833A1E8)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x88044448)
SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x88356828)
SSDT[229] : NtSetInformationThread @ 0x805CC124 -> HOOKED (Unknown @ 0x87FDD1A8)
SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x87FCF358)
SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x882FC008)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x8A0CCE98)
SSDT[258] : NtTerminateThread @ 0x805D24D2 -> HOOKED (Unknown @ 0x87FDD0C8)
SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x88356908)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x88045190)

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1   localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 2b466a8773943cb0afa881729127b676
[BSP] 98af99f82e405d54e5627304e2f675c4 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238472 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[8].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ;
RKreport[6].txt ; RKreport[7].txt ; RKreport[8].txt




Offline 1972vet

Re: [Resolved] MY antivirus is being tampered with
« Reply #22 on: August 10, 2012, 05:14:09 AM »
Excellent, thank you. Now let's try to repair some of the damage this malicious code has caused...

Download Tweaking.com's Windows Repair All-In-One tool and save it to your Desktop. Extract the files by right-clicking on the zipped folder and selecting "Extract All". Open the folder, double-click on the file named Repair_Windows.exe to start the program...and this is what you should see:



Click the Step 2 tab. To perform the disk check you'll need to click the Do It button. The system will need to reboot to perform that function, so when it comes back up, return to the tool's Step 3 tab to perform a system file check...again, you'll need to click the Do It button to get things started.

When that scan completes, click the Next button, then click the "System Restore" Create button. When the restore point has been created, you can click the ERUNT "Backup" button. ERUNT will create a back up of the system's registry for you. When you've completed that, click the Next button, then click Start and the following screen will appear:



You can see all the items in the left pane which can be fixed using this tool. Click the Start button to begin the repair. Post back when you finish and let me know what issues you are still experiencing. Thanks!

Offline pwellby

Re: [Resolved] MY antivirus is being tampered with
« Reply #23 on: August 10, 2012, 08:06:52 AM »
Hi, I downloaded it and ran the first scan. I had to run it in safe mode, as normal start-up now just leaves me with the background wallpaper and nothing else happens. The first scan ran and the system rebooted; I used safe mode again. The second scan, step 3, did not work. The error message was "the RPC server is unavailable". I completed the rest of the scans and the repair.

I can still only open in safe mode. Again nothing happens on normal login. I can open windows task manager and nothing looks odd but all I can do is restart from there.

Offline pwellby

Re: [Resolved] MY antivirus is being tampered with
« Reply #24 on: August 10, 2012, 08:59:43 AM »
Update: I restarted again and the computer is now working in regular mode. I turned the internet back on again and it is working absolutely fine at the moment. Thanks!

I also opened the antivirus and it seems to be working fine too. I still can't use the Live Update function though. It says it cannot connect to the server. Should I delete it and use another one? Are there any free ones you recommend?

Offline pwellby

Re: [Resolved] MY antivirus is being tampered with
« Reply #25 on: August 10, 2012, 02:14:23 PM »
Another update: Firefox has started to bring up the advertising messages again and it is impossible to use. I disconnected the computer from the internet again.

Offline 1972vet

Re: [Resolved] MY antivirus is being tampered with
« Reply #26 on: August 10, 2012, 06:40:09 PM »
Please disable the active protection component of your antivirus and antispyware programs by following the directions that apply Here.
...of those, many people overlook the Windows Defender since, for most, there is no icon for it in the system tray. Scroll through those directives above and look for this application specifically, to make certain it is disabled.

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista or Windows 7, you can skip the recovery console step...in Vista/7 it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista or Windows 7 installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware.  It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouse-click ComboFix's window while it's running...that may cause the scan to stall.


Offline 1972vet

Re: [Resolved] MY antivirus is being tampered with
« Reply #27 on: August 13, 2012, 05:04:41 AM »
Still with us pwellby?

Offline 1972vet

Re: [Resolved] MY antivirus is being tampered with
« Reply #28 on: August 18, 2012, 06:06:40 AM »
Due to the lack of feedback this Topic is closed. If you need continued support, please create a new thread detailing what issues you are having.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Offline pwellby

Re: [Resolved] MY antivirus is being tampered with
« Reply #29 on: August 27, 2012, 10:33:03 AM »
Hi, sorry, I had to go away at short notice and, where I was, access to this forum was blocked on the computers.

I have just followed your instructions by downloading and using Combofix.

Here is the log:

ComboFix 12-08-25.04 - GCH 27/08/2012  17:14:23.4.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2940.2252 [GMT 1:00]
Running from: c:\documents and settings\GCH\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\19128116
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\GCH\Application Data\mavbaz.dll
c:\documents and settings\GCH\Application Data\ocrog.dll
c:\documents and settings\GCH\Local Settings\Application Data\boyxpvcu.log
c:\documents and settings\GCH\Local Settings\Application Data\cbrctpil.log
c:\documents and settings\GCH\Local Settings\Application Data\ewlvgomo.log
c:\documents and settings\GCH\Local Settings\Application Data\gocjpwkb.log
c:\documents and settings\GCH\Local Settings\Application Data\iibllxjm.log
c:\documents and settings\GCH\Local Settings\Application Data\pltxaawx.log
c:\documents and settings\GCH\Local Settings\Application Data\qcxlvweu.log
c:\documents and settings\GCH\Local Settings\Application Data\rynbtehl.log
c:\documents and settings\GCH\Local Settings\Application Data\uuoscsnp.log
C:\Install.exe
c:\windows\EventSystem.log
c:\windows\system32\SET70.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
.
(((((((((((((((((((((((((   Files Created from 2012-07-27 to 2012-08-27  )))))))))))))))))))))))))))))))
.
.
2012-08-10 13:39 . 2004-06-11 23:33   290304   ----a-w-   C:\subinacl.exe
2012-08-10 13:38 . 2012-08-10 13:38   --------   d-----w-   C:\RegBackup
2012-08-10 13:21 . 2012-08-10 14:01   --------   d-----w-   C:\Tweaking.com_Windows_Repair_Logs
2012-08-10 13:21 . 2012-08-10 13:21   --------   d-----w-   c:\program files\Tweaking.com
2012-08-01 16:39 . 2012-08-01 16:39   --------   d-----w-   c:\program files\PC Tools
2012-08-01 16:35 . 2012-08-01 16:50   --------   d-----w-   c:\program files\Common Files\PC Tools
2012-08-01 16:35 . 2012-06-22 14:34   203120   ----a-w-   c:\windows\system32\drivers\PCTSD.sys
2012-08-01 16:34 . 2012-08-01 16:34   --------   d-----w-   c:\documents and settings\GCH\Application Data\TestApp
2012-08-01 14:00 . 2012-08-01 14:00   --------   d-----w-   c:\documents and settings\GCH\Local Settings\Application Data\Sun
2012-08-01 13:59 . 2012-08-01 13:59   --------   d-----w-   c:\program files\Oracle
2012-08-01 13:59 . 2012-08-01 13:59   --------   d-----w-   c:\documents and settings\GCH\Application Data\Oracle
2012-08-01 13:59 . 2012-07-05 21:07   143872   ----a-w-   c:\windows\system32\javacpl.cpl
2012-07-30 17:30 . 2012-07-30 17:30   --------   d-----w-   c:\documents and settings\GCH\Local Settings\Application Data\Temp
2012-07-30 15:56 . 2012-07-30 15:56   --------   d-----w-   c:\documents and settings\GCH\Local Settings\Application Data\{2BF39ED1-D980-11E1-8270-B8AC6F996F26}
2012-07-29 16:46 . 2012-07-29 16:45   476976   ----a-w-   c:\windows\system32\npdeployJava1.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-09 19:36 . 2010-02-26 08:54   48768   ----a-w-   c:\windows\system32\S32EVNT1.DLL
2012-08-09 19:36 . 2010-02-26 08:54   110952   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
2012-07-05 21:06 . 2011-05-05 18:11   687544   ----a-w-   c:\windows\system32\deployJava1.dll
2012-06-13 13:19 . 2008-07-14 10:57   1866112   ----a-w-   c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-07-14 10:57   1372672   ----a-w-   c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2008-07-14 10:57   1172480   ----a-w-   c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2008-07-14 10:57   152576   ----a-w-   c:\windows\system32\schannel.dll
2012-06-02 14:19 . 2009-08-06 19:24   22040   ----a-w-   c:\windows\system32\wucltui.dll.mui
2012-06-02 14:19 . 2009-08-06 19:24   15384   ----a-w-   c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 14:19 . 2008-07-14 12:05   329240   ----a-w-   c:\windows\system32\wucltui.dll
2012-06-02 14:19 . 2008-07-14 12:05   219160   ----a-w-   c:\windows\system32\wuaucpl.cpl
2012-06-02 14:19 . 2008-07-14 12:05   210968   ----a-w-   c:\windows\system32\wuweb.dll
2012-06-02 14:19 . 2009-08-06 19:24   45080   ----a-w-   c:\windows\system32\wups2.dll
2012-06-02 14:19 . 2009-08-06 19:24   15384   ----a-w-   c:\windows\system32\wuapi.dll.mui
2012-06-02 14:19 . 2008-07-14 12:05   53784   ----a-w-   c:\windows\system32\wuauclt.exe
2012-06-02 14:19 . 2008-07-14 12:05   35864   ----a-w-   c:\windows\system32\wups.dll
2012-06-02 14:19 . 2008-07-14 10:57   97304   ----a-w-   c:\windows\system32\cdm.dll
2012-06-02 14:19 . 2009-08-06 19:24   17944   ----a-w-   c:\windows\system32\wuaueng.dll.mui
2012-06-02 14:19 . 2008-07-14 12:05   577048   ----a-w-   c:\windows\system32\wuapi.dll
2012-06-02 14:19 . 2008-07-14 12:05   1933848   ----a-w-   c:\windows\system32\wuaueng.dll
2012-06-02 14:18 . 2010-03-18 19:50   275696   ----a-w-   c:\windows\system32\mucltui.dll
2012-06-02 14:18 . 2010-03-18 19:50   214256   ----a-w-   c:\windows\system32\muweb.dll
2012-06-02 14:18 . 2010-03-18 19:50   17136   ----a-w-   c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22 . 2008-07-14 10:57   599040   ----a-w-   c:\windows\system32\crypt32.dll
2012-05-31 03:41 . 2012-07-04 21:10   6762896   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{7A684B2F-BC10-49FE-80C3-E928E0649CF4}\mpengine.dll
2012-05-31 03:41 . 2010-05-19 19:09   6762896   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-07-29 15:26 . 2011-05-01 15:07   136672   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"TPSMain"="TPSMain.exe" [2007-10-12 266240]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2008-05-27 360448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-05-11 143360]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-03 170520]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 495616]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-29 417792]
"ActivControl"="c:\program files\Activ Software\ActivDriver\ActivControl2.exe" [2010-06-10 1092896]
"NDSTray.exe"="NDSTray.exe" [BU]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-03 141848]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-03 150040]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-18 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\GCH\Start Menu\Programs\Startup\
ofhfhbfb.exe [2012-7-28 93452]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00   15360   ----a-w-   c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
2005-04-11 10:26   65536   ----a-w-   c:\program files\Toshiba\TOSCDSPD\TOSCDSPD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Toshiba\\ConfigFree\\NDSTray.exe"=
.
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 12:22 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 12:15 134016]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [09/11/2007 11:22 74752]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [16/07/2012 21:36 106656]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [14/07/2008 13:50 5888]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [26/05/2010 15:21 6144]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\GCH\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\GCH\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\GCH\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\GCH\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [16/04/2010 12:09 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [16/04/2010 12:09 135664]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [26/04/2012 20:56 113120]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [14/03/2007 20:48 116416]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - TrueSight
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-16 11:09]
.
2012-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-16 11:09]
.
2012-07-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
2010-02-24 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-07-14 12:00]
.
2010-02-24 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-07-14 12:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gch.org.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.gch.org.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\GCH\Application Data\Mozilla\Firefox\Profiles\evopcicy.default\
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WinDefend
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-27 17:26
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-08-27  17:31:14
ComboFix-quarantined-files.txt  2012-08-27 16:31
.
Pre-Run: 217,519,489,024 bytes free
Post-Run: 220,593,889,280 bytes free
.
- - End Of File - - F1E38A42BC736786886AD3D2E78CBF73
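The log above is raw ComboFix output, and the lines worth a closer look are easy to miss in a thousand-line dump: the Security Center values `AntiVirusOverride` and `FirewallOverride` set to 1 (which suppress Security Center's missing-antivirus and missing-firewall alerts), `DisableMonitoring=1` under `Monitoring\SymantecAntiVirus` (which stops Security Center polling that product's status), a randomly named executable in the user's Startup folder, and catchme's report of an in-memory patch to `ZwQueryDirectoryFile` in ntdll, the classic user-mode hook for hiding directory entries (some legitimate security products hook it too, so it is a lead, not a verdict). The script below is an added triage example written for this page; it is not part of the forum post and not a ComboFix or SpywareHammer tool. It runs over a constructed excerpt modelled on the sections above (`SAMPLE_LOG` is that excerpt, trimmed, not the full log), and the random-name heuristic and the list of Security Center value names are the author's own assumptions for prioritising manual review.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the ComboFix sections above (assumption: not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
.
c:\documents and settings\GCH\Start Menu\Programs\Startup\
ofhfhbfb.exe [2012-7-28 93452]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-27 17:26
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
"""

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
STARTUP_DIR_RE = re.compile(r"\\Startup\\\s*$", re.IGNORECASE)
ENTRY_RE = re.compile(r"^(\S+\.(?:exe|dll|scr|com|bat|cmd|lnk|vbs|js))\s+\[", re.IGNORECASE)

# Windows XP SP2+ Security Center values that silence or detach its monitoring.
# A non-zero value is worth a question; malware sets these to keep the user from
# noticing that protection has gone away (assumption: list chosen by the author).
SECURITY_CENTER_OVERRIDES = {
    "AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
    "FirewallDisableNotify", "UpdatesDisableNotify", "DisableMonitoring",
}


def find_security_center_overrides(text: str) -> List[Tuple[str, str, int]]:
    """Return (registry key, value name, dword) for non-zero overrides under Security Center keys."""
    hits, current_key = [], ""
    for line in text.splitlines():
        s = line.strip()
        m = KEY_RE.match(s)
        if m:
            current_key = m.group(1)        # REGEDIT4-style section header
            continue
        if "security center" not in current_key.lower():
            continue
        m = DWORD_RE.match(s)
        if m and m.group(1) in SECURITY_CENTER_OVERRIDES and int(m.group(2), 16) != 0:
            hits.append((current_key, m.group(1), int(m.group(2), 16)))
    return hits


def find_startup_folder_entries(text: str) -> List[Tuple[str, str]]:
    """Return (startup folder path, file name) for every file ComboFix lists under a Startup folder."""
    hits, folder = [], None
    for line in text.splitlines():
        s = line.strip()
        if STARTUP_DIR_RE.search(s):
            folder = s                      # folder path line; entries follow until a "." line
            continue
        if folder is None:
            continue
        if s in ("", "."):
            folder = None
            continue
        m = ENTRY_RE.match(s)
        if m:
            hits.append((folder, m.group(1)))
    return hits


def looks_random(filename: str) -> bool:
    """Heuristic (author's assumption): an all-letter stem with a run of 5+ consonants,
    e.g. ofhfhbfb.exe, reads as generated rather than chosen. Flags for review only."""
    stem = filename.rsplit(".", 1)[0]
    if not stem.isalpha() or len(stem) < 6:
        return False
    return re.search(r"[^aeiou]{5}", stem.lower()) is not None


def find_code_modifications(text: str) -> List[str]:
    """Return the ntdll exports catchme reports as patched in memory (user-mode hooks)."""
    hooked, collecting = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.lower().startswith("detected ntdll code modification"):
            collecting = True
            continue
        if collecting:
            if s in ("", "."):
                collecting = False
            else:
                hooked.append(s)
    return hooked


def triage(text: str) -> Dict[str, list]:
    """Pull the three indicator classes out of a ComboFix log for manual review."""
    return {
        "security_center_overrides": find_security_center_overrides(text),
        "startup_folder": [(f, n, looks_random(n)) for f, n in find_startup_folder_entries(text)],
        "ntdll_code_modifications": find_code_modifications(text),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

Run it against a full ComboFix log by passing the file contents to `triage()`; each finding still needs a human decision, since the randomness heuristic will occasionally flag legitimate OEM names and a hooked `ZwQueryDirectoryFile` can belong to a security product as well as to a rootkit.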