BleepingComputer.com: CSW.exe removed, Explorer still crashing out, gmer invokes BSOD


CSW.exe removed, Explorer still crashing out, gmer invokes BSOD
Possible system corruption caused by trojans

#16 SweetTech

  • Agent ST
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender: Male
  • Location: Antarctica

Posted 08 May 2011 - 02:26 PM

Hi!

Thanks for that additional information about the Windows Firewall.

We need to update your version of MBAM to the latest version.

Your running version: 1.46 and database version: 4951

The latest version is: 1.50.1.1100 and database version is: 6532.

Please follow these instructions below to update it to the latest version:

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer; could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#17 Norbert W

  • Member
  • Group: Members
  • Posts: 23
  • Joined: 27-April 11

Posted 08 May 2011 - 08:09 PM

MalwareBytes Anti-Malware updated and running.

ESET found the following:

C:\WINDOWS\eqohifureqijol.dll a variant of Win32/Kryptik.MWB trojan
C:\_OTL\MovedFiles\05062011_174952\C_WINDOWS\Temp\hmvr\setup.exe a variant of Win32/Kryptik.NEO trojan

The MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6534

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

09/05/2011 02:43:16
mbam-log-2011-05-09 (02-43-16).txt

Scan type: Quick scan
Objects scanned: 166549
Time elapsed: 12 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\D1T2EUR7FZ (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TBXQRHV4KR (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

This post has been edited by Norbert W: 08 May 2011 - 08:45 PM


#18 Norbert W

  • Member
  • Group: Members
  • Posts: 23
  • Joined: 27-April 11

Posted 09 May 2011 - 03:39 AM

Should I delete the following files?

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ekin.exe
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\edire.exe
C:\WINDOWS\eqohifureqijol.dll
C:\_OTL\MovedFiles\05062011_174952\C_WINDOWS\Temp\hmvr\setup.exe

EDIT: should add that I managed to end the confusion over the firewall by starting it manually, then disabling it. Typing "firewall.cpl" at the run command now brings up the Windows Firewall settings dialog box. However even with it affirmatively disabled ComboFix still fails to run to a conclusion.

This post has been edited by Norbert W: 09 May 2011 - 08:59 AM


#19 SweetTech

  • Agent ST
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender: Male
  • Location: Antarctica

Posted 09 May 2011 - 10:36 AM

Hi!

This file below is currently in quarantine, and will be removed once we clean up our tools later.
C:\_OTL\MovedFiles\05062011_174952\C_WINDOWS\Temp\hmvr\setup.exe a variant of Win32/Kryptik.NEO trojan


This file below will be removed shortly.

C:\WINDOWS\eqohifureqijol.dll

OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :OTL
    
    :Reg
    
    :Files
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ekin.exe
    C:\Documents and Settings\Default User\Start Menu\Programs\Startup\edire.exe
    C:\WINDOWS\eqohifureqijol.dll
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    

  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.



NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


#20 Norbert W

  • Member
  • Group: Members
  • Posts: 23
  • Joined: 27-April 11

Posted 09 May 2011 - 11:16 AM

OTL log:

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
========== REGISTRY ==========
========== FILES ==========
File\Folder C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ekin.exe not found.
File\Folder C:\Documents and Settings\Default User\Start Menu\Programs\Startup\edire.exe not found.
C:\WINDOWS\eqohifureqijol.dll moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Barnabas Netherwood\Desktop\fix tools\cmd.bat deleted successfully.
C:\Documents and Settings\Barnabas Netherwood\Desktop\fix tools\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Barnabas Netherwood
->Temp folder emptied: 171688 bytes
->Temporary Internet Files folder emptied: 6465896 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 69005792 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1589 bytes

User: Barnabas Netherwood.PC180273018230
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 65536 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 72.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Barnabas Netherwood
->Flash cache emptied: 0 bytes

User: Barnabas Netherwood.PC180273018230

User: Default User

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 05092011_170817

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\_avast_\Webshlock.txt not found!

Registry entries deleted on Reboot...


Security Check log:

Results of screen317's Security Check version 0.99.10
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
ESET Online Scanner v3
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
River Past Video Cleaner Pro
Java™ 6 Update 23
Out of date Java installed!
Adobe Flash Player 10.2.159.1
Adobe Reader 6.0.1
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.16) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 avastUI.exe
``````````End of Log````````````

#21 SweetTech

  • Agent ST
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender: Male
  • Location: Antarctica

Posted 09 May 2011 - 11:26 AM

Hi!

Java Outdated
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform.
    • 32-bit Select: Windows x86 Offline.
    • 64-bit Select: Windows x64.

  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u25-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.



NEXT



Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws, so it is recommended that you update your copy.
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
Alternative Option: after uninstalling Adobe Reader, you could try installing Foxit Reader from >here< Foxit Reader has fewer add-ons therefore loads more quickly.



NEXT:



Update Firefox
You're currently using an outdated version of Firefox. The latest version of Firefox is 3.6.17.

You can get the latest version of Firefox by accessing the Help menu in Firefox and then selecting Check for Updates.

Please make sure that you Check for Updates again after updating to the latest version to make sure that you have in fact received the latest version.



NEXT:



OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.


    netsvcs
    drivers32
    hklm\software\clients\startmenuinternet|command /rs
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Push the Run Scan button.
  • A report will open. Copy and Paste that report in your next reply.



NEXT:



What outstanding issues (if any) are you still experiencing with your computer?

#22 Norbert W

  • Member
  • Group: Members
  • Posts: 23
  • Joined: 27-April 11

Posted 09 May 2011 - 11:30 AM

Wow. It seems I have been clobbered by the old "if it ain't broke don't fix it" mentality!

Will follow all your suggestions and report back once done.

#23 SweetTech

  • Agent ST
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender: Male
  • Location: Antarctica

Posted 09 May 2011 - 11:42 AM

:thumbsup:

#24 Norbert W

  • Member
  • Group: Members
  • Posts: 23
  • Joined: 27-April 11

Posted 09 May 2011 - 12:37 PM

As far as I can tell everything is back to normal and behaving itself. I haven't noticed anything quirky like dial-up dialog boxes popping up unannounced for a while now, so hopefully we now have a clean house.

I installed the Foxit PDF reader to try it out. The magic words "small footprint" aided that decision.

Here is that OTL log:

OTL logfile created on: 09/05/2011 18:35:37 - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Barnabas Netherwood\Desktop\fix tools
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,023.00 Mb Total Physical Memory | 535.00 Mb Available Physical Memory | 52.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 0.90 Gb Free Space | 1.60% Space Free | Partition Type: NTFS

Computer Name: PC180273018230 | User Name: Barnabas Netherwood | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/09 18:33:27 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/05/05 13:02:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Barnabas Netherwood\Desktop\fix tools\OTL.exe
PRC - [2011/02/23 16:04:20 | 003,451,496 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2011/02/23 16:04:19 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/12/03 11:52:38 | 000,073,728 | ---- | M] (Iomega Corporation) -- C:\Program Files\Iomega\System32\AppServices.exe
PRC - [2004/08/31 10:23:42 | 000,823,296 | ---- | M] (Maxtor Corporation) -- C:\Program Files\Maxtor\OneTouch\Utils\OneTouch.exe
PRC - [2004/07/30 16:47:36 | 000,069,632 | ---- | M] (Dantz Development Corporation) -- C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
PRC - [2003/11/18 09:31:52 | 000,241,664 | ---- | M] (Hewlett-Packard ) -- C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
PRC - [2003/10/10 12:23:48 | 000,094,208 | ---- | M] (Cypress Semiconductor) -- C:\WINDOWS\MXOALDR.EXE
PRC - [2003/07/15 20:09:18 | 000,110,592 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2003/06/25 11:24:48 | 000,049,152 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
PRC - [2002/10/07 00:23:20 | 000,090,112 | ---- | M] () -- C:\Program Files\HP\Digital Imaging\Unload\HpqCmon.exe
PRC - [2002/08/13 15:30:57 | 000,086,016 | ---- | M] (Iomega) -- C:\Program Files\Iomega\DriveIcons\Imgicon.exe
PRC - [2002/06/03 11:38:12 | 000,049,152 | ---- | M] (ScanSoft, Inc) -- C:\Program Files\ScanSoft\OmniPageSE\opware32.exe


========== Modules (SafeList) ==========

MOD - [2011/05/05 13:02:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Barnabas Netherwood\Desktop\fix tools\OTL.exe
MOD - [2011/02/23 16:04:17 | 000,197,208 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\snxhk.dll
MOD - [2010/08/23 17:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2003/07/15 20:08:52 | 000,065,536 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll
MOD - [2002/08/06 14:01:54 | 000,286,720 | ---- | M] (Iomega Corporation) -- C:\Program Files\Iomega\DriveIcons\Imghook.dll
MOD - [2002/06/03 11:37:50 | 000,167,936 | ---- | M] (ScanSoft, Inc) -- C:\Program Files\ScanSoft\OmniPageSE\ophook32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (PEVSystemStart)
SRV - File not found [Disabled | Stopped] -- -- (Iomega Activity Disk2)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/02/23 16:04:19 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2008/04/13 19:45:15 | 000,049,408 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\stream.sys -- (Shfsvcxp)
SRV - [2005/05/06 13:49:11 | 000,068,096 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- (Macromedia Licensing Service)
SRV - [2004/12/03 11:52:38 | 000,073,728 | ---- | M] (Iomega Corporation) [Auto | Running] -- C:\Program Files\Iomega\System32\AppServices.exe -- (Iomega App Services)
SRV - [2004/07/30 16:47:36 | 000,110,592 | ---- | M] (Dantz Development Corporation) [Auto | Stopped] -- C:\Program Files\Dantz\Retrospect Express HD\rthlpsvc.exe -- (RetroExp Helper)
SRV - [2004/07/30 16:47:36 | 000,069,632 | ---- | M] (Dantz Development Corporation) [Auto | Running] -- C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe -- (RetroExpLauncher)
SRV - [2003/11/03 12:47:08 | 000,053,248 | ---- | M] (GEAR Software) [Disabled | Stopped] -- C:\WINDOWS\system32\gearsec.exe -- (GEARSecurity)


========== Driver Services (SafeList) ==========

DRV - [2011/02/23 15:56:55 | 000,371,544 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/02/23 15:56:45 | 000,301,528 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/02/23 15:55:49 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/02/23 15:55:47 | 000,102,232 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/02/23 15:55:10 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/02/23 15:54:57 | 000,030,680 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/02/23 15:54:55 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/04/01 14:31:50 | 000,023,424 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Motousbnet.sys -- (Motousbnet)
DRV - [2010/01/25 19:56:44 | 000,009,472 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motusbdevice.sys -- (motusbdevice)
DRV - [2009/10/27 12:02:14 | 000,023,936 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2009/07/10 13:01:06 | 000,025,856 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motoandroid.sys -- (androidusb)
DRV - [2009/06/19 16:59:34 | 000,019,712 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgp.sys -- (motccgp)
DRV - [2009/05/08 11:56:12 | 000,042,752 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motodrv.sys -- (MotDev)
DRV - [2009/01/29 17:18:00 | 000,008,320 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgpfl.sys -- (motccgpfl)
DRV - [2009/01/29 17:11:20 | 000,006,016 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motfilt.sys -- (BTCFilterService)
DRV - [2009/01/06 03:23:14 | 000,016,694 | ---- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2007/11/02 15:51:30 | 000,006,400 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motswch.sys -- (MotoSwitchService)
DRV - [2005/10/15 19:12:58 | 000,215,424 | ---- | M] (clievideo.com) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\palmcamusb.sys -- (PALMCAMUSB)
DRV - [2005/02/06 15:23:34 | 000,022,272 | ---- | M] (Doug Fetter Software Wizardry) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbmn1x1.sys -- (USBMN1X1)
DRV - [2005/02/06 15:23:34 | 000,013,504 | ---- | M] (MIDIMAN) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usb11ldr.sys -- (USB11LDR)
DRV - [2004/12/03 11:52:50 | 000,050,898 | ---- | M] (Iomega Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\iomdisk.sys -- (iomdisk)
DRV - [2004/08/09 18:49:40 | 000,014,592 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)
DRV - [2004/08/03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/07/23 21:11:42 | 000,020,272 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\Drivers\Parclass.sys -- (Parclass)
DRV - [2004/04/30 09:37:02 | 000,160,640 | ---- | M] ( ) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\a347bus.sys -- (a347bus)
DRV - [2004/04/30 09:33:00 | 000,005,248 | ---- | M] ( ) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\a347scsi.sys -- (a347scsi)
DRV - [2004/04/29 15:10:06 | 000,274,688 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camchal.sys -- (CAMCHALA)
DRV - [2004/04/29 15:09:20 | 000,292,352 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camcaud.sys -- (CAMCAUD)
DRV - [2004/04/02 02:07:44 | 000,163,390 | R--- | M] (Roland Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rdwm1046.sys -- (RDID1046)
DRV - [2004/03/03 22:30:54 | 000,125,184 | ---- | M] (Ahead Software AG) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\imagesrv.sys -- (imagesrv)
DRV - [2004/03/02 07:11:00 | 000,169,086 | R--- | M] (Roland Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rdwm1006.sys -- (RD1006)
DRV - [2003/12/04 13:29:58 | 000,286,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2003/11/25 12:22:54 | 000,068,352 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnic51.sys -- (RTL8023)
DRV - [2003/10/10 12:23:48 | 000,032,640 | ---- | M] (Cypress Semiconductor) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MXOFX.SYS -- (MXOFX) USB Storage Adapter FX (MXO)
DRV - [2003/08/18 13:57:52 | 000,007,080 | ---- | M] (Hewlett-Packard Company) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2003/08/15 16:10:00 | 000,068,480 | ---- | M] (ENE Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\EMCR7SK.sys -- (EMCR)
DRV - [2003/07/16 07:27:40 | 000,043,264 | R--- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ser2pl.sys -- (Ser2pl)
DRV - [2003/06/06 11:46:16 | 000,005,220 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\eabusb.sys -- (eabusb)
DRV - [2003/05/05 14:32:06 | 000,067,072 | ---- | M] (WIBU-SYSTEMS AG) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Wibukey.sys -- (WIBUKEY)
DRV - [2003/05/01 14:42:00 | 000,030,592 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\strmdisp.sys -- (StreamDispatcher)
DRV - [2003/05/01 14:40:00 | 000,165,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2003/05/01 14:38:00 | 000,622,848 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/05/01 14:37:00 | 001,107,200 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2003/04/02 11:02:26 | 000,007,040 | ---- | M] (EnE Technology Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\ENECBPTH.sys -- (ENECBPTH)
DRV - [2001/08/17 09:46:40 | 000,006,400 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\enum1394.sys -- (ENUM1394)
DRV - [2001/08/17 08:13:20 | 000,027,164 | ---- | M] (Xircom, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CE3N5.SYS -- (CE3)
DRV - [2001/01/03 00:53:30 | 000,019,677 | ---- | M] (Thesycon GmbH, Germany) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xbreader.sys -- (xbreader) MaxDrive XBox Driver (xbreader.sys)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:2.0.2
FF - prefs.js..extensions.enabledItems: {dd3d7613-0246-469d-bc65-2a3cc1668adc}:0.7.1.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}:6.0.25
FF - prefs.js..network.proxy.http: "95.48.212.219"
FF - prefs.js..network.proxy.http_port: 3128
FF - prefs.js..network.proxy.socks_remote_dns: true
FF - prefs.js..network.proxy.type: 0


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/09 18:33:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/09 18:33:46 | 000,000,000 | ---D | M]

[2011/01/11 01:42:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Mozilla\Extensions
[2011/01/11 01:42:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Mozilla\Extensions\celtx@celtx.com
[2011/05/09 18:22:24 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Mozilla\Firefox\Profiles\q0cahxoy.default\extensions
[2010/10/23 16:31:36 | 000,000,000 | ---D | M] (BlockSite) -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Mozilla\Firefox\Profiles\q0cahxoy.default\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
[2011/03/12 19:14:57 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Mozilla\Firefox\Profiles\q0cahxoy.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2011/05/09 18:24:12 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/05/09 18:02:59 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
[2011/05/09 18:02:15 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/05/09 17:08:49 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe (Iomega Corporation)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\HpqCmon.exe ()
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe (Iomega)
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe (Hewlett-Packard)
O4 - HKLM..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\Imgicon.exe (Iomega)
O4 - HKLM..\Run: [KONICA MINOLTA PagePro 1400W STD] C:\WINDOWS\System32\MSTMON_Y.EXE (KONICA MINOLTA BUSINESS TECHNOLOGIES, INC.)
O4 - HKLM..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\Utils\OneTouch.exe (Maxtor Corporation)
O4 - HKLM..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE (Cypress Semiconductor)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe (ScanSoft, Inc)
O4 - HKLM..\Run: [RetroExpress] C:\Program Files\Dantz\Retrospect Express HD\RetroExpress.exe (Dantz Development Corporation)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKCU..\Run: [NBJ] C:\Program Files\Ahead\Nero BackItUp\NBJ.exe (Ahead Software AG)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe (PalmSource, Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk = C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe (Matsushita Electric Industrial Co., Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Suitcase Startup.lnk = C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe (Extensis Products Group)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - Explorer.exe (Kaspersky Lab ZAO)
O24 - Desktop WallPaper: C:\Documents and Settings\Barnabas Netherwood\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Barnabas Netherwood\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {93994DE8-8239-4655-B1D1-5F4E91300429} - C:\Program Files\DVD Region-Free\DVDShell.dll (Fengtao Software)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/04/22 20:46:35 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: - File not found
Drivers32: midi - C:\WINDOWS\System32\usbmn1x1.dll (Doug Fetter Software Wizardry)
Drivers32: midi1 - C:\WINDOWS\System32\usbmn1x1.dll (Doug Fetter Software Wizardry)
Drivers32: midi2 - C:\WINDOWS\System32\rddv1046.dll (Roland Corporation)
Drivers32: mixer9 - C:\WINDOWS\System32\rddv1006.dll (Roland Corporation)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Ligos Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll (Ligos Corporation)
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll (Ligos Corporation)
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Ligos Corporation)
Drivers32: VIDC.VIFP - C:\WINDOWS\System32\VFCodec.dll ()
Drivers32: vidc.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: wave - C:\WINDOWS\System32\rddv1046.dll (Roland Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2011/05/09 18:31:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Foxit Software
[2011/05/09 18:31:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Foxit Reader
[2011/05/09 18:29:37 | 000,000,000 | ---D | C] -- C:\Program Files\Foxit Software
[2011/05/09 18:03:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/05/09 09:54:10 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/05/08 20:44:37 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/05/06 19:02:59 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/05/06 18:55:54 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/05/06 18:55:54 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/05/06 18:55:54 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/05/06 18:55:54 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/05/06 18:55:04 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/05/06 17:49:52 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/05/06 17:44:19 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Barnabas Netherwood\UserData
[2011/04/27 14:28:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/04/27 14:26:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/04/24 12:43:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/04/22 20:46:35 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2011/04/22 18:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\QuickScan
[2011/04/22 18:24:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/04/22 18:20:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
[2011/04/22 18:20:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
[2011/04/22 16:58:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/04/22 11:42:47 | 000,000,000 | ---D | C] -- C:\TRK-INFECTED
[2011/04/21 02:40:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Barnabas Netherwood\Desktop\GB related
[2010/09/24 22:22:36 | 000,160,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347bus.sys
[2010/09/24 22:22:36 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347scsi.sys
[2007/02/28 15:28:56 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Barnabas Netherwood\Application Data\pcouffin.sys

========== Files - Modified Within 30 Days ==========

[2011/05/09 18:34:01 | 000,001,032 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2700728924-2894260721-178917511-1007UA.job
[2011/05/09 18:17:33 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/09 18:17:26 | 1072,746,496 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/09 17:08:49 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/05/08 22:37:18 | 000,002,386 | ---- | M] () -- C:\Documents and Settings\Barnabas Netherwood\Desktop\Google Chrome.lnk
[2011/05/08 22:37:18 | 000,002,364 | ---- | M] () -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/05/08 18:02:16 | 004,342,022 | R--- | M] () -- C:\Documents and Settings\Barnabas Netherwood\Desktop\ComboFix.exe
[2011/05/08 14:23:35 | 000,000,054 | ---- | M] () -- C:\Documents and Settings\Barnabas Netherwood\defogger_reenable
[2011/05/08 14:10:18 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/07 12:40:31 | 000,000,980 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2700728924-2894260721-178917511-1007Core.job
[2011/05/06 19:03:09 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/04/27 14:26:15 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/22 16:50:01 | 000,015,899 | ---- | M] () -- C:\WINDOWS\MSTMON_Y.INI
[2011/04/21 03:22:24 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/04/21 03:22:20 | 000,059,392 | ---- | M] () -- C:\Documents and Settings\Barnabas Netherwood\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/21 02:09:41 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2011/04/20 14:17:06 | 003,718,094 | ---- | M] () -- C:\Documents and Settings\Barnabas Netherwood\Desktop\deposit-bond-scheme.pdf
[2011/04/20 14:16:10 | 000,041,168 | ---- | M] () -- C:\Documents and Settings\Barnabas Netherwood\Desktop\h_tenancy_deposits.pdf
[2011/04/15 12:58:53 | 000,210,488 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/15 12:41:21 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/04/14 16:21:48 | 000,337,681 | ---- | M] () -- C:\Documents and Settings\Barnabas Netherwood\My Documents\GODKING ASSEMBLY 2.modded.C2.pdf
[2011/04/14 16:21:48 | 000,337,681 | ---- | M] () -- C:\Documents and Settings\Barnabas Netherwood\My Documents\God Grant Us Safe Teleport.pdf

========== Files Created - No Company Name ==========

[2011/05/08 16:51:00 | 1072,746,496 | -HS- | C] () -- C:\hiberfil.sys
[2011/05/08 14:23:33 | 000,000,054 | ---- | C] () -- C:\Documents and Settings\Barnabas Netherwood\defogger_reenable
[2011/05/06 19:03:09 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/05/06 19:03:07 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/05/06 18:55:54 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/06 18:55:54 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/06 18:55:54 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/06 18:55:54 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/06 18:55:54 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/05/06 17:41:54 | 004,342,022 | R--- | C] () -- C:\Documents and Settings\Barnabas Netherwood\Desktop\ComboFix.exe
[2011/04/20 14:17:04 | 003,718,094 | ---- | C] () -- C:\Documents and Settings\Barnabas Netherwood\Desktop\deposit-bond-scheme.pdf
[2011/04/20 14:16:07 | 000,041,168 | ---- | C] () -- C:\Documents and Settings\Barnabas Netherwood\Desktop\h_tenancy_deposits.pdf
[2011/04/14 16:22:57 | 000,337,681 | ---- | C] () -- C:\Documents and Settings\Barnabas Netherwood\My Documents\God Grant Us Safe Teleport.pdf
[2011/04/14 16:21:48 | 000,337,681 | ---- | C] () -- C:\Documents and Settings\Barnabas Netherwood\My Documents\GODKING ASSEMBLY 2.modded.C2.pdf
[2011/03/25 13:24:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PasswordsPlus.INI
[2011/03/17 03:09:31 | 000,161,084 | ---- | C] () -- C:\WINDOWS\DirectShow Detective Uninstaller.exe
[2011/03/10 17:58:43 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\FileOps.exe
[2011/02/11 17:16:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\WATCH.INI
[2011/02/10 19:41:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ui.INI
[2011/01/25 03:16:55 | 000,015,899 | ---- | C] () -- C:\WINDOWS\MSTMON_Y.INI
[2011/01/25 03:16:55 | 000,012,244 | ---- | C] () -- C:\WINDOWS\MSUMLT_Y.INI
[2010/11/18 00:55:37 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/09/30 16:43:18 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\Gif89.dll
[2010/05/14 13:49:21 | 000,065,793 | ---- | C] () -- C:\WINDOWS\System32\esfw7a.bin
[2010/04/29 17:27:40 | 000,000,005 | ---- | C] () -- C:\Documents and Settings\Barnabas Netherwood\Application Data\.sunvox_pateditor
[2010/01/10 20:18:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/01/09 18:53:22 | 003,997,696 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2009/12/22 15:15:27 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A5W.INI
[2009/11/20 02:50:11 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/12/12 03:35:40 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat
[2008/03/26 01:04:42 | 000,000,342 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2008/01/23 15:28:27 | 000,000,004 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\sysqcl1129139270.dat
[2008/01/15 05:19:08 | 000,000,562 | ---- | C] () -- C:\Documents and Settings\Barnabas Netherwood\Application Data\AutoGK.ini
[2007/06/12 12:09:20 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2007/06/12 12:09:20 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2007/06/12 12:09:20 | 000,024,903 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2007/06/12 12:09:20 | 000,021,390 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2007/06/12 12:09:20 | 000,020,148 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2007/06/12 12:09:20 | 000,011,811 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2007/06/12 12:09:20 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2007/06/12 12:09:20 | 000,001,146 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_DU.dat
[2007/06/12 12:09:20 | 000,001,139 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2007/06/12 12:09:20 | 000,001,139 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2007/06/12 12:09:20 | 000,001,136 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2007/06/12 12:09:20 | 000,001,129 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2007/06/12 12:09:20 | 000,001,129 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2007/06/12 12:09:20 | 000,001,120 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_IT.dat
[2007/06/12 12:09:20 | 000,001,107 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_GE.dat
[2007/06/12 12:09:20 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2007/04/29 12:20:59 | 001,232,803 | ---- | C] () -- C:\WINDOWS\LightWave 3D 9.2 Uninstaller.exe
[2007/03/28 15:12:20 | 000,165,042 | ---- | C] () -- C:\WINDOWS\Video Perspective Uninstaller.exe
[2007/03/22 03:56:28 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\MMSwitch.dll
[2007/03/22 03:56:28 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\MMAVILNG.exe
[2007/02/28 15:28:56 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Barnabas Netherwood\Application Data\ezpinst.exe
[2007/02/28 15:28:56 | 000,007,824 | ---- | C] () -- C:\Documents and Settings\Barnabas Netherwood\Application Data\pcouffin.cat
[2007/02/28 15:28:56 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Barnabas Netherwood\Application Data\pcouffin.inf
[2006/11/28 15:53:51 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7C.DLL
[2006/11/02 03:08:42 | 000,000,059 | ---- | C] () -- C:\WINDOWS\ANS2000.INI
[2006/11/02 03:08:42 | 000,000,020 | -H-- | C] () -- C:\WINDOWS\akebook.ini
[2006/11/02 03:08:42 | 000,000,004 | -H-- | C] () -- C:\WINDOWS\a3kebook.ini
[2006/09/10 16:35:33 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2006/09/10 16:35:33 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2006/09/10 16:35:33 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2006/09/10 16:35:33 | 000,000,205 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2006/09/10 16:35:33 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
[2006/08/11 13:46:09 | 000,000,477 | ---- | C] () -- C:\WINDOWS\DVDFabGold.INI
[2006/07/21 13:16:44 | 000,000,147 | ---- | C] () -- C:\WINDOWS\Muxman.ini
[2006/07/02 19:12:18 | 000,038,401 | R--- | C] () -- C:\WINDOWS\System32\RdCi1006.dll
[2006/07/02 19:12:17 | 000,004,088 | R--- | C] () -- C:\WINDOWS\System32\Rd4t1006.DAT
[2006/07/02 18:58:29 | 000,038,401 | R--- | C] () -- C:\WINDOWS\System32\RdCi1046.dll
[2006/07/02 18:58:28 | 000,004,088 | R--- | C] () -- C:\WINDOWS\System32\Rd4t1046.DAT
[2006/06/23 14:29:54 | 000,002,501 | ---- | C] () -- C:\WINDOWS\Palm OS Emulator.ini
[2006/06/13 11:59:09 | 000,090,112 | ---- | C] () -- C:\WINDOWS\RSetupPalmEn.exe
[2006/06/09 10:27:22 | 000,000,075 | ---- | C] () -- C:\WINDOWS\FileNamesinQueue.ini
[2006/05/12 18:16:27 | 000,000,906 | ---- | C] () -- C:\Documents and Settings\Barnabas Netherwood\Application Data\DVDSubEdit.ini
[2006/05/12 14:04:34 | 000,163,426 | ---- | C] () -- C:\WINDOWS\Video Cleaner Pro Uninstaller.exe
[2006/05/08 12:53:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2006/04/14 01:35:26 | 000,041,984 | ---- | C] () -- C:\WINDOWS\System32\KEYSETUP.EXE
[2006/04/14 01:35:26 | 000,030,720 | ---- | C] () -- C:\WINDOWS\System32\PARCLASS.EXE
[2006/04/14 01:35:26 | 000,012,048 | ---- | C] () -- C:\WINDOWS\System32\PPMON.EXE
[2006/04/14 01:35:26 | 000,007,440 | ---- | C] () -- C:\WINDOWS\System32\PPMON.DLL
[2006/03/17 12:17:40 | 000,000,001 | -H-- | C] () -- C:\WINDOWS\mulch100.ini
[2005/12/29 17:18:37 | 000,111,932 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2005/12/29 17:18:37 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2005/12/29 17:18:36 | 000,026,154 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2005/12/29 17:00:40 | 000,000,025 | ---- | C] () -- C:\WINDOWS\CDE RX420EI.ini
[2005/12/12 15:49:50 | 000,002,076 | ---- | C] () -- C:\WINDOWS\energyXT.ini
[2005/11/06 15:55:59 | 000,000,448 | ---- | C] () -- C:\WINDOWS\IfoEdit.INI
[2005/11/06 15:20:54 | 000,000,133 | ---- | C] () -- C:\WINDOWS\VobEdit.INI
[2005/09/13 20:17:05 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[2005/07/16 10:57:57 | 012,550,144 | ---- | C] () -- C:\WINDOWS\CS-80V(10 voices).dll
[2005/04/25 13:18:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\graphedt.INI
[2005/04/12 13:36:58 | 000,000,525 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2005/04/07 15:18:42 | 000,000,095 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2005/03/31 02:40:30 | 000,528,384 | ---- | C] () -- C:\WINDOWS\System32\BladeEnc.dll
[2005/03/31 02:40:29 | 000,120,832 | ---- | C] () -- C:\WINDOWS\System32\ShnDll32.dll
[2005/03/19 20:51:58 | 000,000,032 | ---- | C] () -- C:\WINDOWS\System32\msvcsv60.dll
[2005/03/19 20:51:58 | 000,000,032 | ---- | C] () -- C:\WINDOWS\msocreg32.dat
[2005/02/22 02:28:35 | 000,000,253 | ---- | C] () -- C:\WINDOWS\WSHORTEN.INI
[2005/02/16 01:22:05 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\FDlg.dll
[2005/02/04 04:59:48 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\metaflac.exe
[2005/02/04 04:59:44 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\flac.exe
[2005/01/31 15:47:04 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/01/18 14:13:09 | 000,000,091 | ---- | C] () -- C:\WINDOWS\quadriga.ini
[2005/01/18 14:10:21 | 000,000,259 | ---- | C] () -- C:\WINDOWS\boxworld.ini
[2005/01/14 14:16:27 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/01/14 14:03:30 | 000,000,067 | ---- | C] () -- C:\WINDOWS\DVDRegionFree.INI
[2005/01/12 13:16:10 | 000,000,028 | ---- | C] () -- C:\WINDOWS\MotionDVSTUDIO.INI
[2005/01/12 12:55:26 | 000,274,432 | ---- | C] () -- C:\WINDOWS\System32\P_MPEG4.dll
[2005/01/11 13:30:04 | 000,118,784 | ---- | C] () -- C:\WINDOWS\dsdxirmv.exe
[2005/01/02 01:36:38 | 000,000,041 | ---- | C] () -- C:\WINDOWS\winampa.ini
[2005/01/01 00:35:22 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/12/28 00:56:57 | 000,059,392 | ---- | C] () -- C:\Documents and Settings\Barnabas Netherwood\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/12/22 10:36:43 | 000,034,468 | ---- | C] () -- C:\WINDOWS\hpomdl03.dat
[2004/12/22 10:36:43 | 000,028,917 | ---- | C] () -- C:\WINDOWS\hpoins03.dat
[2004/12/22 09:02:47 | 000,034,468 | ---- | C] () -- C:\WINDOWS\hpomdl03.dat.temp
[2004/12/22 09:02:47 | 000,028,917 | ---- | C] () -- C:\WINDOWS\hpoins03.dat.temp
[2004/12/22 04:41:29 | 000,000,142 | ---- | C] () -- C:\Documents and Settings\Barnabas Netherwood\Local Settings\Application Data\fusioncache.dat
[2004/12/22 04:21:53 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2004/12/22 04:21:53 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2004/12/22 04:21:53 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2004/12/22 04:21:53 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2004/12/22 04:21:53 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2004/12/22 04:21:53 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2004/12/20 11:08:28 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2004/12/20 11:03:26 | 000,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2004/10/15 10:43:12 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\ArtFfct.dll
[2004/08/26 12:53:14 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\MXONmSpace.dll
[2004/08/26 12:49:52 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\MXONmSpMFC.dll
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/06/14 10:55:52 | 000,110,080 | ---- | C] () -- C:\WINDOWS\System32\nlame.dll
[2004/06/14 10:45:38 | 000,782,336 | ---- | C] () -- C:\WINDOWS\System32\pqdvdb.dll
[2004/06/14 10:45:38 | 000,654,336 | ---- | C] () -- C:\WINDOWS\System32\pqdvdf.exe
[2003/07/16 14:21:12 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2003/07/16 14:21:06 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/07/16 14:18:46 | 000,381,094 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/07/16 14:18:46 | 000,053,276 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/07/16 14:13:08 | 000,210,488 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/07/16 14:09:24 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/07/16 14:06:40 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2003/05/03 16:21:34 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[2003/05/03 16:09:54 | 000,000,137 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/05/03 16:09:13 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/03/31 03:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/03/31 03:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/03/31 03:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/03/31 03:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2003/03/31 03:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/03/31 03:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/03/31 03:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2002/10/15 23:54:04 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2002/06/18 09:04:38 | 000,001,783 | ---- | C] () -- C:\Program Files\Enhancements_Import_1_0.dtd
[2002/06/17 20:36:10 | 000,482,816 | ---- | C] () -- C:\WINDOWS\System32\VFCodec.dll
[2002/05/28 09:55:42 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/05/28 09:54:40 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

========== LOP Check ==========

[2005/04/09 00:18:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ableton
[2010/10/05 16:38:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/05/06 01:13:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avg7
[2007/05/16 15:01:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cakewalk
[2009/01/06 03:45:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DataViz
[2009/05/06 12:06:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Final Draft
[2009/01/10 01:37:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FlashFXP
[2009/01/06 03:28:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HotSync
[2006/09/10 16:35:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Minnetonka Audio Software
[2005/01/12 13:14:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Panasonic
[2010/11/18 02:52:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Panda Security
[2005/04/21 00:57:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Quark
[2011/05/09 18:27:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RetroExp
[2006/05/12 15:06:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\River Past G4
[2011/03/17 03:09:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\River Past G5
[2010/11/22 14:29:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sound Quest
[2005/04/12 13:37:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
[2005/04/12 13:37:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanWizard
[2008/01/23 14:25:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TreeCardGames
[2005/12/29 17:22:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UDL
[2005/12/14 21:05:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Ableton
[2006/09/28 02:18:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Active Disk
[2005/12/22 02:04:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Applied Acoustics Systems
[2008/09/19 02:32:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Archibald's Adventures
[2007/05/18 12:31:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Cakewalk
[2006/12/12 15:08:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Canon
[2009/01/13 01:03:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\CoSoSys
[2010/01/15 04:15:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\enchant
[2010/05/14 14:03:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\EPSON
[2005/10/26 14:51:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\FabFilter
[2005/01/01 04:10:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Final Draft
[2011/05/09 18:31:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Foxit Software
[2010/05/11 16:51:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\gtk-2.0
[2009/01/06 03:23:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\HotSync
[2009/01/13 01:50:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\ImgBurn
[2004/12/22 05:10:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\InterVideo
[2004/12/24 12:21:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Leadertech
[2011/01/27 13:42:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Local
[2005/10/08 00:54:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\MCMPEGEnc
[2007/05/18 11:37:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\MoyeaFLV2Video
[2005/11/14 15:37:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\NetMedia Providers
[2007/06/12 12:09:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Panasonic
[2010/11/18 02:55:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Panda Security
[2008/07/15 02:54:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Pegasys Inc
[2010/01/08 15:55:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Program Files
[2005/11/14 15:37:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Publish Providers
[2005/04/21 01:01:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Quark
[2009/11/14 03:29:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\REAPER
[2006/05/12 15:06:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\River Past G4
[2011/03/17 03:11:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\River Past G5
[2005/04/12 13:37:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\ScanSoft
[2008/01/23 14:34:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\SolSuite
[2005/02/13 14:07:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Sony
[2005/05/01 11:41:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Steinberg
[2011/04/28 00:46:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Thinstall
[2010/01/09 03:50:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Toon Boom Animation
[2010/09/24 21:58:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\uTorrent
[2010/12/12 22:16:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Vso
[2005/12/27 17:46:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barnabas Netherwood\Application Data\Waves Audio

========== Purity Check ==========



========== Custom Scans ==========


< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\shell\open\command\\: "C:\Documents and Settings\Barnabas Netherwood\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2011/05/06 20:50:10 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/05/09 18:33:32 | 000,552,464 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/05/09 18:33:32 | 000,552,464 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/05/09 18:33:32 | 000,552,464 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/05/09 18:33:27 | 000,912,344 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/05/09 18:33:27 | 000,912,344 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/05/09 18:33:27 | 000,912,344 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\Barnabas Netherwood\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons [2011/05/06 20:50:10 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\Barnabas Netherwood\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons [2011/05/06 20:50:10 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\Barnabas Netherwood\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/05/06 20:50:10 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Documents and Settings\Barnabas Netherwood\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2011/05/06 20:50:10 | 001,010,232 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/02/17 12:43:27 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/02/17 12:43:27 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/02/17 12:43:27 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2011/02/14 13:17:08 | 000,634,648 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\MSN Explorer\shell\open\command\\: "C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE" [2003/03/31 03:00:00 | 000,094,208 | ---- | M] (Microsoft Corporation)

< %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-05-07 11:35:53

< End of report >
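
The custom scan above dumps the command each registered browser launches from HKLM\Software\Clients\StartMenuInternet, together with the modification time, size and publisher of the target binary, and then reads the Windows Update LastSuccessTime value. A hijacked browser entry shows up there as an unexpected path or an unsigned file. The following is an added example, not part of this thread or of OTL, that repeats the same check in PowerShell and additionally verifies the Authenticode signature of every resolved executable. It assumes PowerShell 3.0 or later and is read-only; the function names are this example's own.

```powershell
# Added example (not from OTL or this thread): re-check what OTL's custom scan of
# HKLM\Software\Clients\StartMenuInternet reported, and go one step further by
# verifying the Authenticode signature of each browser executable. Read-only.
# On 64-bit Windows, 32-bit browsers register under SOFTWARE\Wow6432Node instead.

# Extract the executable from a shell\open\command value. Quoted paths are easy;
# unquoted paths containing spaces (the Firefox entry in the log above) need the
# lazy match up to the first ".exe".
function Get-CommandExecutable {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')        { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

# Describe one registered browser: resolved path, file facts and signature status.
function Get-BrowserCommandInfo {
    param([string]$ClientsRoot = 'HKLM:\SOFTWARE\Clients\StartMenuInternet')
    Get-ChildItem -Path $ClientsRoot | ForEach-Object {
        $cmdKey = Join-Path -Path $_.PSPath -ChildPath 'shell\open\command'
        if (-not (Test-Path -Path $cmdKey)) { return }
        $cmd  = (Get-ItemProperty -Path $cmdKey).'(default)'
        $exe  = Get-CommandExecutable -Command $cmd
        $file = $null
        $sig  = $null
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $file = Get-Item -LiteralPath $exe
            $sig  = Get-AuthenticodeSignature -FilePath $exe
        }
        [pscustomobject]@{
            Client    = $_.PSChildName
            Command   = $cmd
            Exists    = [bool]$file
            Modified  = if ($file) { $file.LastWriteTime } else { $null }
            Size      = if ($file) { $file.Length } else { $null }
            # Valid, NotSigned, HashMismatch, UnknownError ...
            Signature = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Read the LastSuccessTime value queried at the end of the log and report its age.
function Get-LastUpdateSuccess {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install'
    $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).LastSuccessTime
    if (-not $raw) { return $null }
    $when = [datetime]::ParseExact($raw, 'yyyy-MM-dd HH:mm:ss',
                                   [Globalization.CultureInfo]::InvariantCulture)
    [pscustomobject]@{ LastSuccessTime = $when; DaysAgo = [int]((Get-Date) - $when).TotalDays }
}

Get-BrowserCommandInfo | Format-Table -AutoSize
Get-LastUpdateSuccess
```

Anything other than Valid from a vendor you recognise deserves a second look: NotSigned on a file that claims to be a major browser, or HashMismatch (the bytes were changed after signing), is the kind of finding that this scan exists to surface. A LastSuccessTime more than a month old means the machine has been missing the patches that browser exploit kits rely on.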

#25 SweetTech (Malware Response Team)

Posted 09 May 2011 - 12:43 PM

Hello,

Your logs appear to be clean, so if you have no further issues with your computer, then please proceed with the following housekeeping procedures outlined below.



Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following text into the Run box and click OK: ComboFix /Uninstall



NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Commands
    [ClearAllRestorePoints]

  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.



NEXT:



OTL Clean-Up

We Need to Clean Up our Mess
Our work on your machine has left considerable leftovers on your box. Let's clean those up real quick:
  • Reopen OTL on your desktop.
  • Click on CleanUp
  • You will be prompted to reboot your system. Please do so.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.


NEXT:



All Clean Speech

===> Make sure you've re-enabled any Security Programs that we may have disabled during the malware removal process. <===



Below I have included a number of recommendations for how to protect your computer against malware infections.


Updated Anti-Virus Program
It's essential that you have an updated anti-virus program running on your computer. You don't want to run more than one, as it can cause program conflicts as well as false positives.

You can view an excellent list of Free Security Software programs that has been compiled by GeekstoGo.


Avoid P2P Programs

Remember that no matter how clean the program you're using for peer-to-peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via p2p filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Some further readings on this subject, along with the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

If you have any of these programs installed then I highly suggest you uninstall them.

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.


Internet Browsers

Many of the users that I assist here on the forums ask me which programs they can use to prevent themselves from getting infected again in the future. The best answer I can give you is to practice safe browsing.

Please consider using an alternative browser such as Google Chrome or Opera. They are both much more secure than Internet Explorer, immune to almost all known browser hijackers, and also have great built-in pop-up blockers.

I also suggest you make your Internet Explorer more secure.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.



Extra Goodies

  • It is good security practice to change the passwords to all your online accounts on a fairly regular basis. This is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    then consider a password keeper, to keep all your passwords safe.

  • Keep Windows updated by regularly checking their website at: http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • You should run an updated scan with MalwareBytes' Anti-Malware weekly. Instructions are included below:

    • Open Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Check for Updates


  • Be wary of e-mails from unknown senders. Keep the following in mind as well: if it's too good to be true, then it more than likely is.


  • FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.

  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for Chrome and Opera.

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.

Cheers,
SweetTech.
Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
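
The "Make Internet Explorer more secure" steps in the post above change three Internet-zone settings through Inetcpl.cpl. The script below is an added example, not from the thread, that audits the same three settings in the registry and, with -Apply, writes the values the post asks for. It assumes the per-user Internet zone (Zones\3 under HKCU) is in effect, i.e. the zone settings have not been locked to HKLM by policy, and PowerShell 3.0 or later; the action IDs and value meanings (0 = Enable, 1 = Prompt, 3 = Disable) are Microsoft's documented URL-action IDs (KB182569). The function and variable names are this example's own.

```powershell
# Added example (not from the thread): check, and with -Apply enforce, the three
# ActiveX settings that the "Make Internet Explorer more secure" steps change via
# Inetcpl.cpl. Assumes the per-user Internet zone (Zones\3) is in effect, i.e. the
# zone settings are not locked to HKLM by policy. Action IDs and value meanings
# (0 = Enable, 1 = Prompt, 3 = Disable) are the URL-action IDs from KB182569.

$InternetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ValueLabel   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# What the post asks for. Setting 1004 to 3 (Disable) would be stricter than the
# post's Prompt and is the better choice if you never need unsigned controls.
$Wanted = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Value = 1 }
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Value = 1 }
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
)

function Test-IeActiveXSettings {
    param([switch]$Apply)   # without -Apply the function only reports
    $props = Get-ItemProperty -Path $InternetZone
    foreach ($s in $Wanted) {
        $current   = $props.($s.Id)
        $compliant = ($current -eq $s.Value)
        if (-not $compliant -and $Apply) {
            Set-ItemProperty -Path $InternetZone -Name $s.Id -Value $s.Value -Type DWord
            $compliant = $true
        }
        [pscustomobject]@{
            Id        = $s.Id
            Setting   = $s.Name
            Current   = if ($null -eq $current) { 'not set (zone template default)' } else { $ValueLabel[[int]$current] }
            Wanted    = $ValueLabel[$s.Value]
            Compliant = $compliant
        }
    }
}

Test-IeActiveXSettings | Format-Table -AutoSize
# Test-IeActiveXSettings -Apply    # write the values; restart Internet Explorer afterwards
```

Run it once before and once after the Inetcpl.cpl steps to confirm the dialog actually wrote what you selected. A value of 0 (Enable) on 1201 is the one to worry about: it lets any page instantiate and script ActiveX controls that were never marked safe, which is exactly what drive-by installers rely on.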

#26 Norbert W (Member)

Posted 10 May 2011 - 08:05 AM

I have implemented the final measures you suggested.

OTL log:

========== COMMANDS ==========
Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.22.3 log created on 05102011_143122


Okay, it's dumb question time:

When all my problems kicked off there were two external hard drives connected and a network link (read/write access) to a partition on another computer. Should I scan these immediately after reconnecting them, and if so with what? Or do rootkits just sit on the primary partition and nowhere else?

Other than that, I think the issues have all been resolved and my computer is no longer behaving strangely. I am especially grateful to be free of the random freeze-ups and BSODs that were plaguing me at the start of the problem. Now I can get on with using the computer properly again.

Thank you very much for all your help and assistance.

EDIT: Perhaps I spoke too soon. I think the computer is mostly back to normal, however I did just get a random freeze-up. The only programs running were Windows Explorer and Firefox. I was listening to some streaming audio from the BBC iPlayer. There were one or two uncharacteristic audio glitches, after which I found that the normal mouse arrow had changed to a horizontal arrow pointing to the left and to the right (like a resize pointer). Additionally I could not interact with anything with the mouse, Alt-Tab had no effect and I couldn't bring up the Task Manager. The audio kept playing, however. Once it had finished the computer was still in the same state, so I had to force shutdown by holding down the power key. This computer never behaved like this prior to the Rootkit taking hold. Is it possible that there might be some kind of nastiness or resource clash still lurking in the system somewhere?

This post has been edited by Norbert W: 10 May 2011 - 11:01 AM


#27 SweetTech (Malware Response Team)

Posted 10 May 2011 - 11:28 AM

Hi!

Quote
    When all my problems kicked off there were two external hard drives connected and a network link (read/write access) to a partition on another computer. Should I scan these immediately after reconnecting them, and if so with what? Or do rootkits just sit on the primary partition and nowhere else?

I'd scan the external drives with an online scanner like ESET Online Scanner.

Quote
    This computer never behaved like this prior to the Rootkit taking hold. Is it possible that there might be some kind of nastiness or resource clash still lurking in the system somewhere?

I'd wait to see if this occurs again.

#28 Norbert W (Member)

Posted 10 May 2011 - 12:12 PM

Okay, thanks for that. Am currently running ESET. Hopefully all will be well!

#29 SweetTech (Malware Response Team)

Posted 10 May 2011 - 12:17 PM

:thumbsup:

This post has been edited by SweetTech: 10 May 2011 - 12:17 PM


#30 SweetTech (Malware Response Team)

Posted 14 May 2011 - 01:51 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
