TrendMicro picked up [Mal_Otorun1]


  • This topic is locked
18 replies to this topic

#1 Severas


  • Members
  • 22 posts

Posted 16 July 2009 - 07:48 PM

Referred from: http://www.bleepingcomputer.com/forums/t/241991/trendmicro-picked-up-mal-otorun1/ ~ OB

DDS (Ver_09-06-26.01) - NTFSx86
Run by HP_Administrator at 20:46:01.75 on 16/07/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.932.81.1033.18.2046.1305 [GMT -4:00]

AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\D-Link\AirPremier AG DWL-AG132 Utility\AirPMCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunesKeys\iTunesKeys.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Project64 1.6\Project64.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [c:\program files\netmeter\netmeter.exe] c:\program files\netmeter\NetMeter.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [D-Link AirPremier AG DWL-AG132 Utility] c:\program files\d-link\airpremier ag dwl-ag132 utility\AirPMCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218151252906
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\41i7ssdx.default\
FF - prefs.js: browser.search.selectedEngine - Orbit Search (Powered By Google)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\hp_administrator\local settings\application data\octoshape\octoshape streaming services\octoprogram-l03-nms0808270_sua_900\npoctoshape.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2005-3-8 377920]
S3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [2005-3-8 43392]
S3 NetHook_ControlCenter;ArtOfPing ControlCenter;\??\c:\program files\autotunnel gg\controlcenter.sys --> c:\program files\autotunnel gg\ControlCenter.sys [?]
S3 NetHook_Interceptor;ArtOfPing TDI Interceptor;\??\c:\program files\autotunnel gg\interceptor.sys --> c:\program files\autotunnel gg\Interceptor.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2009-07-16 13:23 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-16 13:23 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-16 13:23 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-16 01:23 --d----- c:\program files\Trend Micro
2009-07-15 23:19 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-07-15 17:14 --d----- c:\program files\SUPERAntiSpyware
2009-07-15 16:13 --d----- c:\documents and settings\hp_administrator\DoctorWeb
2009-07-15 15:11 --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-07-15 15:11 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-15 14:27 a-dshr-- C:\autorun.inf
2009-07-12 22:08 0 a---h--- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-07-12 22:08 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-07-12 22:07 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-07-12 01:57 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-07-12 01:57 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-07-12 01:57 14,640 -------- c:\windows\system32\spmsgXP_2k3.dll
2009-07-12 01:54 62,976 -------- c:\windows\system32\dllcache\cdrom.sys
2009-07-12 01:54 465,920 -------- c:\windows\system32\imapi2fs.dll
2009-07-12 01:54 465,920 -------- c:\windows\system32\dllcache\imapi2fs.dll
2009-07-12 01:54 317,952 -------- c:\windows\system32\imapi2.dll
2009-07-12 01:54 317,952 -------- c:\windows\system32\dllcache\imapi2.dll
2009-06-28 20:31 --d----- c:\program files\Ventrilo
2009-06-26 22:57 --d----- c:\program files\Activision

==================== Find3M ====================

2009-06-16 10:36 119,808 -------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 00:56 233,472 a------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 00:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 00:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 00:56 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-04-29 00:56 102,912 a------- c:\windows\system32\dllcache\occache.dll
2009-04-29 00:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 00:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 00:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 00:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 05:05 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 01:27 636,088 a------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 01:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-04-24 23:36 81,984 a------- c:\windows\system32\bdod.bin
2008-11-27 23:29 486 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2008-08-18 10:24 22,328 a------- c:\docume~1\hp_adm~1\applic~1\PnkBstrK.sys
2006-01-12 07:03 22 a--sh--- c:\windows\sminst\HPCD.SYS
2008-09-19 09:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091920080920\index.dat

============= FINISH: 20:46:29.53 ===============

Edited by Orange Blossom, 16 July 2009 - 07:52 PM.


#2 Severas

  • Topic Starter

  • Members
  • 22 posts

Posted 24 July 2009 - 01:57 PM

I did a virus scan today and I picked up another trojan. I got TROJ SWIZZOR.TND showing up. When I scanned using Trend Micro, Mal_Otorun1 had 2 infections showing, both showing dbyitxf.inf in C:\Program Files\Common Files\Microsoft Shared and C:\Program Files\Common Files\System. Both files are hidden and didn't show up until I ticked off the option to hide important system files.
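The DDS log in post #1 carries the clue that post #2 circles around: the attribute column. In that log `--d-----` marks the Malwarebytes and Trend Micro folders as directories, so the `a-dshr--` on `C:\autorun.inf` describes a hidden, system, read-only directory rather than a file; a directory of that name is the marker USB-inoculation tools leave behind so a worm cannot write an autorun.inf file there, and it deserves a note rather than a cleanup. The triage pass below is an added example, not code from the thread or from DDS. It reads those flags, flags hidden+system .inf files such as the two dbyitxf.inf detections, and separates the autorun.inf directory from an autorun.inf file at a drive root. The sample lines are copied from the DDS log above except the dbyitxf.inf line, which is constructed from post #2's description with an assumed size and attribute set (DDS did not list that file).

```python
import re
from dataclasses import dataclass

# DDS prints an 8-column attribute field before each path. Matching it
# against the log above ("--d-----" on folders, "a-------" on plain files)
# gives these columns: a=archive, d=directory, s=system, h=hidden, r=read-only;
# '-' means the flag is clear. Size may be absent (directories, some files).
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]*)\s*(?P<attrs>[a-z-]{8})\s+(?P<path>\S.*)$",
    re.IGNORECASE,
)

# Constructed sample: first four lines copied from the DDS log in post #1,
# the dbyitxf.inf line is assumed (size and attributes are invented).
SAMPLE_DDS = """\
=============== Created Last 30 ================

2009-07-16 13:23 38,160 a------- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2009-07-16 13:23 --d----- c:\\program files\\Malwarebytes' Anti-Malware
2009-07-15 14:27 a-dshr-- C:\\autorun.inf
2009-07-12 22:08 0 a---h--- c:\\windows\\system32\\drivers\\Msft_User_ZuneDriver_01_07_00.Wdf
2009-07-15 14:20 1,024 a--sh--- c:\\program files\\common files\\system\\dbyitxf.inf
"""


@dataclass
class Finding:
    path: str
    reason: str


def parse_attrs(attrs: str) -> set:
    """Return the set of attribute letters that are set in a DDS flag field."""
    return {c.lower() for c in attrs if c != "-"}


def triage(dds_text: str) -> list:
    """Walk DDS 'Created Last 30' / 'Find3M' lines and return suspicious .inf entries."""
    findings = []
    for line in dds_text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, wrapped path fragments
        path = m["path"].strip()
        lower = path.lower()
        name = lower.rsplit("\\", 1)[-1]
        flags = parse_attrs(m["attrs"])
        is_dir = "d" in flags

        if name == "autorun.inf":
            if is_dir:
                # A hidden/system/read-only *directory* named autorun.inf is the
                # marker USB-vaccination tools create: it reserves the name so a
                # worm cannot drop a file called autorun.inf at the drive root.
                findings.append(Finding(path, "autorun.inf directory (likely inoculation marker)"))
            else:
                # A real autorun.inf file at a drive root is what Otorun-style
                # worms plant; its contents decide what runs on double-click.
                findings.append(Finding(path, "autorun.inf file at drive root"))
            continue

        if name.endswith(".inf") and not is_dir:
            if {"h", "s"} <= flags:
                # Legitimate driver INFs are neither hidden nor system.
                findings.append(Finding(path, "hidden+system .inf outside the driver store"))
            elif "\\windows\\inf\\" not in lower:
                findings.append(Finding(path, ".inf outside %SystemRoot%\\inf"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.reason:55} {f.path}")
```

Running it on the sample prints two lines: the autorun.inf directory note and the hidden+system dbyitxf.inf. Paste a full DDS log in place of `SAMPLE_DDS` and the same rules apply; the regex skips everything that is not a dated entry, including the path fragments DDS wraps onto a second line.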

#3 Maurice Naggar


    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 26 July 2009 - 02:07 PM

Hello "Severas" and welcome to BleepingComputer forums,

In case you are being helped elsewhere, then please let me know right away by replying here.

IF you are not being helped elsewhere, please DO proceed forward with these steps:

Your logs showed some peer-to-peer filesharing apps, like uTorrent. I do not recommend their use since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.
"File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

Good & bad P2P Programs
http://www.malwareremoval.com/p2pindex.php

I advise you de-install uTorrent before we get going, and then restart the system fresh.

Close all browsers and all other programs that you have started.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for this member only. If you are a casual observer, do NOT try this on your system!


If at any point, if you have a question or problem, STOP & make a post to the forum.
Also, do not run or start any other programs while these utilities and tools are in use!

Please do NOT run any other tools on your own or do any fixes other than what is listed here.

1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

=

Next, Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

=


Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.
  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.

    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

    DO keep the firewall on. But be sure BitDefender AV is temporarily OFF.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of the OK button.

IF you should see a message like this:
then be sure to write it down fully, also copy it into your next reply here, and then await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of the Sysclean log
and C:\Combofix.txt

Edited by Maurice Naggar, 26 July 2009 - 02:19 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
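Mal_Otorun1 is the generic name Trend Micro gives to autorun.inf-style files that launch another file, and post #2 reports two of them (dbyitxf.inf) that only became visible after protected operating system files were unhidden, the step described above. What makes such a file dangerous is its contents, so the parser below, an added example that is not code from the thread or from Trend Micro, reads an autorun.inf roughly the way Windows does (case-insensitive section and key names, comments and junk lines ignored) and reports which launch directives it carries and which Explorer verbs it hijacks. The two file bodies are constructed, since the thread never shows what dbyitxf.inf contained; `dropper.exe` and the RECYCLER path are invented placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Directives Windows honours from the [autorun] section that start a program.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... rewires the Explorer context-menu verbs; worms set
# open/explore/find so every way of opening the drive runs the dropper.
SHELL_CMD = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)

# Constructed sample in the style of a USB worm: mixed case, padding lines,
# every verb pointed at an invented dropper under an invented RECYCLER path.
WORM_SAMPLE = """\
[AutoRun]
;Fz3kQ9 padding
 OPEN = recycler\\s-1-5-21-0000\\dropper.exe
Shell\\Open\\Command=recycler\\s-1-5-21-0000\\dropper.exe
shell\\explore\\command=recycler\\s-1-5-21-0000\\dropper.exe
9u2h48f9h24g
ShellExecute=recycler\\s-1-5-21-0000\\dropper.exe
shell=open
UseAutoPlay=1
"""

# Constructed sample of a benign installer CD for comparison.
INSTALLER_SAMPLE = """\
[autorun]
open=setup.exe
icon=setup.exe,0
label=Product CD
"""


@dataclass
class AutorunReport:
    launch: list = field(default_factory=list)        # (key, target) pairs
    hijacked_verbs: set = field(default_factory=set)  # verbs with a command= override
    default_verb: Optional[str] = None                # value of shell=
    junk_lines: int = 0                               # non key=value lines in [autorun]


def parse_autorun(text: str) -> tuple:
    """Return ({lowercased key: value} from [autorun], count of junk lines)."""
    keys, junk, in_section = {}, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section:
            continue
        if "=" not in line:
            junk += 1  # padding inserted to break naive signatures
            continue
        k, v = line.split("=", 1)
        keys[k.strip().lower()] = v.strip()
    return keys, junk


def assess(text: str) -> AutorunReport:
    """Collect every directive that would run something and every hijacked verb."""
    keys, junk = parse_autorun(text)
    rep = AutorunReport(junk_lines=junk)
    for k, v in keys.items():
        if k in LAUNCH_KEYS:
            rep.launch.append((k, v))
        m = SHELL_CMD.match(k)
        if m:
            rep.hijacked_verbs.add(m.group(1).lower())
            rep.launch.append((k, v))
    rep.default_verb = keys.get("shell")
    return rep


def verdict(rep: AutorunReport) -> str:
    if rep.hijacked_verbs:
        return "hijacks Explorer verbs: " + ", ".join(sorted(rep.hijacked_verbs))
    if rep.launch:
        return "launches " + rep.launch[0][1]
    return "no launch directive"


if __name__ == "__main__":
    for label, body in (("worm-style", WORM_SAMPLE), ("installer", INSTALLER_SAMPLE)):
        rep = assess(body)
        print(f"{label}: {verdict(rep)} ({len(rep.launch)} launch directives, {rep.junk_lines} junk lines)")
```

An installer's autorun.inf usually has a single `open=` and an icon; a worm's sets `open`, `shellexecute` and several `shell\<verb>\command` entries to the same target so that double-clicking, right-click Open and right-click Explore all run it. The sysclean run in the thread failed to clean these files, which is the usual outcome for an .inf: it is a text file to delete, not an infected binary to disinfect.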

#4 Severas

  • Topic Starter

  • Members
  • 22 posts

Posted 26 July 2009 - 07:22 PM

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2009-2010, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2009-07-26, 15:24:12, Auto-clean mode specified.
2009-07-26, 15:24:12, Initialized Rootkit Driver version 1.6.0.1059.
2009-07-26, 15:24:12, Running scanner "C:\DCE\TSC.BIN"...
2009-07-26, 15:24:32, Scanner "C:\DCE\TSC.BIN" has finished running.
2009-07-26, 15:24:32, TSC Log:

Damage Cleanup Engine (DCE) 6.1 (Build 1027) (RCM: Version is too old, 1.6.0-1059)

Windows XP (Build 2600: Service Pack 3)

Start time: Sun Jul 26 2009 15:24:17

Load Damage Cleanup Template (DCT) "C:\DCE\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\DCE\tsc.ptn" (version 1050) [success]

Complete time: Sun Jul 26 2009 15:24:32

Execute pattern count (3061), Virus found count (0), Virus clean count (0), Clean failed count (0)


2009-07-26, 15:24:32, Running scanner "C:\DCE\VSCANTM.BIN"...
2009-07-26, 16:50:15, Scanner "C:\DCE\VSCANTM.BIN" has finished running.
2009-07-26, 16:50:15, VSCANTM Log:

2009-07-26, 16:50:15, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 7/26/2009 15:24:32
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 315 (467593/467593 Patterns) (2009/07/25) (631500)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\DCE\lpt$vpn.315

C:\Program Files\Common Files\Microsoft Shared\dbyitxf.inf [Mal_Otorun1]
C:\Program Files\Common Files\System\dbyitxf.inf [Mal_Otorun1]
155288 files have been read.
155288 files have been checked.
155095 files have been scanned.
364361 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/26/2009 16:50:14 1 hour 25 minutes 42 seconds (5141.97 seconds) has elapsed.(33.112 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-26, 16:50:15, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 7/26/2009 15:24:32
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 315 (467593/467593 Patterns) (2009/07/25) (631500)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\DCE\lpt$vpn.315

Fail to Clean [ Mal_Otorun1]( 1) from C:\Program Files\Common Files\Microsoft Shared\dbyitxf.inf
Fail to Clean [ Mal_Otorun1]( 1) from C:\Program Files\Common Files\System\dbyitxf.inf
155288 files have been read.
155288 files have been checked.
155095 files have been scanned.
364361 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/26/2009 16:50:14 1 hour 25 minutes 42 seconds (5141.97 seconds) has elapsed.(33.112 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-26, 16:50:15, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 7/26/2009 15:24:32
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 315 (467593/467593 Patterns) (2009/07/25) (631500)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\DCE\lpt$vpn.315

Fail to Clean [ Mal_Otorun1]( 1) from C:\Program Files\Common Files\Microsoft Shared\dbyitxf.inf
Fail to Clean [ Mal_Otorun1]( 1) from C:\Program Files\Common Files\System\dbyitxf.inf
155288 files have been read.
155288 files have been checked.
155095 files have been scanned.
364361 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/26/2009 16:50:14 1 hour 25 minutes 42 seconds (5141.97 seconds) has elapsed.(33.112 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-26, 16:50:15, Running scanner "C:\DCE\VSCANTM.BIN"...
2009-07-26, 17:23:03, Scanner "C:\DCE\VSCANTM.BIN" has finished running.
2009-07-26, 17:23:03, VSCANTM Log:

2009-07-26, 17:23:03, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 7/26/2009 16:50:16
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 315 (467593/467593 Patterns) (2009/07/25) (631500)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR D:\*.* /P=C:\DCE\lpt$vpn.315

17306 files have been read.
17306 files have been checked.
17305 files have been scanned.
101781 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/26/2009 17:23:03 32 minutes 46 seconds (1966.41 seconds) has elapsed.(113.626 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-26, 17:23:03, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 7/26/2009 16:50:16
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 315 (467593/467593 Patterns) (2009/07/25) (631500)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR D:\*.* /P=C:\DCE\lpt$vpn.315

17306 files have been read.
17306 files have been checked.
17305 files have been scanned.
101781 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/26/2009 17:23:03 32 minutes 46 seconds (1966.41 seconds) has elapsed.(113.626 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-26, 17:23:03, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 7/26/2009 16:50:16
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 315 (467593/467593 Patterns) (2009/07/25) (631500)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR D:\*.* /P=C:\DCE\lpt$vpn.315

17306 files have been read.
17306 files have been checked.
17305 files have been scanned.
101781 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/26/2009 17:23:03 32 minutes 46 seconds (1966.41 seconds) has elapsed.(113.626 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-26, 17:23:04, Running SSAPI scanner ""...
2009-07-26, 18:13:50, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 8.05
SSAPI Anti-Rootkit Version: 1.6.0.1059

Spyware Scan Started: 07/26/2009 17:23:07

Detected: 0 items.

Spyware Scan Ended: 07/26/2009 18:13:50
Scan Complete. Time=3045.520020.


ComboFix 09-07-25.08 - HP_Administrator 26/07/2009 18:53.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.932.81.1033.18.2046.1256 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\RenamedCF.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\201826.msi
c:\windows\Installer\201829.msi
c:\windows\kb913800.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-26 to 2009-07-26 )))))))))))))))))))))))))))))))
.

2009-07-26 19:14 . 2009-07-26 22:46 -------- d-----w- C:\DCE
2009-07-26 19:10 . 2009-07-26 19:10 -------- d-----w- c:\program files\ERUNT
2009-07-23 02:48 . 2009-07-23 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-23 02:47 . 2009-07-23 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-07-21 19:24 . 2009-07-21 19:27 -------- d-----w- c:\program files\MKVtoolnix
2009-07-21 03:44 . 2008-10-02 04:13 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-07-18 05:44 . 2009-07-26 19:09 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-18 05:34 . 2009-07-18 05:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-18 05:34 . 2009-07-18 05:34 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-18 05:34 . 2009-07-18 05:37 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-18 05:34 . 2009-07-18 05:34 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-18 05:34 . 2009-07-26 21:47 -------- d-----w- c:\windows\system32\drivers\Avg
2009-07-18 05:34 . 2009-07-18 05:34 -------- d-----w- c:\program files\AVG
2009-07-18 05:34 . 2009-07-18 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-16 17:39 . 2009-07-16 19:36 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-16 17:23 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-16 17:23 . 2009-07-16 17:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-16 17:23 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-16 05:23 . 2009-07-16 05:23 -------- d-----w- c:\program files\Trend Micro
2009-07-15 21:14 . 2009-07-16 17:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-15 20:13 . 2009-07-15 20:13 -------- d-----w- c:\documents and settings\HP_Administrator\DoctorWeb
2009-07-15 19:11 . 2009-07-15 19:11 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-07-15 19:11 . 2009-07-15 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-15 18:16 . 2009-07-15 18:16 1878984 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-07-15 16:46 . 2009-07-15 16:46 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Blizzard Entertainment
2009-07-14 03:46 . 2009-07-14 03:46 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Bouh2
2009-07-12 05:57 . 2008-03-21 17:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-07-12 05:54 . 2008-05-02 10:49 62976 ------w- c:\windows\system32\dllcache\cdrom.sys
2009-07-12 05:54 . 2008-05-02 13:25 465920 ------w- c:\windows\system32\imapi2fs.dll
2009-07-12 05:54 . 2008-05-02 13:25 465920 ------w- c:\windows\system32\dllcache\imapi2fs.dll
2009-07-12 05:54 . 2008-05-02 13:25 317952 ------w- c:\windows\system32\imapi2.dll
2009-07-12 05:54 . 2008-05-02 13:25 317952 ------w- c:\windows\system32\dllcache\imapi2.dll
2009-06-29 00:31 . 2009-06-29 00:31 -------- d-----w- c:\program files\Ventrilo
2009-06-27 02:57 . 2009-06-27 02:57 -------- d-----w- c:\program files\Activision

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 19:09 . 2008-08-09 14:50 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\uTorrent
2009-07-26 18:39 . 2009-03-05 20:17 1 ----a-w- c:\documents and settings\HP_Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-21 01:54 . 2008-08-09 16:06 -------- d-----w- c:\program files\World of Warcraft
2009-07-20 15:24 . 2008-08-09 18:32 -------- d-----w- c:\program files\Orbitdownloader
2009-07-20 04:02 . 2008-08-09 15:40 -------- d-----w- c:\program files\Diablo II
2009-07-18 05:45 . 2009-03-26 03:51 -------- d-----w- c:\program files\PurgeIE
2009-07-16 17:38 . 2008-08-09 20:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-16 17:21 . 2009-02-12 00:04 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-07-13 02:08 . 2009-07-13 02:08 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-07-13 02:08 . 2009-07-13 02:08 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-07-13 02:07 . 2009-07-13 02:07 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-07-12 05:57 . 2009-07-12 05:57 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-07-12 05:57 . 2009-07-12 05:57 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-07-11 20:30 . 2008-08-09 19:21 -------- d-----w- c:\program files\Messenger Plus! Live
2009-07-11 16:07 . 2008-08-10 17:53 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\LimeWire
2009-07-11 04:04 . 2008-08-09 15:26 -------- d-----w- c:\program files\Starcraft
2009-07-11 01:08 . 2008-08-09 15:30 -------- d-----w- c:\program files\Warcraft III
2009-07-07 20:17 . 2009-04-15 13:38 -------- d-----w- c:\program files\Curse
2009-06-27 03:11 . 2006-11-19 05:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-26 13:29 . 2009-01-18 19:25 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\mIRC
2009-06-26 13:19 . 2009-01-18 19:25 -------- d-----w- c:\program files\mIRC
2009-06-21 03:17 . 2006-11-19 04:59 -------- d-----w- c:\program files\Java
2009-06-21 03:16 . 2009-06-21 03:16 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-16 14:36 . 2004-08-10 04:00 81920 ------w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 04:00 119808 ------w- c:\windows\system32\t2embed.dll
2009-06-05 22:30 . 2009-06-05 22:30 -------- d-----w- c:\program files\Realtek
2009-06-03 19:09 . 2004-08-10 04:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-21 15:33 . 2008-12-08 16:16 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-13 14:50 . 2009-05-13 14:50 12862 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{0E2B767B-EA6A-489B-BF83-8083FE1DB661}\_1EEFFF72773535163E4216.exe
2009-05-07 15:32 . 2004-08-10 04:00 345600 ------w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-10 04:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 04:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-22 06:22 . 2008-08-09 14:45 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-03-05 22:08 . 2009-04-25 01:56 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-01-12 11:03 . 2008-08-07 21:42 22 --sha-w- c:\windows\SMINST\HPCD.SYS
.

------- Sigcheck -------

[-] 2005-03-14 08:17 359936 6129E70F3D2F1E60860C930EBEAF92C2 c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-08-09 18:40 360320 3ADCE4790F591BF160A94F6F08039577 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-04-14 04:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
[-] 2008-09-21 23:49 361600 D24EA301E2B36C4E975FD216CA85D8E7 c:\windows\system32\dllcache\TCPIP.SYS
[-] 2008-09-21 23:49 361600 D24EA301E2B36C4E975FD216CA85D8E7 c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"c:\program files\NetMeter\NetMeter.exe"="c:\program files\NetMeter\NetMeter.exe" [2007-08-11 331264]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-07-03 288048]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-09 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"D-Link AirPremier AG DWL-AG132 Utility"="c:\program files\D-Link\AirPremier AG DWL-AG132 Utility\AirPMCFG.exe" [2007-11-12 1732608]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-18 1948440]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-12-26 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-03 18085888]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-11-19 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-11-19 27136]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-11-19 27136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-18 05:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Product Registration.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\Product Registration.lnk
backup=c:\windows\pss\Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Documents and Settings\\HP_Administrator\\My Documents\\utorrent.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"5353:TCP"= 5353:TCP:Adobe CSI CS4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [18/07/2009 1:34 AM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18/07/2009 1:34 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/06/2009 11:01 AM 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [18/07/2009 1:34 AM 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [18/07/2009 1:34 AM 298776]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [08/03/2005 12:50 PM 377920]
S3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [08/03/2005 12:53 PM 43392]
S3 NetHook_ControlCenter;ArtOfPing ControlCenter;\??\c:\program files\AutoTunnel GG\ControlCenter.sys --> c:\program files\AutoTunnel GG\ControlCenter.sys [?]
S3 NetHook_Interceptor;ArtOfPing TDI Interceptor;\??\c:\program files\AutoTunnel GG\Interceptor.sys --> c:\program files\AutoTunnel GG\Interceptor.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [02/08/2005 5:10 PM 32512]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 11:01 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-07-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=64&bd=PAVILION&pf=desktop
mStart Page = about:blank
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\41i7ssdx.default\
FF - prefs.js: browser.search.selectedEngine - Orbit Search (Powered By Google)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 18:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3167695216-313869633-1967627850-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\]0n0アT0・k0O0a0e0Q0・*0B0j0_0・}YM0j0x^[0]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Order"=hex:08,00,00,00,02,00,00,00,26,01,00,00,01,00,00,00,02,00,00,00,80,00,
00,00,00,00,00,00,72,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,60,00,36,\

[HKEY_USERS\S-1-5-21-3167695216-313869633-1967627850-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\・・ケ0\*乗Y6P}i關D*L*Hr]
"Order"=hex:08,00,00,00,02,00,00,00,08,01,00,00,01,00,00,00,02,00,00,00,7c,00,
00,00,00,00,00,00,6e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5c,00,32,\

[HKEY_USERS\S-1-5-21-3167695216-313869633-1967627850-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\U[・&ォ0ホ0 *^B0n0Zh0・ヨ0・ヨ0U[|0f0'`;m^]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Order"=hex:08,00,00,00,02,00,00,00,50,01,00,00,01,00,00,00,02,00,00,00,a2,00,
00,00,00,00,00,00,94,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,82,00,36,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-07-26 19:01
ComboFix-quarantined-files.txt 2009-07-26 23:01

Pre-Run: 18,193,813,504 bytes free
Post-Run: 18,103,070,720 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=,1,2,3,4
258 --- E O F --- 2009-07-15 19:06

#5 Maurice Naggar

Malware Response Team

Posted 27 July 2009 - 02:58 AM

Place your USB flash drives in-place so that some of these programs will be able to find them.

I'm going to have you get and run two utilities.
The first stops automatic use of the AutoRun feature of XP. The second writes a read-only, system-protected Autorun.inf to all of your hard drives and to all connected removable storage devices.

Download and Install Microsoft's TweakUI:
http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx
Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.
Expand the My Computer branch, then the AutoPlay branch, and then select Drives.
Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
http://download.bleepingcomputer.com/sUBs/...Disinfector.exe
There is no GUI interface or log file produced.
=

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
     C:\Program Files\Common Files\Microsoft Shared\dbyitxf.inf
     C:\Program Files\Common Files\System\dbyitxf.inf
     C:\recycler
     D:\recycler
     e:\recycler
     f:\recycler
     g:\recycler
     h:\recycler
     
     :Commands
     [purity]
     [emptytemp]
     [reboot]
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine, choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, enter *.log in the File Name box and press Enter, navigate to the C:\_OTL\MovedFiles folder, open the newest .log file present, and copy/paste its contents back here in your next post.
=

Using Internet Explorer browser only, go to ESET Online Scanner website:
http://www.eset.com/onlinescan/
  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
Look at contents of this file using Notepad or Wordpad.

The Frequently Asked Questions for ESET Online Scanner can be viewed here
http://www.eset.com/onlinescan/cac4.php?page=faq
  • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
    Otherwise the scan will take twice as long:
    every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
  • It is emphasized that you temporarily disable any PC-resident (active) antivirus program prior to any on-line scan by any on-line scanner,
    and promptly re-enable it when finished.
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
Reply with a copy of the ESET scan log
and tell me, how is your system now?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

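The two steps described in the post above (stop AutoRun by policy, then plant a protected Autorun.inf on every volume) as a script, added here as an example; it is not Flash Disinfector's, TweakUI's or the thread's own code. It assumes Windows PowerShell (2.0 or later, for Get-WmiObject) run from an elevated prompt, sets the NoDriveTypeAutoRun policy value (0xFF disables AutoRun for every drive type; 0xDF leaves CD/DVD AutoPlay on, matching the TweakUI step), and names the reserved-device subfolder "lpt3.autorun-guard", which is my choice; the real tool uses the name that appears in the RootRepeal output later in this thread. The HonorAutorunSetting check refers to Microsoft update 967715.

```powershell
# Added example, not code from the thread or from the tools it recommends.
# Disables AutoRun by policy and plants a protected autorun.inf directory on each
# fixed and removable volume. Run from an elevated Windows PowerShell prompt.
param(
    # 0xFF = no AutoRun on any drive type; 0xDF keeps CD/DVD AutoPlay (bit 0x20 clear).
    [uint32]$PolicyMask = 0xFF,
    # Win32_LogicalDisk.DriveType: 2 = removable, 3 = fixed (assumed set; add 4 for network).
    [int[]]$DriveTypes  = @(2, 3)
)

$policyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$reservedName = 'lpt3.autorun-guard'   # assumed name; any "lpt3.<text>" works

function Set-AutoRunPolicy {
    param([uint32]$Mask)
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    # Machine-wide policy; a per-user copy under HKCU is honoured as well but not set here.
    New-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -PropertyType DWord `
                     -Value $Mask -Force | Out-Null
    # Per Microsoft KB967715: XP only honours NoDriveTypeAutoRun reliably once that
    # update is installed; the update records HonorAutorunSetting = 1 under this key.
    $honor = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).HonorAutorunSetting
    if ($honor -ne 1) {
        Write-Warning 'HonorAutorunSetting is not 1: on XP install update 967715 or the policy may be ignored.'
    }
}

function Protect-Volume {
    param([string]$Root)                  # e.g. 'E:\'
    $inf = Join-Path $Root 'autorun.inf'
    if ([System.IO.File]::Exists($inf)) {
        # A worm-planted autorun.inf is normally +h +s +r. Keep it for analysis rather
        # than deleting it: clear the attributes, then rename it out of the way.
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        [System.IO.File]::SetAttributes($inf, [System.IO.FileAttributes]::Normal)
        [System.IO.File]::Move($inf, "$inf.$stamp.quarantined")
        Write-Warning "$Root had an autorun.inf file; renamed to autorun.inf.$stamp.quarantined for inspection."
    }
    if (-not [System.IO.Directory]::Exists($inf)) {
        # The \\?\ prefix bypasses Win32 name parsing, so a sub-directory whose name
        # starts with a reserved device name (LPT3) can be created. Ordinary API calls,
        # and therefore an autorun worm, cannot open, delete or replace it afterwards.
        # cmd's mkdir creates the intermediate autorun.inf directory as well.
        $null = & cmd.exe /c mkdir "\\?\$inf\$reservedName"
    }
    & attrib.exe +r +s +h $inf | Out-Null    # read-only, system, hidden, as the post describes
    return [System.IO.Directory]::Exists($inf)
}

Set-AutoRunPolicy -Mask $PolicyMask
$volumes = Get-WmiObject Win32_LogicalDisk | Where-Object { $DriveTypes -contains [int]$_.DriveType }
foreach ($v in $volumes) {
    $ok = Protect-Volume -Root ($v.DeviceID + '\')
    Write-Host ('{0} protected: {1}' -f $v.DeviceID, $ok)
}
```

After running it, a RootRepeal scan should list C:\autorun.inf\lpt3.… as "Locked to the Windows API!", exactly as the log later in this thread shows; that is the intended state, not an infection. Removing the guard again needs the same prefix trick (cmd /c rd /s /q "\\?\C:\autorun.inf"). Any pre-existing autorun.inf file is renamed rather than deleted so it can be submitted to an AV vendor.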
#6 Severas

Topic Starter

Posted 27 July 2009 - 11:14 AM

Here's the first log... running the 2nd scan now.

All processes killed
========== FILES ==========
C:\Program Files\Common Files\Microsoft Shared\dbyitxf.inf moved successfully.
C:\Program Files\Common Files\System\dbyitxf.inf moved successfully.
C:\RECYCLER\S-1-5-21-3167695216-313869633-1967627850-1007 moved successfully.
C:\RECYCLER moved successfully.
File\Folder D:\recycler not found.
File\Folder e:\recycler not found.
File\Folder f:\recycler not found.
File\Folder g:\recycler not found.
File\Folder h:\recycler not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: HP_Administrator
->Temp folder emptied: 231426 bytes
->Temporary Internet Files folder emptied: 327525 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 120726770 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32835 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\msdownld.tmp folder deleted successfully.
C:\WINDOWS\NV17763268.TMP folder deleted successfully.
C:\WINDOWS\NV19723876.TMP folder deleted successfully.
C:\WINDOWS\NV20722084.TMP folder deleted successfully.
C:\WINDOWS\NV38241780.TMP folder deleted successfully.
C:\WINDOWS\NV8521084.TMP folder deleted successfully.
%systemroot% .tmp files removed: 18186421 bytes
%systemroot%\System32 .tmp files removed: 156094317 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 281.97 mb


OTL by OldTimer - Version 3.0.10.3 log created on 07272009_112455

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

EDIT:
I'm running RootRepeal, and two files show up as locked to the Windows API. The file name is too long, and I'm unable to delete it. It's past the 255 character limit, and I'm not sure how I can delete it.

As well as that, is there a way I can reduce my load time on Windows? It takes me like 3-5 minutes once I logon for things to operate smoothly.

Also, I can't boot into safe mode. It asks me to cancel loading sptd.sys and d347bus.sys. Would you know how I could go about fixing this?

Edited by Severas, 27 July 2009 - 11:36 AM.


#7 Maurice Naggar

Malware Response Team

Posted 27 July 2009 - 11:44 AM

First, do not do any deletes or changes on your own. The same applies to running tools.
Do the ones I asked for, please.

Once we are fairly confident we have removed the malware, I may offer advice on how to reduce program startup loads.
Keep in mind I am not online all day.
I'll be able to review your reports this evening.

If you have (already) a log from RootRepeal, see about copying & pasting a copy into a reply.
In the worst case, if you can't copy, do an attachment.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#8 Severas

Topic Starter

Posted 27 July 2009 - 12:11 PM

I'm still running ESET Online Scan. The only tool I've run so far is RootRepeal.

Here's the log.

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/07/27 11:51
Program Version: Version 1.3.2.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB661E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA60C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP6462
Image Path: \Driver\PCI_PNP6462
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB3A67000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spwu.sys
Image Path: spwu.sys
Address: 0xB9EA7000 Size: 1048576 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Transformers - Revenge Of The Fallen (All Covers) (2009) (320kbps) (mrsjs)\Transformers - Revenge Of The Fallen (2009) (mrsjs)\00. Linkin Park - www.music.pbtone.com - Transformers - Revenge Of The Fallen - www.music.pbtone.com.m3u
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Transformers - Revenge Of The Fallen (All Covers) (2009) (320kbps) (mrsjs)\Transformers - Revenge Of The Fallen (2009) (mrsjs)\00. Linkin Park - www.music.pbtone.com - Transformers - Revenge Of The Fallen - www.music.pbtone.com.sfv
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\41i7ssdx.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Path: c:\documents and settings\hp_administrator\local settings\application data\mozilla\firefox\profiles\41i7ssdx.default\cache\_cache_001_
Status: Size mismatch (API: 138413, Raw: 136607)

Path: c:\documents and settings\hp_administrator\local settings\application data\mozilla\firefox\profiles\41i7ssdx.default\cache\_cache_002_
Status: Size mismatch (API: 136244, Raw: 134380)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spwu.sys" at address 0xb9ea80e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spwu.sys" at address 0xb9ec6ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spwu.sys" at address 0xb9ec7030

#: 119 Function Name: NtOpenKey
Status: Hooked by "spwu.sys" at address 0xb9ea80c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spwu.sys" at address 0xb9ec7108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spwu.sys" at address 0xb9ec6f88

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spwu.sys" at address 0xb9ec719a

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x8993c1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x8993c1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x8993c1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x8993c1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8993c1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8993c1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x8993c1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x8993c1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8993c1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8993c1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8993c1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8993c1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8993c1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8993c1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8993c1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8993c1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x8993c1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x8993c1f8 Address: 121

Object: Hidden Code [Driver: akka3y9rȅ瑎䥆헠㷨〈ᒸ, IRP_MJ_CREATE]
Process: System Address: 0x8a35b500 Address: 121

Object: Hidden Code [Driver: akka3y9rȅ瑎䥆헠㷨〈ᒸ, IRP_MJ_CLOSE]
Process: System Address: 0x8a35b500 Address: 121

Object: Hidden Code [Driver: akka3y9rȅ瑎䥆헠㷨〈ᒸ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a35b500 Address: 121

Object: Hidden Code [Driver: akka3y9rȅ瑎䥆헠㷨〈ᒸ, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a35b500 Address: 121

Object: Hidden Code [Driver: akka3y9rȅ瑎䥆헠㷨〈ᒸ, IRP_MJ_POWER]
Process: System Address: 0x8a35b500 Address: 121

Object: Hidden Code [Driver: akka3y9rȅ瑎䥆헠㷨〈ᒸ, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a35b500 Address: 121

Object: Hidden Code [Driver: akka3y9rȅ瑎䥆헠㷨〈ᒸ, IRP_MJ_PNP]
Process: System Address: 0x8a35b500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a67b500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a67b500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a67b500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a67b500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a67b500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a67b500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a67b500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a67b500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a67b500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a67b500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a67b500 Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System Address: 0x8993f1f8 Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System Address: 0x8993f1f8 Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System Address: 0x8993f1f8 Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System Address: 0x8993f1f8 Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8993f1f8 Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8993f1f8 Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System Address: 0x8993f1f8 Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8993f1f8 Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System Address: 0x8993f1f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8a7741f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8a7741f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8a7741f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8a7741f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a7741f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7741f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a7741f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a7741f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8a7741f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a7741f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8a7741f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x8a7791f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x8a7791f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7791f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a7791f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x8a7791f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a7791f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x8a7791f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8a7751f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8a7751f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8a7751f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a7751f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7751f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a7751f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a7751f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8a7751f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8a7751f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a7751f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8a7751f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8a33d1f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8a33d1f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a33d1f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a33d1f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8a33d1f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8a33d1f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a713500 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a713500 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a713500 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a713500 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a713500 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a713500 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a713500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x899611f8 Address: 121

Object: Hidden Code [Driver: Cdfsࠅᰇ造襑㎐䂨㭨, IRP_MJ_CREATE]
Process: System Address: 0x898fc1f8 Address: 121

Object: Hidden Code [Driver: Cdfsࠅᰇ造襑㎐䂨㭨, IRP_MJ_CLOSE]
Process: System Address: 0x898fc1f8 Address: 121

Object: Hidden Code [Driver: Cdfsࠅᰇ造襑㎐䂨㭨, IRP_MJ_READ]
Process: System Address: 0x898fc1f8 Address: 121

Object: Hidden Code [Driver: Cdfsࠅᰇ造襑㎐䂨㭨, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x898fc1f8 Address: 121

Object: Hidden Code [Driver: Cdfsࠅᰇ造襑㎐䂨㭨, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x898fc1f8 Address: 121

Object: Hidden Code [Driver: Cdfsࠅᰇ造襑㎐䂨㭨, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x898fc1f8 Address: 121

Object: Hidden Code [Driver: Cdfsࠅᰇ造襑㎐䂨㭨, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x898fc1f8 Address: 121

Object: Hidden Code [Driver: Cdfsࠅᰇ造襑㎐䂨㭨, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x898fc1f8 Address: 121

Object: Hidden Code [Driver: Cdfsࠅᰇ造襑㎐䂨㭨, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x898fc1f8 Address: 121

Object: Hidden Code [Driver: Cdfsࠅᰇ造襑㎐䂨㭨, IRP_MJ_SHUTDOWN]
Process: System Address: 0x898fc1f8 Address: 121

Object: Hidden Code [Driver: Cdfsࠅᰇ造襑㎐䂨㭨, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x898fc1f8 Address: 121

Object: Hidden Code [Driver: Cdfsࠅᰇ造襑㎐䂨㭨, IRP_MJ_CLEANUP]
Process: System Address: 0x898fc1f8 Address: 121

Object: Hidden Code [Driver: Cdfsࠅᰇ造襑㎐䂨㭨, IRP_MJ_PNP]
Process: System Address: 0x898fc1f8 Address: 121

==EOF==


Here's the ESET Online Scan Log:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=3a6f22049948e442bec39043f230534f
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-07-27 05:21:30
# local_time=2009-07-27 01:21:30 (-0500, Eastern Daylight Time)
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1026 37 83 95 8198430000000
# scanned=296766
# found=9
# cleaned=9
# scan_time=5736
C:\Program Files\bootUP\ANEIMO2\reg.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\07272009_112455\Program Files\Common Files\Microsoft Shared\dbyitxf.inf INF/Autorun.gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\07272009_112455\Program Files\Common Files\System\dbyitxf.inf INF/Autorun.gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\I386\APPS\APP18358\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
D:\I386\APPS\APP18358\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP186\A0040367.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP186\A0040368.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
L:\vcspaiu.exe probably a variant of Win32/Delf.NDF worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
L:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP186\A0040369.exe probably a variant of Win32/Delf.NDF worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Edited by Severas, 27 July 2009 - 12:25 PM.
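The RootRepeal output in the post above runs to one "Hidden Code" record per patched IRP dispatch entry, and at that length the two things a responder actually needs are easy to miss: every file-system, storage and network driver (Ntfs, Fastfat, Cdfs, Cdrom, usbstor, dmio, Ftdisk, usbohci, usbehci, NetBT, MRxSmb) is patched with the same number on every record, and one of the hooked drivers has a random eight-character name followed by non-ASCII characters. The script below is an added example for this thread and is not code from RootRepeal, DDS or any post here; it parses that two-line record format, groups the records per driver and flags the outliers. Two assumptions are made for the example: the KNOWN_DRIVERS allowlist is a short, incomplete list of stock XP drivers, and the second number on each "Process:" line (labelled "Address" in the pasted log) is treated as the hook size.

```python
"""Triage of a RootRepeal "Hidden Code" report.

Added example for this thread, not part of RootRepeal, DDS or any post above.
Each record is two lines: the driver and IRP major whose dispatch entry is
patched, then the process, the address of the code and a second number.  The
second number is kept as `size` on the assumption that it is the hook length
RootRepeal reports (the pasted log labels it "Address").  KNOWN_DRIVERS is an
assumed, deliberately short allowlist of stock XP drivers.
"""
import re
from collections import defaultdict

OBJECT_RE = re.compile(
    r"^Object:\s+Hidden Code\s+\[Driver:\s*(?P<driver>.+?),\s*(?P<irp>IRP_MJ_\w+)\]$")
PROCESS_RE = re.compile(
    r"^Process:\s+(?P<process>\S+)\s+Address:\s+(?P<addr>0x[0-9A-Fa-f]+)\s+\w+:\s+(?P<size>\d+)$")

KNOWN_DRIVERS = {"ntfs", "fastfat", "cdfs", "cdrom", "usbstor", "dmio", "ftdisk",
                 "usbohci", "usbehci", "netbt", "mrxsmb", "disk", "atapi", "tcpip"}

# Two names as the report prints them: an eight-character random name and a
# stock driver, both followed by non-ASCII characters.
RANDOM_DRIVER = "akka3y9r\u0205\u7411\u4946\ud7e0\u3de8\u3008\u14b8"
CDFS_DRIVER = "Cdfs\u0805\u1c07\u9020\u8951\u3390\u40a8\u3b68"

# Constructed sample: six records in the report's format.
SAMPLE_LOG = f"""\
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a76f1f8 Address: 121

Object: Hidden Code [Driver: {RANDOM_DRIVER}, IRP_MJ_CREATE]
Process: System Address: 0x8a35b500 Address: 121

Object: Hidden Code [Driver: {RANDOM_DRIVER}, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a35b500 Address: 121

Object: Hidden Code [Driver: {CDFS_DRIVER}, IRP_MJ_CREATE]
Process: System Address: 0x898fc1f8 Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System Address: 0x8993f1f8 Address: 121

==EOF==
"""


def parse_hidden_code(text):
    """One dict per record: driver, irp, process, address (int), size (int)."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = OBJECT_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = PROCESS_RE.match(line)
        if m and pending is not None:
            pending.update(process=m["process"], address=int(m["addr"], 16),
                           size=int(m["size"]))
            records.append(pending)
            pending = None
    return records


def ascii_prefix(name):
    """Readable part of a driver name: everything before the first non-ASCII char."""
    return re.match(r"[\x20-\x7e]*", name).group(0)


def driver_flags(name):
    flags = []
    if not name.isascii():
        flags.append("non-ascii-name")   # check the name against the loaded-module list
    if ascii_prefix(name).lower() not in KNOWN_DRIVERS:
        flags.append("unknown-driver")   # random-looking names go to the top of the pile
    return flags


def triage(records):
    """Group records per driver: sorted IRP majors, code addresses, sizes, flags."""
    per = defaultdict(lambda: {"irps": set(), "addresses": set(), "sizes": set()})
    for r in records:
        per[r["driver"]]["irps"].add(r["irp"])
        per[r["driver"]]["addresses"].add(r["address"])
        per[r["driver"]]["sizes"].add(r["size"])
    return {name: {"irps": sorted(d["irps"]), "addresses": sorted(d["addresses"]),
                   "sizes": sorted(d["sizes"]), "flags": driver_flags(name)}
            for name, d in per.items()}


def summary(report):
    """What a responder reports back: breadth of the hooking and the outliers."""
    sizes = {s for d in report.values() for s in d["sizes"]}
    return {"drivers_hooked": len(report),
            "entries_hooked": sum(len(d["irps"]) for d in report.values()),
            "uniform_hook_size": len(sizes) == 1,   # one implant, one stub everywhere
            "flagged": sorted(n for n, d in report.items() if d["flags"])}


if __name__ == "__main__":
    report = triage(parse_hidden_code(SAMPLE_LOG))
    for name, d in report.items():
        print(f"{ascii_prefix(name):10s} {len(d['irps'])} IRP(s) at "
              f"{', '.join(hex(a) for a in d['addresses'])} {d['flags']}")
    s = summary(report)
    print(s["drivers_hooked"], "drivers,", s["entries_hooked"], "entries, flagged:",
          [ascii_prefix(n) for n in s["flagged"]])
```

Run it against the full pasted report instead of SAMPLE_LOG and the summary is the point: a dozen drivers hooked at once with the same size on every record is the signature of a single kernel-mode implant rather than a dozen unrelated problems, and the flagged random-name driver is where to start.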


#9 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 27 July 2009 - 01:05 PM

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
=

Try to see about restarting the system in Normal mode. If that is not usable, reboot and restart in "Safe mode with Networking".

Close any other program that you opened. Do not run (start) anything else on this pc while it is running the scan.

Now then, Scan the system with the Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner


Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Reenable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

1) Click the Kaspersky Online Scanner button. You'll see a popup window.
2) Accept the agreement.
3) Accept the installation of the required ActiveX object (XP SP2-SP3 will show this in the Information Bar).
4) For XP SP2-SP3, click the Install button when prompted.
5) The necessary files will be downloaded and installed. Please have plenty of patience.
6) After the Kaspersky AntiVirus Database is updated, look at the Scan box.
7) Click the My Computer line.
8) Be infinitely patient; the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware.

9) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

(To see an animated how-to tutorial on the scan, see >>this link<<.)

Re-enable your antivirus program after Kaspersky has finished.
Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM or other tools. Kaspersky is report-only and does not remove files.

Next, do a new DDS run (as per original post)

Post back with copies of the Kaspersky.txt report and the new DDS report-log.
How is your system now?
And tell me, what is your L drive on this system?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#10 Severas

  • Topic Starter
  • Members
  • 22 posts

Posted 27 July 2009 - 01:32 PM

Do I restart the computer in Safe mode? Or normal mode?

L: drive is my portable 250Gig flash drive. K: drive is my 500Gig external hard drive.

Edited by Severas, 27 July 2009 - 01:35 PM.


#11 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 27 July 2009 - 02:47 PM

Restart in Normal mode and remain in normal mode, unless specifically stated otherwise.
Plug in your K & L drives so that they are scanned on the next scans, too.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#12 Severas

  • Topic Starter
  • Members
  • 22 posts

Posted 27 July 2009 - 02:48 PM

Okay, I've been in Normal mode the whole time.

The drives have been plugged in since being asked to do the Flash Disinfector.

Kaspersky Online Scan is still going and 8% done 23 minutes in.

Edited by Severas, 27 July 2009 - 02:49 PM.
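Severas mentions above that the K and L drives were plugged in for Flash Disinfector. The protection that tool leaves behind is the entry the later DDS log shows as "<DIR> a-dshr-- C:\autorun.inf": the name autorun.inf at each drive root is occupied by a hidden, system, read-only directory, so a removable-media worm can no longer write its own autorun.inf there. That is exactly the pair the ESET log in this thread flagged, INF/Autorun.gen files plus the L:\vcspaiu.exe they would launch. The code below is an added example for this thread and is not code from any post, from Flash Disinfector or from ESET: it parses an autorun.inf the way AutoRun reads it (the [autorun] section's open=, shellexecute= and shell\verb\command= keys name what gets run), classifies the file as a launcher or as cosmetic, recognizes the directory placeholder, and shows the placeholder blocking a write. The two autorun.inf texts are constructed for the example; nothing about the real contents of the files ESET removed is assumed.

```python
r"""Autorun.inf triage: a worm's launcher versus the protective placeholder.

Added example for this thread; not code from any post here, from Flash
Disinfector or from ESET.  AutoRun reads the [autorun] section at a drive
root, and the open=, shellexecute= and shell\<verb>\command= keys name what it
runs; a removable-media worm drops its executable next to such a file.  The
defence applied in this thread is to occupy the name autorun.inf on every
drive with a hidden+system+read-only directory, which is what the
"<DIR> a-dshr-- C:\autorun.inf" entry in the DDS log looks like.  The two
autorun.inf texts below are constructed; vcspaiu.exe is only the file name
ESET flagged on L:\ above.
"""
import re
import sys
import tempfile
from pathlib import Path

LAUNCH_KEYS = {"open", "shellexecute"}                       # keys that run a program
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")   # shell\open\command etc.


def parse_autorun_inf(text):
    """Minimal INI reader: {section: {key: value}}, sections and keys lower-cased
    (the Windows parser is case-insensitive), ';' comment lines skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(sections):
    """(key, program) pairs the [autorun] section would execute."""
    return [(k, v) for k, v in sections.get("autorun", {}).items()
            if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]


def classify_autorun_text(text):
    """'launcher' if anything would be executed, else 'benign' (icon/label only)."""
    return "launcher" if launch_targets(parse_autorun_inf(text)) else "benign"


def triage_autorun_path(root):
    """State of autorun.inf at a drive root: absent / protected / launcher / benign."""
    p = Path(root) / "autorun.inf"
    if not p.exists():
        return "absent"
    if p.is_dir():          # the placeholder: a directory cannot be parsed as INI
        return "protected"
    return classify_autorun_text(p.read_text(errors="replace"))


def make_placeholder(root):
    """Create the autorun.inf directory with the attributes the DDS log shows
    (hidden, system, read-only; set via Win32 on Windows, plain dir elsewhere)."""
    p = Path(root) / "autorun.inf"
    p.mkdir(exist_ok=True)
    if sys.platform == "win32":
        import ctypes
        READONLY, HIDDEN, SYSTEM = 0x1, 0x2, 0x4
        ctypes.windll.kernel32.SetFileAttributesW(str(p), READONLY | HIDDEN | SYSTEM)
    return p


def demo_placeholder():
    """Round trip on a scratch root: absent -> protected, then the 'worm' fails
    to drop its file.  Returns (before, after, worm_file_written)."""
    with tempfile.TemporaryDirectory() as root:
        before = triage_autorun_path(root)
        placeholder = make_placeholder(root)
        after = triage_autorun_path(root)
        try:
            placeholder.write_text(WORM_AUTORUN)   # what the worm tries to do
            written = True
        except OSError:                            # IsADirectoryError / PermissionError
            written = False
        if sys.platform == "win32":                # let TemporaryDirectory clean up
            import ctypes
            ctypes.windll.kernel32.SetFileAttributesW(str(placeholder), 0x80)
        return before, after, written


# Constructed samples: a worm-style launcher and a cosmetic-only file.
WORM_AUTORUN = """\
[AutoRun]
open=vcspaiu.exe
shellexecute=vcspaiu.exe
shell\\open\\command=vcspaiu.exe
shell\\explore\\command=vcspaiu.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

BENIGN_AUTORUN = """\
; branding only, nothing is executed
[autorun]
icon=photos.ico
label=Holiday photos
"""

if __name__ == "__main__":
    print("worm   :", classify_autorun_text(WORM_AUTORUN),
          launch_targets(parse_autorun_inf(WORM_AUTORUN)))
    print("benign :", classify_autorun_text(BENIGN_AUTORUN))
    print("placeholder round trip:", demo_placeholder())
```

The placeholder only stops the worm from re-creating autorun.inf; it does nothing about an executable already sitting on the drive, which is why the scans in this thread still had to remove L:\vcspaiu.exe and the restore-point copies separately.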


#13 Severas

  • Topic Starter
  • Members
  • 22 posts

Posted 27 July 2009 - 07:04 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, July 27, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, July 27, 2009 21:14:04
Records in database: 2555466
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan statistics:
Files scanned: 296200
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 04:14:31


File name / Threat name / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1

The selected area was scanned.




DDS (Ver_09-06-26.01) - NTFSx86
Run by HP_Administrator at 22:17:40.81 on 27/07/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.932.81.1033.18.2046.1230 [GMT -4:00]

AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\D-Link\AirPremier AG DWL-AG132 Utility\AirPMCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunesKeys\iTunesKeys.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Documents and Settings\HP_Administrator\Desktop\Virus Stuff\RootRepeal.exe
C:\Documents and Settings\HP_Administrator\Desktop\Virus Stuff\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=64&bd=PAVILION&pf=desktop
mStart Page = about:blank
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [c:\program files\netmeter\netmeter.exe] c:\program files\netmeter\NetMeter.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [D-Link AirPremier AG DWL-AG132 Utility] c:\program files\d-link\airpremier ag dwl-ag132 utility\AirPMCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218151252906
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\41i7ssdx.default\
FF - prefs.js: browser.search.selectedEngine - Orbit Search (Powered By Google)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-18 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-18 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-18 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-18 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-18 298776]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2005-3-8 377920]
S3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [2005-3-8 43392]
S3 NetHook_ControlCenter;ArtOfPing ControlCenter;\??\c:\program files\autotunnel gg\controlcenter.sys --> c:\program files\autotunnel gg\ControlCenter.sys [?]
S3 NetHook_Interceptor;ArtOfPing TDI Interceptor;\??\c:\program files\autotunnel gg\interceptor.sys --> c:\program files\autotunnel gg\Interceptor.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2009-07-27 22:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-07-27 22:01 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-07-27 22:01 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-07-27 21:45 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\DAEMON Tools Lite
2009-07-27 11:39 <DIR> --d----- c:\program files\ESET
2009-07-27 11:20 266,360 a------- c:\windows\system32\TweakUI.exe
2009-07-27 11:20 160,217 a------- c:\windows\system32\PowerToysLicense.rtf
2009-07-26 18:59 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-07-26 18:51 219,648 a------- c:\windows\PEV.exe
2009-07-26 18:51 <DIR> --ds---- C:\RenamedCF
2009-07-26 15:14 <DIR> --d----- C:\DCE
2009-07-22 22:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-07-21 15:24 <DIR> --d----- c:\program files\MKVtoolnix
2009-07-20 23:44 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-07-18 01:44 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-07-18 01:34 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-18 01:34 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-18 01:34 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-18 01:34 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-07-18 01:34 <DIR> --d----- c:\program files\AVG
2009-07-18 01:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-07-16 13:23 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-16 13:23 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-16 13:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-16 01:23 <DIR> --d----- c:\program files\Trend Micro
2009-07-15 17:14 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-15 16:13 <DIR> --d----- c:\documents and settings\hp_administrator\DoctorWeb
2009-07-15 15:11 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-07-15 15:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-15 14:27 <DIR> a-dshr-- C:\autorun.inf
2009-07-12 22:08 0 a---h--- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-07-12 22:08 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-07-12 22:07 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-07-12 01:57 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-07-12 01:57 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-07-12 01:57 14,640 -------- c:\windows\system32\spmsgXP_2k3.dll
2009-07-12 01:54 62,976 -------- c:\windows\system32\dllcache\cdrom.sys
2009-07-12 01:54 465,920 -------- c:\windows\system32\imapi2fs.dll
2009-07-12 01:54 465,920 -------- c:\windows\system32\dllcache\imapi2fs.dll
2009-07-12 01:54 317,952 -------- c:\windows\system32\imapi2.dll
2009-07-12 01:54 317,952 -------- c:\windows\system32\dllcache\imapi2.dll
2009-06-28 20:31 <DIR> --d----- c:\program files\Ventrilo

==================== Find3M ====================

2009-07-27 21:45 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-06-16 10:36 119,808 -------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-04-29 00:56 233,472 a------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 00:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 00:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 00:56 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-04-29 00:56 102,912 a------- c:\windows\system32\dllcache\occache.dll
2009-04-29 00:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 00:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 00:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 00:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2008-11-27 23:29 486 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2008-08-18 10:24 22,328 a------- c:\docume~1\hp_adm~1\applic~1\PnkBstrK.sys
2006-01-12 07:03 22 a--sh--- c:\windows\sminst\HPCD.SYS
2008-09-19 09:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091920080920\index.dat

============= FINISH: 22:18:25.90 ===============

Edited by Severas, 27 July 2009 - 09:21 PM.


#14 Severas

  • Topic Starter

  • Members
  • 22 posts

Posted 27 July 2009 - 09:17 PM

I've fixed being able to boot into safe mode. A piece of software just needed an update. :thumbup2:

#15 Maurice Naggar


    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 28 July 2009 - 01:14 PM

> I've fixed being able to boot into safe mode. A piece of software just needed an update. :thumbup2:

OK, but be clear and confirm you are running in Normal mode.
Also, just what software was updated?

I need you to run one quick utility.
Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!
If one of your security applications (e.g., a third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Then copy/paste the contents of checkup.txt into your reply.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
