
UAC/TDSS Rootkit


12 replies to this topic

#1 Carnage5 (Members, 6 posts)

Posted 21 July 2009 - 07:47 PM

Hi All,

I have been fighting the UAC/TDSS rootkit for a few hours now to no avail. I've run Malwarebytes, but that has not helped in the removal of the virus.

Please help as I have photos due in a few hours.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:25 PM, on 7/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 92.241.176.188 advanced-virus-remover2009.com
O1 - Hosts: 92.241.176.188 www.advanced-virus-remover2009.com
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Global Startup: UltraMon.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 3518 bytes



Malwarebytes log

Malwarebytes' Anti-Malware 1.39
Database version: 2424
Windows 5.1.2600 Service Pack 2

7/21/2009 10:10:41 PM
mbam-log-2009-07-21 (22-10-30).txt

Scan type: Quick Scan
Objects scanned: 75851
Time elapsed: 1 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\UACyvtmocxuuw.dll (Trojan.TDSS) -> No action taken.
c:\WINDOWS\system32\UACapfixdqbai.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\UAChpynfmppdv.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\UACmlmcloumnq.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\UACqyoboxmaua.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\UACtniydenkel.dat (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\UACtowydsvcvj.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\drivers\UACdktettkdls.sys (Trojan.Agent) -> No action taken.


Thanks,
Evan

Edited by Carnage5, 21 July 2009 - 09:14 PM.




#2 sempai (noypi; Malware Response Team, 5,288 posts; Location: 3 stars and a sun)

Posted 22 July 2009 - 05:22 AM

Hello Carnage5, my name is Sempai, and welcome to Bleeping Computer.

*We apologize for the delay. The forum has been busy.

*I want you to understand that I'm still a trainee here. I will be working with my Coach, who will approve all my instructions before posting them to you, so there may be some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*You must reply within 5 days otherwise this topic will be closed.


1. We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

2. Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


~Semp



#3 kahdah (Security Colleague, 11,138 posts; Location: Florida)

Posted 27 July 2009 - 06:18 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

#4 kahdah (Security Colleague, 11,138 posts; Location: Florida)

Posted 22 August 2009 - 01:06 PM

Topic re-opened per user's request.

#5 Carnage5 (Topic Starter; Members, 6 posts)

Posted 22 August 2009 - 01:11 PM

New MBAM Log (8/22/09)

Malwarebytes' Anti-Malware 1.40
Database version: 2644
Windows 5.1.2600 Service Pack 2

8/22/2009 2:06:35 PM
mbam-log-2009-08-22 (14-06-33).txt

Scan type: Quick Scan
Objects scanned: 84286
Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACwwnpttajuc.dll (Rogue.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\UACwwnpttajuc.dll (Rogue.Agent) -> No action taken.
C:\WINDOWS\Temp\VRT4.tmp (Malware.Tool) -> No action taken.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.


Edited by Carnage5, 22 August 2009 - 01:14 PM.


#6 Carnage5 (Topic Starter; Members, 6 posts)

Posted 22 August 2009 - 01:17 PM

OTL Scan

OTL logfile created on: 8/22/2009 2:15:30 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.28 Gb Available Physical Memory | 64.06% Memory free
3.85 Gb Paging File | 3.12 Gb Available in Paging File | 80.96% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.68 Gb Total Space | 45.67 Gb Free Space | 59.56% Space Free | Partition Type: NTFS
Drive D: | 37.27 Gb Total Space | 5.58 Gb Free Space | 14.98% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 232.88 Gb Total Space | 0.19 Gb Free Space | 0.08% Space Free | Partition Type: NTFS
Drive G: | 465.76 Gb Total Space | 140.69 Gb Free Space | 30.21% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TSP
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/02/25 17:27:41 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2009/02/25 17:27:41 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2009/06/05 11:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2009/07/20 11:51:52 | 00,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
PRC - [2007/01/04 17:38:08 | 00,045,132 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2004/10/08 08:01:47 | 01,052,672 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/01/15 02:42:02 | 00,694,040 | ---- | M] (Realtime Soft Ltd) -- C:\Program Files\UltraMon\UltraMon.exe
PRC - [2008/01/14 19:24:46 | 00,303,616 | ---- | M] (Realtime Soft Ltd) -- C:\Program Files\UltraMon\UltraMonTaskbar.exe
PRC - [2009/07/13 14:02:56 | 14,074,656 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe
PRC - [2009/07/13 14:02:50 | 00,542,496 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/08/03 13:36:10 | 01,295,632 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2009/08/22 13:57:51 | 00,743,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscsvc32.exe
PRC - [2009/07/30 07:26:38 | 00,908,280 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/08/22 14:08:07 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/06/05 11:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/02/25 17:27:41 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
SRV - [2009/02/25 15:15:00 | 00,614,400 | ---- | M] () -- C:\WINDOWS\System32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2009/08/13 17:29:46 | 00,655,624 | ---- | M] (Acresso Software Inc.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2004/10/08 08:01:47 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/07/13 14:02:50 | 00,542,496 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/07/20 11:51:52 | 00,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0 [Auto | Running])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2007/01/04 17:38:08 | 00,045,132 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1993962763-1336601894-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1993962763-1336601894-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1993962763-1336601894-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-21-1993962763-1336601894-682003330-1003\S-1-5-21-1993962763-1336601894-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://forums.nasioc.com/forums/forumdisplay.php?f=24"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1
FF - prefs.js..extensions.enabledItems: exif_viewer@mozilla.doslash.org:1.51
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.2

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/15 03:03:32 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/08 10:31:41 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/17 20:51:36 | 00,000,000 | ---D | M]

[2009/08/08 10:31:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Extensions
[2009/08/08 10:31:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/08/17 20:22:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\qjv33rf6.default\extensions
[2009/08/12 20:39:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\qjv33rf6.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/08/12 20:39:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\qjv33rf6.default\extensions\exif_viewer@mozilla.doslash.org
[2009/08/08 10:00:31 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/08 10:00:31 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/07/30 07:26:53 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/07/30 07:26:54 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/07/30 07:26:55 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2006/10/26 20:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL
[2009/08/12 20:00:33 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/08/12 20:00:33 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/08/12 20:00:33 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/08/12 20:00:33 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/08/12 20:00:33 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/08/12 20:00:33 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/08/12 20:00:33 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2009/07/30 03:24:20 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/07/30 03:24:20 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/30 03:24:20 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/30 03:24:20 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/07/30 03:24:20 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/07/30 03:24:20 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/07/30 03:24:20 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (755 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 jL.chura.pl
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 microsoft
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Regedit32] C:\WINDOWS\System32\regedit.exe File not found
O4 - HKLM..\Run: [RegistryWm] C:\WINDOWS\System32\qtwm.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UltraMon.lnk = C:\WINDOWS\Installer\{AF0FA6D7-96F3-468A-ABB7-28BE006EA8E9}\IcoUltraMon.ico ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1993962763-1336601894-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1249739891254 (WUWebControl Class)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\Ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/08 09:29:08 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\##carnserv#Pron3\Shell - "" = AutoRun
O33 - MountPoints2\##carnserv#Pron3\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\##carnserv#Pron3\Shell\AutoRun\command - "" = Z:\wd_windows_tools\WDSetup.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 14 Days ==========

[32 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/08/22 14:08:06 | 00,536,064 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/08/22 13:57:51 | 00,257,536 | ---- | C] () -- C:\WINDOWS\System32\resdll.dll
[2009/08/20 08:59:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2009/08/20 08:59:04 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\515.exe
[2009/08/20 08:17:10 | 00,002,538 | ---- | C] () -- C:\a.jpg
[2009/08/20 08:14:46 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\qtwm.exe
[2009/08/18 18:05:32 | 00,000,041 | ---- | C] () -- C:\WINDOWS\ars-dat0169.conf
[2009/08/18 17:10:38 | 00,001,839 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Windows Live Messenger .lnk
[2009/08/17 21:00:38 | 00,002,521 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Office Outlook 2007.lnk
[2009/08/17 20:51:35 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Works
[2009/08/17 20:51:15 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio
[2009/08/17 20:51:15 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2009/08/17 20:50:49 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2009/08/17 20:49:07 | 00,000,000 | ---D | C] -- C:\WINDOWS\SHELLNEW
[2009/08/17 20:48:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft Help
[2009/08/17 20:48:36 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2009/08/17 20:48:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Microsoft Help
[2009/08/17 20:48:18 | 00,000,000 | RH-D | C] -- C:\MSOCache
[2009/08/17 20:43:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Realtime Soft
[2009/08/17 20:43:43 | 00,002,299 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UltraMon.lnk
[2009/08/17 20:43:43 | 00,000,000 | ---D | C] -- C:\Program Files\UltraMon
[2009/08/17 20:43:43 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Realtime Soft
[2009/08/17 20:43:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Realtime Soft
[2009/08/17 20:41:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\My Received Files
[2009/08/17 20:38:00 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2009/08/17 20:37:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2009/08/17 20:37:46 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2009/08/17 20:37:27 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2009/08/17 20:30:01 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2009/08/16 08:29:57 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
[2009/08/15 03:02:27 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2009/08/14 03:01:08 | 00,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2009/08/14 03:00:34 | 00,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2009/08/13 17:45:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2009/08/13 17:45:11 | 00,000,856 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Adobe Photoshop CS4.lnk
[2009/08/13 17:35:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\acccore
[2009/08/13 17:35:35 | 00,000,000 | ---D | C] -- C:\Program Files\Adobe Media Player
[2009/08/13 17:35:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\AOL OCP
[2009/08/13 17:35:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\AOL
[2009/08/13 17:33:25 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2009/08/13 17:29:46 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Macrovision Shared
[2009/08/13 17:28:41 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2009/08/12 21:05:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
[2009/08/12 21:04:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Nero
[2009/08/12 21:03:26 | 00,002,327 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Nero StartSmart Essentials.lnk
[2009/08/12 21:02:33 | 00,000,000 | ---D | C] -- C:\Program Files\Nero
[2009/08/12 21:02:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nero
[2009/08/12 21:02:02 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Nero
[2009/08/12 20:11:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Adobe CS4
[2009/08/12 20:04:58 | 00,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/08/12 20:04:46 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/08/12 20:04:43 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/08/12 20:01:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Apple Computer
[2009/08/12 20:00:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/08/12 20:00:37 | 00,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2009/08/12 20:00:19 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/08/12 20:00:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/08/12 20:00:13 | 00,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/08/12 20:00:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Apple
[2009/08/12 20:00:11 | 00,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2009/08/12 20:00:07 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2009/08/12 19:59:39 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2009/08/12 19:59:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple
[2009/08/12 19:55:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Apple Computer
[2009/08/12 19:52:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Adobe
[2009/08/12 19:52:32 | 00,003,814 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Server.RDP
[2009/08/12 19:52:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Adobe
[2009/08/12 19:52:09 | 00,001,834 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Photoshop Lightroom 2.4.lnk
[2009/08/12 19:52:06 | 00,000,000 | -H-- | C] () -- C:\Documents and Settings\Owner\My Documents\Default.rdp
[2009/08/12 19:51:53 | 00,000,000 | ---D | C] -- C:\Program Files\Adobe
[2009/08/12 19:51:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/08/12 19:47:45 | 00,000,894 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Google Talk.lnk
[2009/08/12 19:46:28 | 00,044,144 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/08/12 19:46:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\ATI
[2009/08/12 19:46:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\ATI
[2009/08/12 19:46:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ATI
[2009/08/12 18:44:56 | 00,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2009/08/12 18:41:58 | 00,000,000 | ---D | C] -- C:\Program Files\ATI
[2009/08/12 18:41:09 | 00,614,400 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2009/08/12 18:40:53 | 00,000,000 | ---D | C] -- C:\Program Files\ATI Technologies
[2009/08/12 18:40:24 | 00,000,000 | ---D | C] -- C:\ATI
[2009/08/12 18:40:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\WinRAR
[2009/08/12 18:30:44 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/08/12 18:30:41 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/08/12 18:30:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us
[2009/08/12 18:30:38 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/08/12 18:29:49 | 00,000,000 | R-SD | C] -- C:\WINDOWS\assembly
[2009/08/12 18:29:08 | 00,000,000 | ---D | C] -- C:\WINDOWS\Microsoft.NET
[2009/08/12 18:28:25 | 00,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2009/08/12 18:25:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Downloads

========== Files - Modified Within 14 Days ==========

[32 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/08/22 14:08:07 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/08/22 13:59:22 | 00,625,952 | ---- | M] () -- C:\WINDOWS\System32\drivers\ntfs.sys
[2009/08/22 13:59:22 | 00,625,952 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ntfs.sys
[2009/08/22 13:57:51 | 00,257,536 | ---- | M] () -- C:\WINDOWS\System32\resdll.dll
[2009/08/22 13:57:27 | 00,286,720 | ---- | M] () -- C:\WINDOWS\System32\qtwm.exe
[2009/08/22 13:52:39 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/08/22 13:51:54 | 00,000,552 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/08/22 13:51:54 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/08/22 13:51:54 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2009/08/22 13:51:24 | 00,002,299 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UltraMon.lnk
[2009/08/22 13:48:58 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/22 13:48:58 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/22 13:48:56 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/20 09:16:45 | 00,024,888 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000002-00000000-00000008-00001102-00000002-80641102}.rfx
[2009/08/20 09:16:45 | 00,024,888 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000002-00000000-00000008-00001102-00000002-80641102}.rfx
[2009/08/20 09:16:45 | 00,016,420 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000002-00000000-00000008-00001102-00000002-80641102}.rfx
[2009/08/20 09:16:45 | 00,016,420 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000002-00000000-00000008-00001102-00000002-80641102}.rfx
[2009/08/20 09:16:45 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2009/08/20 09:16:45 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2009/08/20 09:16:45 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000002-00000000-00000008-00001102-00000002-80641102}.dat
[2009/08/20 09:16:45 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000002-00000000-00000008-00001102-00000002-80641102}.dat
[2009/08/20 09:15:54 | 05,356,992 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2009/08/20 08:58:53 | 00,192,512 | ---- | M] () -- C:\WINDOWS\System32\515.exe
[2009/08/20 08:49:19 | 00,002,538 | ---- | M] () -- C:\a.jpg
[2009/08/18 23:11:49 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/08/18 18:05:32 | 00,000,041 | ---- | M] () -- C:\WINDOWS\ars-dat0169.conf
[2009/08/18 17:31:29 | 00,002,521 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Office Outlook 2007.lnk
[2009/08/18 17:10:38 | 00,001,839 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Windows Live Messenger .lnk
[2009/08/18 17:10:13 | 03,374,149 | ---- | M] () -- C:\WINDOWS\{00000002-00000000-00000008-00001102-00000002-80641102}.CDF
[2009/08/18 17:10:13 | 03,374,149 | ---- | M] () -- C:\WINDOWS\{00000002-00000000-00000008-00001102-00000002-80641102}.BAK
[2009/08/18 07:21:32 | 00,044,144 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/08/18 07:21:08 | 02,068,752 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/17 21:20:33 | 00,000,125 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2009/08/17 21:09:26 | 00,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/08/17 21:09:26 | 00,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/08/17 21:09:24 | 00,509,574 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/08/17 20:56:38 | 00,005,120 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/15 14:53:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/08/13 17:45:11 | 00,000,856 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Adobe Photoshop CS4.lnk
[2009/08/12 21:03:26 | 00,002,327 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Nero StartSmart Essentials.lnk
[2009/08/12 20:20:54 | 00,003,814 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Server.RDP
[2009/08/12 19:52:09 | 00,001,834 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Photoshop Lightroom 2.4.lnk
[2009/08/12 19:52:06 | 00,000,000 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\Default.rdp
[2009/08/12 19:47:45 | 00,000,894 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Google Talk.lnk
[2009/08/12 18:44:56 | 00,000,000 | ---- | M] () -- C:\WINDOWS\ativpsrm.bin

========== LOP Check ==========

[2009/08/17 20:48:36 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/08/12 20:01:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/08/08 09:51:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2009/08/12 19:46:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ATI
[2009/08/12 21:05:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
[2009/08/13 17:45:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2009/08/08 09:51:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SlySoft
[2009/08/08 09:51:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/08/07 16:15:27 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Default User\Application Data
[2009/08/08 09:42:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data
[2009/08/08 09:31:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data
[2009/08/17 20:43:51 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Owner\Application Data
[2009/08/13 17:35:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\acccore
[2009/08/12 19:46:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ATI
[2009/08/15 14:53:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2004/10/08 08:01:47 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/08/22 13:48:58 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 72 bytes -> C:\WINDOWS:0CC51226DB2A1E26
< End of report >



#7 Carnage5

Carnage5
  • Topic Starter

  • Members
  • 6 posts
  • Local time:12:19 PM

Posted 22 August 2009 - 01:20 PM

GMER Log

GMER 1.0.15.15077 [os08j2jc.exe] - http://www.gmer.net
Rootkit quick scan 2009-08-22 14:19:33
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 88058DE8 ZwEnumerateKey
Code 88190BB8 ZwFlushInstructionCache
Code 88058E1E IofCallDriver
Code 869C06E6 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs [89D09E37] Ntfs.sys[.reloc]
Device \FileSystem\Ntfs \Ntfs [89CE6EE4] Ntfs.sys[.reloc]
Device \Driver\NDIS \Device\Ndis [89C9F982] NDIS.sys[.reloc]

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACkosbpyreex.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----



#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:12:19 AM

Posted 24 August 2009 - 07:09 AM

Hello again Carnage5,

Your log has signs of Virut and we need to confirm it. Please click here --> VirSCAN.org

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Click the browse button and navigate to the files listed below in bold, then click Upload. You will only be able to have one file scanned at a time.

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe

Please post back the results of the scan in your next post.



~Semp

~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#9 Carnage5

Carnage5
  • Topic Starter

  • Members
  • 6 posts
  • Local time:12:19 PM

Posted 24 August 2009 - 04:59 PM

Explorer.exe

Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time
a-squared | 4.5.0.8 | 20090824170206 | 2009-08-24 | Virus.Win32.Virut.q!IK | 0.458
AhnLab V3 | 2009.08.25.00 | 2009.08.25 | 2009-08-25 | Win32/Virut.E | 0.776
AntiVir | 8.2.1.3 | 7.1.5.156 | 2009-08-24 | W32/Virut.Gen | 0.387
Antiy | 2.0.18 | 20090824.2730530 | 2009-08-24 | - | 0.121
Arcavir | 2009 | 200908241822 | 2009-08-24 | Heur.W32 | 0.081
Authentium | 5.1.1 | 200908241920 | 2009-08-24 | W32/Virut.AI!Generic (Possible) | 1.196
AVAST! | 4.7.4 | 090824-0 | 2009-08-24 | - | 0.054
AVG | 8.5.288 | 270.13.65/2324 | 2009-08-24 | Win32/Virut | 0.384
BitDefender | 7.81008.3912851 | 7.27325 | 2009-08-25 | Win32.Virtob.Gen.12 | 3.353
CA (VET) | 9.0.0.143 | 31.6.6697 | 2009-08-25 | Win32/Virut.17408 virus. | 5.579
ClamAV | 0.95.2 | 9732 | 2009-08-24 | - | 0.162
Comodo | 3.10 | 2084 | 2009-08-24 | - | 1.183
CP Secure | 1.1.0.715 | 2009.08.23 | 2009-08-23 | - | 0.112
Dr.Web | 4.44.0.9170 | 2009.08.24 | 2009-08-24 | Win32.Virut.56 | 8.750
F-Prot | 4.4.4.56 | 20090824 | 2009-08-24 | W32/Virut.AI!Generic | 1.182
F-Secure | 7.02.73807 | 2009.08.24.10 | 2009-08-24 | Virus.Win32.Virut.ce [AVP] | 0.117
Fortinet | 2.81-3.120 | 10.753 | 2009-08-24 | - | 0.445
GData | 19.7358/19.450 | 20090824 | 2009-08-24 | Virus.Win32.Virut.ce [Engine:A] | 4.872
Ikarus | T3.1.01.68 | 2009.08.24.73346 | 2009-08-24 | Virus.Win32.Virut.q | 3.675
JiangMin | 11.0.800 | 2009.08.23 | 2009-08-23 | Win32/Virut.bn | 3.526
Kaspersky | 5.5.10 | 2009.08.24 | 2009-08-24 | Virus.Win32.Virut.ce | 0.062
KingSoft | 2009.2.5.15 | 2009.8.24.22 | 2009-08-24 | Win32.Virut.ce.53248 | 0.508
McAfee | 5.3.00 | 5719 | 2009-08-24 | W32/Virut.n.gen | 3.144
Microsoft | 1.4903 | 2009.08.24 | 2009-08-24 | Virus:Win32/Virut.BM | 5.939
Norman | 6.01.09 | 6.01.00 | 2009-08-24 | W32/Virut.CP | 4.007
nProtect | 20090823.01 | 5121977 | 2009-08-23 | Virus/W32.Virut.F | 6.972
Panda | 9.05.01 | 2009.08.24 | 2009-08-24 | W32/Sality.AO | 1.800
Quick Heal | 10.00 | 2009.08.24 | 2009-08-24 | W32.Virut.G | 1.368
Rising | 20.0 | 21.44.04.00 | 2009-08-24 | Win32.Virut.bm | 1.148
Sophos | 2.89.1 | 4.44 | 2009-08-25 | W32/Scribble-B | 3.276
Sunbelt | 5352 | 5352 | 2009-08-24 | Virus.Win32.Virut.ce (v) | 1.822
Symantec | 1.3.0.24 | 20090824.002 | 2009-08-24 | W32.Virut.CF | 0.124
The Hacker | 6.3.4.3 | v00386 | 2009-08-22 | - | 0.713
Trend Micro | 8.700-1004 | 6.390.10 | 2009-08-24 | PE_VIRUX.J-1 | 0.035
VBA32 | 3.12.10.9 | 20090823.1723 | 2009-08-23 | Virus.Win32.Virut.X5 | 1.893
ViRobot | 20090824 | 2009.08.24 | 2009-08-24 | - | 0.410
VirusBuster | 4.5.11.10 | 10.112.15/1802658 | 2009-08-24 | Win32.Virut.Y.Gen | 2.828


lsass.exe=Clean

services.exe=Clean

winlogon.exe

Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time
F-Prot | 4.4.4.56 | 20090824 | 2009-08-24 | Possible W32/Swizzor-based.2!Maximus | 2.163
Authentium | 5.1.1 | 200908241920 | 2009-08-24 | W32/Swizzor-based.2!Maximus (Heuristic) |


svchost.exe=Clean

Edited by Carnage5, 24 August 2009 - 05:12 PM.


#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:12:19 AM

Posted 25 August 2009 - 04:01 AM

Hello Carnage,


I'm afraid I have very bad news. :thumbup2:

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)


Miekiemoes, one of our team members here and an MS-MVP, additionally has a blog post about Virut.


I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc.
Keep in mind, though, that with a Virut infection, there is always a chance of backed up data reinfecting your system! Do NOT backup any applications/installers and do NOT backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script (.php, .asp, .html, .htm, .xml) files. Also avoid backing up compressed files (.zip, .cab, .rar) that have .exe or .scr files inside them as Virut can penetrate and infect these files within compressed files too.
NOTE: If you have to backup files, do so only for MS Office documents & any non-executable files. Burn them to CD/DVD. Do NOT copy files from the infected machine to your flash drive or external hard drive as they may become compromised in the process. You risk infecting the other machine!

Virut is not disinfectable. Your only option is to perform a full reformat. Do NOT attempt a repair install. It shall be a waste of time. If you do so, the infected executables remain on the machine & you shall likely trigger another bout of Virut.

If you do not know how to perform a fresh install, use these websites and read the instructions on how to format and reinstall Windows:

Sorry to be the bearer of bad news, but this really is your only option at this point. :) Should you have any questions, please feel free to ask.



~Sempai



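The McAfee description above of where Virut's decryptor can sit (appended to the last section, in code-section slack space, or at the entry point) is the kind of layout a defender can check for mechanically. The following is an added example, not from this thread or from any of the tools mentioned in it: it assumes a PE32 image, parses only the headers, and flags an entry point that lands in the last section, in a non-code section, or in a section that is both writable and executable. The sample images are constructed inline as header-only test data.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return (entry_rva, [(name, va, vsize, characteristics), ...]) for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        s = opt + opt_size + 40 * i                           # section headers follow the optional header
        name = data[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", data, s + 8)    # VirtualSize, VirtualAddress
        chars = struct.unpack_from("<I", data, s + 36)[0]     # Characteristics
        sections.append((name, va, vsize, chars))
    return entry_rva, sections


def entry_point_findings(data):
    """List reasons the entry point resembles an EPO/appending infector; empty means nothing odd."""
    entry_rva, sections = parse_sections(data)
    hit = next((i for i, (_, va, vsize, _) in enumerate(sections)
                if va <= entry_rva < va + vsize), None)
    if hit is None:
        return ["entry point %#x lies outside every section" % entry_rva]
    name, _, _, chars = sections[hit]
    findings = []
    if len(sections) > 1 and hit == len(sections) - 1:
        findings.append("entry point in last section %s" % name)
    if not chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append("entry point in non-code section %s" % name)
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append("section %s is writable and executable" % name)
    return findings


def build_pe(entry_rva, sections):
    """Build a header-only PE32 image for testing (constructed data, not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew: PE header right after DOS header
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, va, vsize, 0, 0, 0, 0, 0, chars)
                    for name, va, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


# Constructed samples: a normal layout, and one whose entry point has been moved into
# a last section that is both writable and executable.
CLEAN = build_pe(0x1100, [
    (b".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x3000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
SUSPECT = build_pe(0x4050, [
    (b".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x3000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rsrc", 0x4000, 0x0800, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
                               | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, entry_point_findings(image) or ["no findings"])
```

A heuristic like this is a triage aid only: packers and some legitimate linkers produce the same layouts, so a hit is a reason to look closer, not a verdict.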
#11 Carnage5

Carnage5
  • Topic Starter

  • Members
  • 6 posts
  • Local time:12:19 PM

Posted 25 August 2009 - 06:56 AM

Question,

I have multiple HDDs where I store my music, photos, etc. Do I need to worry about those files being infected, or just everything on C:\? This is the 8th time I've wiped my PC in 2 months, and I have no idea where the infection is coming from, so this is why I ask.

Edited by Carnage5, 25 August 2009 - 06:57 AM.


#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:12:19 AM

Posted 25 August 2009 - 07:44 AM

Hi,

I have multiple HDDs where I store my music, photos, etc. Do I need to worry about those files being infected, or just everything on C:\? This is the 8th time I've wiped my PC in 2 months, and I have no idea where the infection is coming from, so this is why I ask.

I think your other HD/Partition is also infected. It will be wise to wipe them as well.

You can back-up music, photos, and any other documents that are important to you.
Do NOT backup any applications/installers and do NOT backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script (.php, .asp, .html, .htm, .xml) files. Also avoid backing up compressed files (.zip, .cab, .rar) that have .exe or .scr files inside them as Virut can penetrate and infect these files within compressed files too.


NOTE: If you have to backup files, do so only for MS Office documents & any non-executable files. Burn them to CD/DVD. Do NOT copy files from the infected machine to your flash drive or external hard drive as they may become compromised in the process. You risk infecting the other machine!

After you reinstall Windows, make sure you have installed an antivirus program, then scan all your backups before using or saving them again.


How to prevent Malware: by miekiemoes


~Semp :thumbup2:

Edited by sempai, 25 August 2009 - 07:46 AM.



#13 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:12:19 PM

Posted 27 August 2009 - 07:38 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



