
Possible rootkit/bootsector virus


This topic is locked
4 replies to this topic

#1 Irene_


Posted 10 November 2009 - 08:15 AM

Here are my logs. I would post a link to my previous thread, but I don't actually know how to do that. It is titled "Pretty sure I'm infected but no clue with what" in the "Am I infected" forum. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/264631/im-pretty-sure-im-infected-but-no-clue-with-what/ ~ OB Thank you very much to whoever takes on my case.


DDS (Ver_09-10-26.01) - NTFSX64 NETWORK
Run by Irene at 5:48:29.04 on Tue 11/10/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3036.2535 [GMT -7:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bleepingcomputer.com/
uRun: [SUPERAntiSpyware] c:\program files\SUPERAntiSpyware.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\irene\appdata\roaming\micros~1\windows\startm~1\programs\startup\is-4pevp.lnk - c:\users\virus removal tool1\is-4pevp\startup.exe
StartupFolder: c:\users\irene\appdata\roaming\micros~1\windows\startm~1\programs\startup\is-q8bbu.lnk - c:\users\virus removal tool\is-q8bbu\startup.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Notify: !SASWinLogon - c:\program files (x86)\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files (x86)\SASSEH.DLL
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

============= SERVICES / DRIVERS ===============

S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2008-1-20 93696]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\3553.tmp [2009-11-5 6144]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]

============== File Associations ===============

inffile=%SystemRoot%\SysWow64\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-11-08 19:03:54 65536 --sha-w- c:\users\irene\NTUSER.DAT{e40a854f-cc97-11de-9a28-00256452db94}.TM.blf
2009-11-08 19:03:54 524288 --sha-w- c:\users\irene\NTUSER.DAT{e40a854f-cc97-11de-9a28-00256452db94}.TMContainer00000000000000000002.regtrans-ms
2009-11-08 19:03:54 524288 --sha-w- c:\users\irene\NTUSER.DAT{e40a854f-cc97-11de-9a28-00256452db94}.TMContainer00000000000000000001.regtrans-ms
2009-11-05 20:07:34 0 d-----w- c:\programdata\is-4PEVP
2009-11-05 20:03:11 0 d-----w- c:\programdata\is-Q8BBU
2009-11-05 19:11:11 6144 ------w- c:\windows\system32\3553.tmp
2009-11-05 19:10:25 6144 ------w- c:\windows\system32\7F5C.tmp
2009-11-05 19:06:14 0 d-----w- c:\program files\Sophos
2009-11-05 18:04:27 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-05 18:02:19 0 d-----w- c:\program files (x86)\Plugins
2009-11-05 18:02:19 0 d-----w- c:\program files (x86)\Language
2009-11-05 18:02:18 0 d-----w- c:\users\irene\appdata\roaming\SUPERAntiSpyware.com
2009-11-05 17:59:08 0 d-----w- c:\program files (x86)\common files\Wise Installation Wizard
2009-11-05 16:21:43 0 d-----w- c:\users\irene\appdata\roaming\Malwarebytes
2009-11-05 16:21:39 22104 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 16:21:39 0 d-----w- c:\programdata\Malwarebytes
2009-11-05 16:21:39 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-05 15:27:33 0 d-sha-r- C:\autorun.inf
2009-11-04 18:18:58 67584 ----a-w- c:\windows\system32\RtNicProp64.dll
2009-11-04 18:18:58 197120 ----a-w- c:\windows\system32\drivers\Rtlh64.sys
2009-11-04 18:18:58 0 d-----w- c:\program files (x86)\Realtek
2009-11-04 18:14:04 53248 ----a-w- c:\windows\syswow64\CSVer.dll
2009-11-04 18:13:51 0 d-----w- C:\Intel
2009-11-04 18:13:49 0 d-----w- C:\dell
2009-10-29 23:34:16 0 d-----w- c:\windows\Panther
2009-10-29 23:34:03 8192 --s-a-r- C:\BOOTSECT.BAK
2009-10-29 23:34:02 333203 --sha-r- C:\bootmgr
2009-10-29 23:34:02 0 d-sh--w- C:\Boot
2009-10-29 23:33:48 24 ---ha-r- c:\windows\dell_version
2009-10-29 23:33:48 0 d-----w- c:\windows\system32\OEM
2009-10-29 22:07:16 0 d-----w- C:\New Folder
2009-10-29 21:01:16 0 d-----w- c:\windows\syswow64\vmm32
2009-10-29 21:01:16 0 d-----w- c:\program files (x86)\Dell
2009-10-29 21:00:45 0 d-sh--w- c:\windows\Installer
2009-10-13 04:24:56 7408 ----a-r- c:\program files (x86)\SASENUM.SYS
2009-10-13 04:24:54 9968 ----a-w- c:\program files (x86)\sasdifsv.sys
2009-10-13 04:24:52 74480 ----a-w- c:\program files (x86)\SASKUTIL.SYS
2009-10-13 04:24:50 2000112 ----a-w- c:\program files\SUPERAntiSpyware.exe
2009-10-13 04:24:48 158960 ----a-w- c:\program files (x86)\SSUpdate.exe

==================== Find3M ====================

2009-11-04 18:19:11 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-11-04 18:19:11 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-04 18:19:07 86016 ----a-w- c:\windows\inf\infstor.dat
2009-10-13 04:17:08 21354727 ----a-w- c:\program files (x86)\PROCESSLIST.DB
2009-10-13 04:16:42 1242971 ----a-w- c:\program files (x86)\PROCESSLISTRELATED.DB
2009-09-03 22:21:42 548352 ----a-w- c:\program files (x86)\SASWINLO.dll
2008-11-03 20:49:26 47912 ----a-w- c:\program files (x86)\RUNSAS.EXE
2008-07-28 18:10:52 411136 ----a-w- c:\program files (x86)\SASREPAIRS.STG
2008-05-13 17:13:36 77824 ----a-w- c:\program files (x86)\SASSEH.DLL
2008-03-12 18:29:50 24576 ----a-r- c:\program files (x86)\SASINST.EXE
2008-01-21 03:21:59 174 --sha-w- c:\program files\desktop.ini
2008-01-21 03:21:59 174 --sha-w- c:\program files (x86)\desktop.ini
2008-01-21 03:04:06 665600 ----a-w- c:\windows\inf\drvindex.dat
2007-11-27 20:12:26 1088725 ----a-w- c:\program files (x86)\SUPERAntiSpyware.chm
2007-10-02 21:08:48 122168 ----a-r- c:\program files (x86)\BootSafe.exe
2007-02-27 19:39:26 61440 ----a-w- c:\program files (x86)\SASCTXMN.DLL
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2006-09-19 22:55:38 360448 ----a-r- c:\program files (x86)\deupx.dll
2004-05-20 20:28:44 2048 ----a-w- c:\program files (x86)\detect.wav
2004-05-07 22:31:40 348160 ----a-w- c:\program files (x86)\msvcr71.dll
2008-01-21 03:20:34 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-01-21 03:20:34 32768 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-01-21 03:20:34 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 5:49:13.61 ===============

Edited by Orange Blossom, 10 November 2009 - 06:27 PM.


#2 myrti

  • Malware Study Hall Admin

Posted 16 November 2009 - 09:42 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if a topic is not replied to, we assume it has been abandoned and it is closed.

Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 Irene_


Posted 18 November 2009 - 07:48 AM

Hello Myrti, thank you very much for your response. Here are my logs:

OTL logfile created on: 11/18/2009 5:36:33 AM - Run 1
OTL by OldTimer - Version 3.1.6.0 Folder = C:\Users
64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.96 Gb Total Physical Memory | 2.30 Gb Available Physical Memory | 77.50% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 149.01 Gb Total Space | 125.44 Gb Free Space | 84.18% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: IANDM
Current User Name: Irene
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/11/18 05:32:19 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Users\OTL.exe
PRC - [2009/11/02 20:23:08 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe


========== Modules (SafeList) ==========

MOD - [2009/11/18 05:32:19 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Users\OTL.exe
MOD - [2008/01/20 19:52:09 | 00,142,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\spp.dll
MOD - [2008/01/20 19:52:09 | 00,040,960 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\srclient.dll
MOD - [2008/01/20 19:50:01 | 00,183,296 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\xmllite.dll
MOD - [2008/01/20 19:49:43 | 01,076,224 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\vssapi.dll
MOD - [2008/01/20 19:49:43 | 00,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\vsstrace.dll
MOD - [2008/01/20 19:49:32 | 00,079,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\authz.dll
MOD - [2008/01/20 19:49:14 | 00,071,680 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\atl.dll
MOD - [2008/01/20 19:48:06 | 01,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2008/01/20 19:52:15 | 01,216,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV:64bit: - [2008/01/20 19:47:32 | 00,383,544 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/20 19:51:36 | 00,344,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehrecvr.exe -- (ehRecvr)
SRV - [2008/01/20 19:51:36 | 00,153,600 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched)
SRV - [2008/01/20 19:50:58 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/01/20 19:50:38 | 00,093,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64)
SRV - [2006/11/02 08:03:48 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart)
SRV - [2006/11/02 06:34:14 | 00,000,000 | ---D | M] -- C:\Windows\SysWOW64\Msdtc -- (MSDTC)
SRV - [2006/11/01 23:35:15 | 00,060,994 | ---- | M] () -- C:\Windows\SysWOW64\wbem\vds.mof -- (vds)
SRV - [2006/11/01 23:35:15 | 00,055,846 | ---- | M] () -- C:\Windows\SysWOW64\wbem\vss.mof -- (VSS)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2009/06/18 12:54:10 | 00,006,144 | ---- | M] () -- C:\Windows\SysNative\935A.tmp -- (MEMSWEEP2)
DRV:64bit: - [2009/02/26 19:56:08 | 00,197,120 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys -- (RTL8169)
DRV:64bit: - [2008/03/22 14:42:20 | 00,129,384 | ---- | M] () -- C:\Windows\SysNative\drivers\keyscrambler.sys -- (KeyScrambler)
DRV:64bit: - [2008/01/20 19:46:51 | 00,017,792 | ---- | M] () -- C:\Windows\SysNative\DRIVERS\CmBatt.sys -- (CmBatt)
DRV:64bit: - [2006/11/01 22:28:10 | 00,273,920 | ---- | M] () -- C:\Windows\SysNative\drivers\HdAudio.sys -- (HdAudAddService)
DRV - [2009/06/18 12:55:41 | 00,018,816 | ---- | M] (Sophos Plc) -- C:\Windows\SysWOW64\SAVRKBootTasks.sys -- (SAVRKBootTasks)
DRV - [2008/07/08 13:54:06 | 00,200,720 | ---- | M] (Kaspersky Lab) -- C:\Windows\SysWOW64\drivers\90977631.sys -- (is-Q8BBUdrv)
DRV - [2008/07/08 13:54:06 | 00,200,720 | ---- | M] (Kaspersky Lab) -- C:\Windows\SysWOW64\drivers\16057847.sys -- (is-4PEVPdrv)
DRV - [2006/09/18 14:36:40 | 00,003,066 | ---- | M] () -- C:\Windows\SysWOW64\wbem\tcpip.mof -- (Tcpip)
DRV - [2006/09/18 14:35:23 | 00,001,088 | ---- | M] () -- C:\Windows\SysWOW64\wbem\mpsdrv.mof -- (mpsdrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKU\S-1-5-21-1088018028-2647874452-1959646544-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKU\S-1-5-21-1088018028-2647874452-1959646544-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-1088018028-2647874452-1959646544-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/
IE - HKU\S-1-5-21-1088018028-2647874452-1959646544-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1088018028-2647874452-1959646544-1000\S-1-5-21-1088018028-2647874452-1959646544-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://throughtheflame.org"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1
FF - prefs.js..extensions.enabledItems: {6614d11d-d21d-b211-ae23-815234e1ebb5}:1.0.21
FF - prefs.js..extensions.enabledItems: firefox@ghostery.com:2.0.1
FF - prefs.js..extensions.enabledItems: {77b819fa-95ad-4f2c-ac7c-486b356188a9}:1.5.20090525
FF - prefs.js..extensions.enabledItems: keyscrambler@qfx.software.corporation:2.1.0.1
FF - prefs.js..extensions.enabledItems: {cf47767d-5f3a-4e32-9fce-5d79565c9702}:1.0.6
FF - prefs.js..extensions.enabledItems: {c1970c0d-dbe6-4d91-804f-c9c0de643a57}:1.2.4
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.14
FF - prefs.js..extensions.enabledItems: redirectcleaner@example.net:1.1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/13 23:50:00 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/13 23:50:00 | 00,000,000 | ---D | M]

[2009/11/13 23:50:14 | 00,000,000 | ---D | M] -- C:\Users\Irene\AppData\Roaming\mozilla\Extensions
[2009/11/13 23:50:14 | 00,000,000 | ---D | M] -- C:\Users\Irene\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/11/18 05:24:36 | 00,000,000 | ---D | M] -- C:\Users\Irene\AppData\Roaming\mozilla\Firefox\Profiles\u8qqoaib.default\extensions
[2009/11/14 20:26:06 | 00,000,000 | ---D | M] -- C:\Users\Irene\AppData\Roaming\mozilla\Firefox\Profiles\u8qqoaib.default\extensions\{6614d11d-d21d-b211-ae23-815234e1ebb5}
[2009/11/14 23:28:42 | 00,000,000 | ---D | M] -- C:\Users\Irene\AppData\Roaming\mozilla\Firefox\Profiles\u8qqoaib.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2009/11/17 15:47:07 | 00,000,000 | ---D | M] -- C:\Users\Irene\AppData\Roaming\mozilla\Firefox\Profiles\u8qqoaib.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2009/11/16 17:37:03 | 00,000,000 | ---D | M] -- C:\Users\Irene\AppData\Roaming\mozilla\Firefox\Profiles\u8qqoaib.default\extensions\{c1970c0d-dbe6-4d91-804f-c9c0de643a57}
[2009/11/14 00:31:14 | 00,000,000 | ---D | M] -- C:\Users\Irene\AppData\Roaming\mozilla\Firefox\Profiles\u8qqoaib.default\extensions\{cf47767d-5f3a-4e32-9fce-5d79565c9702}
[2009/11/14 15:27:00 | 00,000,000 | ---D | M] -- C:\Users\Irene\AppData\Roaming\mozilla\Firefox\Profiles\u8qqoaib.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/11/14 02:02:30 | 00,000,000 | ---D | M] -- C:\Users\Irene\AppData\Roaming\mozilla\Firefox\Profiles\u8qqoaib.default\extensions\firefox@ghostery.com
[2009/11/14 20:38:25 | 00,000,000 | ---D | M] -- C:\Users\Irene\AppData\Roaming\mozilla\Firefox\Profiles\u8qqoaib.default\extensions\keyscrambler@qfx.software.corporation
[2009/11/16 17:20:07 | 00,000,000 | ---D | M] -- C:\Users\Irene\AppData\Roaming\mozilla\Firefox\Profiles\u8qqoaib.default\extensions\redirectcleaner@example.net

Hosts file not found
O2:64bit: - BHO: (CKeyScramblerBHO Object) - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\x64\KeyScramblerIE.dll (QFX Software Corporation)
O2 - BHO: (CKeyScramblerBHO Object) - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1088018028-2647874452-1959646544-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1088018028-2647874452-1959646544-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O7 - HKU\S-1-5-21-1088018028-2647874452-1959646544-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKU\S-1-5-21-1088018028-2647874452-1959646544-1000_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9:64bit: - Extra 'Tools' menuitem : &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\x64\KeyScramblerIE.dll (QFX Software Corporation)
O9 - Extra 'Tools' menuitem : &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} http://cdn.scan.onecare.live.com/resource/...s/wlscctrl2.cab (Windows Live OneCare safety scanner control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.93.41.127 24.93.41.128
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/11/05 08:27:33 | 00,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{3afb7fc0-c4db-11de-b68b-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{3afb7fc0-c4db-11de-b68b-806e6f6e6963}\Shell\AutoRun\command - "" = D:\autoRcd.exe -- File not found
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\autoRcd.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\SysWow64\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
64bit: O35 - comfile [open] -- "%1" %* File not found
64bit: O35 - exefile [open] -- "%1" %* File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/18 05:32:18 | 00,529,408 | ---- | C] (OldTimer Tools) -- C:\Users\OTL.exe
[2009/11/14 20:43:29 | 00,000,000 | ---D | C] -- C:\Program Files\KeyScrambler
[2009/11/13 23:50:06 | 00,000,000 | ---D | C] -- C:\Users\Irene\AppData\Roaming\Mozilla
[2009/11/13 23:50:06 | 00,000,000 | ---D | C] -- C:\Users\Irene\AppData\Local\Mozilla
[2009/11/13 23:49:59 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/11/12 11:58:37 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2009/11/11 23:04:24 | 00,000,000 | ---D | C] -- C:\Windows\pss
[2009/11/11 16:06:35 | 00,018,816 | ---- | C] (Sophos Plc) -- C:\Windows\SysWow64\SAVRKBootTasks.sys
[2009/11/05 13:07:22 | 00,200,720 | ---- | C] (Kaspersky Lab) -- C:\Windows\SysWow64\drivers\16057847.sys
[2009/11/05 13:02:52 | 00,200,720 | ---- | C] (Kaspersky Lab) -- C:\Windows\SysWow64\drivers\90977631.sys
[2009/11/05 11:02:18 | 00,000,000 | ---D | C] -- C:\Users\Irene\AppData\Roaming\SUPERAntiSpyware.com
[2009/11/05 10:55:49 | 00,050,688 | ---- | C] (Atribune.org) -- C:\Users\AC.exe
[2009/11/05 09:21:43 | 00,000,000 | ---D | C] -- C:\Users\Irene\AppData\Roaming\Malwarebytes
[2009/11/05 09:21:40 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2009/11/05 09:21:39 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/11/05 09:21:39 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/11/05 09:21:39 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/11/05 09:14:48 | 04,045,528 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\ztoy.exe
[2009/11/05 08:27:33 | 00,000,000 | RHSD | C] -- C:\autorun.inf
[2009/11/04 11:18:58 | 00,000,000 | -H-D | C] -- C:\Program Files (x86)\InstallShield Installation Information
[2009/11/04 11:18:58 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Realtek
[2009/11/04 11:14:04 | 00,053,248 | ---- | C] (Windows XP Bundled build C-Centric Single User) -- C:\Windows\SysWow64\CSVer.dll
[2009/11/04 11:14:04 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Intel
[2009/11/04 11:13:51 | 00,000,000 | ---D | C] -- C:\Intel
[2009/11/04 11:13:49 | 00,000,000 | ---D | C] -- C:\dell
[2009/10/29 16:34:16 | 00,000,000 | ---D | C] -- C:\Windows\Panther
[2009/10/29 16:34:02 | 00,000,000 | -HSD | C] -- C:\Boot
[2009/10/29 16:33:48 | 00,000,000 | ---D | C] -- C:\Windows\SysNative\OEM
[2009/10/29 15:55:20 | 00,000,000 | ---D | C] -- C:\Windows\Debug
[2009/10/29 15:38:03 | 00,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2009/10/29 15:34:50 | 00,000,000 | ---D | C] -- C:\Windows\Prefetch
[2009/10/29 15:34:38 | 00,000,000 | -HSD | C] -- C:\System Volume Information
[2009/10/29 14:01:16 | 00,000,000 | ---D | C] -- C:\Windows\SysWow64\vmm32
[2009/10/29 14:01:16 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Dell
[2009/10/29 14:00:45 | 00,000,000 | -HSD | C] -- C:\Windows\Installer
[2009/10/29 13:57:03 | 00,000,000 | R--D | C] -- C:\Users\Irene\Searches
[2009/10/29 13:56:54 | 00,000,000 | ---D | C] -- C:\Users\Irene\AppData\Roaming\Identities
[2009/10/29 13:56:51 | 00,000,000 | R--D | C] -- C:\Users\Irene\Contacts
[2009/10/29 13:56:49 | 00,000,000 | ---D | C] -- C:\Users\Irene\AppData\Local\VirtualStore
[2009/10/29 13:56:41 | 00,000,000 | --SD | C] -- C:\Users\Irene\AppData\Roaming\Microsoft
[2009/10/29 13:56:41 | 00,000,000 | R--D | C] -- C:\Users\Irene\Videos
[2009/10/29 13:56:41 | 00,000,000 | R--D | C] -- C:\Users\Irene\Saved Games
[2009/10/29 13:56:41 | 00,000,000 | R--D | C] -- C:\Users\Irene\Pictures
[2009/10/29 13:56:41 | 00,000,000 | R--D | C] -- C:\Users\Irene\Music
[2009/10/29 13:56:41 | 00,000,000 | R--D | C] -- C:\Users\Irene\Links
[2009/10/29 13:56:41 | 00,000,000 | R--D | C] -- C:\Users\Irene\Favorites
[2009/10/29 13:56:41 | 00,000,000 | R--D | C] -- C:\Users\Irene\Downloads
[2009/10/29 13:56:41 | 00,000,000 | R--D | C] -- C:\Users\Irene\Documents
[2009/10/29 13:56:41 | 00,000,000 | R--D | C] -- C:\Users\Irene\Desktop
[2009/10/29 13:56:41 | 00,000,000 | -HSD | C] -- C:\Users\Irene\Templates
[2009/10/29 13:56:41 | 00,000,000 | -HSD | C] -- C:\Users\Irene\Start Menu
[2009/10/29 13:56:41 | 00,000,000 | -HSD | C] -- C:\Users\Irene\SendTo
[2009/10/29 13:56:41 | 00,000,000 | -HSD | C] -- C:\Users\Irene\Recent
[2009/10/29 13:56:41 | 00,000,000 | -HSD | C] -- C:\Users\Irene\PrintHood
[2009/10/29 13:56:41 | 00,000,000 | -HSD | C] -- C:\Users\Irene\NetHood
[2009/10/29 13:56:41 | 00,000,000 | -HSD | C] -- C:\Users\Irene\Documents\My Videos
[2009/10/29 13:56:41 | 00,000,000 | -HSD | C] -- C:\Users\Irene\Documents\My Pictures
[2009/10/29 13:56:41 | 00,000,000 | -HSD | C] -- C:\Users\Irene\Documents\My Music
[2009/10/29 13:56:41 | 00,000,000 | -HSD | C] -- C:\Users\Irene\My Documents
[2009/10/29 13:56:41 | 00,000,000 | -HSD | C] -- C:\Users\Irene\Local Settings
[2009/10/29 13:56:41 | 00,000,000 | -HSD | C] -- C:\Users\Irene\Documents\Cookies
[2009/10/29 13:56:41 | 00,000,000 | -HSD | C] -- C:\Users\Irene\Application Data
[2009/10/29 13:56:41 | 00,000,000 | -HSD | C] -- C:\Users\Irene\AppData\Local\Temporary Internet Files
[2009/10/29 13:56:41 | 00,000,000 | -HSD | C] -- C:\Users\Irene\AppData\Local\History
[2009/10/29 13:56:41 | 00,000,000 | -HSD | C] -- C:\Users\Irene\AppData\Local\Application Data
[2009/10/29 13:56:41 | 00,000,000 | -H-D | C] -- C:\Users\Irene\AppData
[2009/10/29 13:56:41 | 00,000,000 | ---D | C] -- C:\Users\Irene
[2009/10/29 13:56:41 | 00,000,000 | ---D | C] -- C:\Users\Irene\AppData\Roaming\Media Center Programs
[2009/10/29 13:56:41 | 00,000,000 | ---D | C] -- C:\Users\Irene\AppData\Local\Temp
[2009/10/29 13:56:41 | 00,000,000 | ---D | C] -- C:\Users\Irene\AppData\Local\Microsoft
[14 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/11/18 05:36:08 | 00,786,432 | -HS- | M] () -- C:\Users\Irene\NTUSER.DAT
[2009/11/18 05:34:03 | 00,000,732 | ---- | M] () -- C:\Users\Irene\AppData\Local\d3d9caps64.dat
[2009/11/18 05:33:45 | 00,003,712 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/11/18 05:33:45 | 00,003,712 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/11/18 05:33:42 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/11/18 05:33:38 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/11/18 05:32:19 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Users\OTL.exe
[2009/11/18 05:22:40 | 00,646,100 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2009/11/18 05:22:40 | 00,559,402 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2009/11/18 05:22:40 | 00,092,986 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2009/11/13 23:50:01 | 00,001,680 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2009/11/12 23:53:33 | 00,524,288 | -HS- | M] () -- C:\Users\Irene\NTUSER.DAT{e40a854f-cc97-11de-9a28-00256452db94}.TMContainer00000000000000000001.regtrans-ms
[2009/11/12 23:53:33 | 00,065,536 | -HS- | M] () -- C:\Users\Irene\NTUSER.DAT{e40a854f-cc97-11de-9a28-00256452db94}.TM.blf
[2009/11/10 05:47:54 | 00,523,776 | ---- | M] () -- C:\Users\dds.scr
[2009/11/08 12:03:54 | 00,524,288 | -HS- | M] () -- C:\Users\Irene\NTUSER.DAT{e40a854f-cc97-11de-9a28-00256452db94}.TMContainer00000000000000000002.regtrans-ms
[2009/11/06 17:45:44 | 00,524,288 | -HS- | M] () -- C:\Users\Irene\NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TMContainer00000000000000000001.regtrans-ms
[2009/11/06 17:45:44 | 00,065,536 | -HS- | M] () -- C:\Users\Irene\NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TM.blf
[2009/11/05 10:55:50 | 00,050,688 | ---- | M] (Atribune.org) -- C:\Users\AC.exe
[2009/11/05 09:25:10 | 00,229,664 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2009/11/05 09:14:48 | 04,045,528 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\ztoy.exe
[2009/11/05 08:25:49 | 00,132,597 | ---- | M] () -- C:\Users\flash.exe
[2009/10/29 16:34:03 | 00,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2009/10/29 15:39:02 | 00,047,092 | ---- | M] () -- C:\Windows\SysNative\license.rtf
[2009/10/29 13:57:11 | 00,048,600 | ---- | M] () -- C:\Users\Irene\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/10/29 13:56:41 | 00,524,288 | -HS- | M] () -- C:\Users\Irene\NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TMContainer00000000000000000002.regtrans-ms
[2009/10/29 13:56:41 | 00,000,020 | -HS- | M] () -- C:\Users\Irene\ntuser.ini
[14 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/14 20:43:29 | 00,129,384 | ---- | C] () -- C:\Windows\SysNative\drivers\keyscrambler.sys
[2009/11/13 23:50:01 | 00,001,680 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2009/11/10 05:47:50 | 00,523,776 | ---- | C] () -- C:\Users\dds.scr
[2009/11/08 12:03:54 | 00,524,288 | -HS- | C] () -- C:\Users\Irene\NTUSER.DAT{e40a854f-cc97-11de-9a28-00256452db94}.TMContainer00000000000000000002.regtrans-ms
[2009/11/08 12:03:54 | 00,524,288 | -HS- | C] () -- C:\Users\Irene\NTUSER.DAT{e40a854f-cc97-11de-9a28-00256452db94}.TMContainer00000000000000000001.regtrans-ms
[2009/11/08 12:03:54 | 00,065,536 | -HS- | C] () -- C:\Users\Irene\NTUSER.DAT{e40a854f-cc97-11de-9a28-00256452db94}.TM.blf
[2009/11/05 09:21:39 | 00,022,104 | ---- | C] () -- C:\Windows\SysNative\drivers\mbam.sys
[2009/11/05 08:25:48 | 00,132,597 | ---- | C] () -- C:\Users\flash.exe
[2009/11/04 11:18:58 | 00,197,120 | ---- | C] () -- C:\Windows\SysNative\drivers\Rtlh64.sys
[2009/11/04 11:18:58 | 00,067,584 | ---- | C] () -- C:\Windows\SysNative\RtNicProp64.dll
[2009/10/29 16:34:03 | 00,008,192 | R-S- | C] () -- C:\BOOTSECT.BAK
[2009/10/29 16:34:02 | 00,333,203 | RHS- | C] () -- C:\bootmgr
[2009/10/29 16:33:48 | 00,000,024 | RH-- | C] () -- C:\Windows\dell_version
[2009/10/29 13:57:11 | 00,048,600 | ---- | C] () -- C:\Users\Irene\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/10/29 13:56:45 | 00,000,732 | ---- | C] () -- C:\Users\Irene\AppData\Local\d3d9caps64.dat
[2009/10/29 13:56:41 | 00,786,432 | -HS- | C] () -- C:\Users\Irene\NTUSER.DAT
[2009/10/29 13:56:41 | 00,524,288 | -HS- | C] () -- C:\Users\Irene\NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TMContainer00000000000000000002.regtrans-ms
[2009/10/29 13:56:41 | 00,524,288 | -HS- | C] () -- C:\Users\Irene\NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TMContainer00000000000000000001.regtrans-ms
[2009/10/29 13:56:41 | 00,065,536 | -HS- | C] () -- C:\Users\Irene\NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TM.blf
[2009/10/29 13:56:41 | 00,000,020 | -HS- | C] () -- C:\Users\Irene\ntuser.ini
[2008/01/20 19:50:05 | 00,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2008/01/20 19:49:49 | 00,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2006/11/02 08:25:49 | 00,000,174 | -HS- | C] () -- C:\Program Files (x86)\desktop.ini
[2006/11/02 05:34:27 | 00,000,219 | ---- | C] () -- C:\Windows\system.ini
[2006/11/02 05:34:27 | 00,000,144 | ---- | C] () -- C:\Windows\win.ini
< End of report >


OTL Extras logfile created on: 11/18/2009 5:36:33 AM - Run 1
OTL by OldTimer - Version 3.1.6.0 Folder = C:\Users
64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.96 Gb Total Physical Memory | 2.30 Gb Available Physical Memory | 77.50% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 149.01 Gb Total Space | 125.44 Gb Free Space | 84.18% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: IANDM
Current User Name: Irene
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SystemRoot%\hh.exe" %1
.cpl[@ = cplfile] -- C:\Windows\SysNative\control.exe ()
.hlp[@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html[@ = htmlfile] -- C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation)
.ini[@ = inifile] -- C:\Windows\SysNative\NOTEPAD.EXE ()
.js[@ = JSFile] -- C:\Windows\SysNative\WScript.exe ()
.jse[@ = JSEFile] -- C:\Windows\SysNative\WScript.exe ()
.txt[@ = txtfile] -- C:\Windows\SysNative\NOTEPAD.EXE ()
.vbe[@ = VBEFile] -- C:\Windows\SysNative\WScript.exe ()
.vbs[@ = VBSFile] -- C:\Windows\SysNative\WScript.exe ()
.wsf[@ = WSFFile] -- C:\Windows\SysNative\WScript.exe ()
.wsh[@ = WSHFile] -- C:\Windows\SysNative\WScript.exe ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SystemRoot%\hh.exe" %1
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation)
.reg [@ = regfile] -- C:\Windows\SysWow64\regedit.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1088018028-2647874452-1959646544-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 ()
batfile [open] -- "%1" %* File not found
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 ()
chm.file [open] -- "%SystemRoot%\hh.exe" %1 File not found
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 ()
cmdfile [open] -- "%1" %* File not found
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 ()
comfile [open] -- "%1" %* File not found
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* ()
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" File not found
http [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" ()
inffile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 ()
inifile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 ()
inifile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 ()
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 ()
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* ()
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 ()
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 ()
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* ()
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 ()
piffile [open] -- "%1" %* File not found
regfile [edit] -- %SystemRoot%\system32\notepad.exe "%1" ()
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\notepad.exe /p "%1" ()
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l ()
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 ()
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 ()
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" ()
vbefile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 ()
vbefile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* ()
vbefile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 ()
vbsfile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 ()
vbsfile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* ()
vbsfile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 ()
wsffile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 ()
wsffile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* ()
wsffile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 ()
wshfile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* ()
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SystemRoot%\hh.exe" %1 File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" File not found
http [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = 9F 9E 16 8C DC 5B C8 01 [binary data]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"TCP Query User{8040B3D4-28DE-436B-BEA2-5F09CDFD2469}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{3A8DC899-B579-4E9C-BAE9-BCF1E308B7A8}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8136 8168 8169 Ethernet Driver
"KeyScrambler" = KeyScrambler
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/15/2009 8:26:42 PM | Computer Name = IANDM | Source = EventSystem | ID = 4609
Description =

Error - 11/15/2009 8:27:32 PM | Computer Name = IANDM | Source = WinMgmt | ID = 10
Description =

Error - 11/16/2009 9:43:15 AM | Computer Name = IANDM | Source = WinMgmt | ID = 10
Description =

Error - 11/16/2009 9:44:11 AM | Computer Name = IANDM | Source = EventSystem | ID = 4609
Description =

Error - 11/17/2009 1:38:49 AM | Computer Name = IANDM | Source = WinMgmt | ID = 10
Description =

Error - 11/17/2009 9:37:50 AM | Computer Name = IANDM | Source = WinMgmt | ID = 10
Description =

Error - 11/17/2009 9:38:02 AM | Computer Name = IANDM | Source = EventSystem | ID = 4609
Description =

Error - 11/18/2009 8:18:53 AM | Computer Name = IANDM | Source = EventSystem | ID = 4609
Description =

Error - 11/18/2009 8:19:44 AM | Computer Name = IANDM | Source = WinMgmt | ID = 10
Description =

Error - 11/18/2009 8:35:26 AM | Computer Name = IANDM | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 11/18/2009 8:18:18 AM | Computer Name = IANDM | Source = EventLog | ID = 6008
Description = The previous system shutdown at 6:31:16 PM on 11/17/2009 was unexpected.

Error - 11/18/2009 8:18:46 AM | Computer Name = IANDM | Source = DCOM | ID = 10005
Description =

Error - 11/18/2009 8:18:53 AM | Computer Name = IANDM | Source = DCOM | ID = 10005
Description =

Error - 11/18/2009 8:18:54 AM | Computer Name = IANDM | Source = DCOM | ID = 10005
Description =

Error - 11/18/2009 8:18:55 AM | Computer Name = IANDM | Source = DCOM | ID = 10005
Description =

Error - 11/18/2009 8:19:44 AM | Computer Name = IANDM | Source = Service Control Manager | ID = 7001
Description =

Error - 11/18/2009 8:19:44 AM | Computer Name = IANDM | Source = Service Control Manager | ID = 7026
Description =

Error - 11/18/2009 8:33:39 AM | Computer Name = IANDM | Source = EventLog | ID = 6008
Description = The previous system shutdown at 5:33:00 AM on 11/18/2009 was unexpected.

Error - 11/18/2009 8:33:42 AM | Computer Name = IANDM | Source = HTTP | ID = 15016
Description =

Error - 11/18/2009 8:35:26 AM | Computer Name = IANDM | Source = Service Control Manager | ID = 7026
Description =


< End of report >

#4 myrti

myrti (Sillyberry)

  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 18 November 2009 - 10:06 AM

Hi,

The log looks clean. What makes you think that you are still infected? Very little will survive a format and reinstall. In addition, the boot sector is well protected in Vista and even better on 64-bit editions.

If you changed the size of your partitions, the boot sector will also have been overwritten and hence should not contain a virus/rootkit. If you used DBAN to format the entire hard disk and not only a partition, the same applies.

Could you tell me which problems you are still having?

Regards, myrti

is that a bird? a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!


#5 myrti

myrti (Sillyberry)

  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 24 November 2009 - 04:10 PM

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

