Re-directing Problems with Internet Browsers


  • This topic is locked
21 replies to this topic

#1 Mbakerman

Mbakerman

  • Members
  • 22 posts
  • OFFLINE
  • Local time:01:41 AM

Posted 15 December 2009 - 03:30 PM

Hi, I need help with a spyware (possibly a rootkit) problem. I'm getting re-directs in all of my browsers. I've tried reinstalling Java to no avail, and I've used the following programs to try and fix this with some-but-little luck:

AVG
Avast
Malwarebytes
VIPRE
Uniblue Registry Booster

I used Windows Security Center Scan from Microsoft's website. I got a Trojan Zebo, Trojan Renos, and something called CVE (or something like it). It solved some of it but not all.

NOTE: I have not tried ComboFix. Also, my computer is somehow incapable of booting into Safe Mode. If I try to, it stops at "Mup.sys" and goes to an empty blue screen with no text.

I did a HijackThis log and did the DDS report (Attached)
I tried numerous times to do the RootRepeal report, but it simply does not finish its scan. The farthest I've ever seen it go was until "system32"... and that was after leaving my computer on for 9 (nine) hours. I did the RootRepeal scan with no browsers open, no internet connection, and no windows open, so I seriously don't know what to do -- it just will not finish a scan. Tried re-installing, tried numerous times... no luck, so I'm sorry I cannot provide that information.

I appreciate any and all help, and will provide more information on request.
Thanks Much!



#2 Mbakerman

Mbakerman
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:01:41 AM

Posted 26 December 2009 - 12:21 PM

UPDATE:

I have been looking on other forums to try and solve this problem, and I found one:
http://www.techspot.com/vb/all/windows/t-1...arty-sites.html


This method for getting rid of rootkit activity involves:
ComboFix
OTL
RootRepeal
GMER
The Avenger

So far I have scanned my computer with all of the above, and have saved logs from ComboFix, OTL, and GMER. These are all attached. (RootRepeal continues to not work)
Rootkit activity was detected when I ran ComboFix, as well as numerous items from scanning with GMER.

I understand how to use the Avenger now, so if someone could please review my logs and give me a script to input into Avenger to delete the Rootkits, I would be extremely thankful. If it turns out that you need more information or I need to try another method, PLEASE! let me know, and I will reply ASAP.

P.S.: Also, as another request, I think my problem with SafeMode not working might have to do with me deleting an item in HijackThis! that I shouldn't have. Attached is a screenshot of the BackUps List from HJT.

Thank You in advance!


#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:41 AM

Posted 27 December 2009 - 05:17 PM

Hi,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.


We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following text:
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    CREATERESTOREPOINT

  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Then please post back here with the following logs:
  • OTL.txt
  • Extra.txt
Thanks

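The OTL.txt that these steps produce lists processes, services, drivers, Run keys and recently changed files in the line shapes seen in the log posted in the next reply. As an added example, not part of this thread and not OTL's own tooling, the Python below parses those line shapes out of a saved OTL.txt and flags two things a log reviewer checks by hand: entries whose publisher field OTL printed as an empty "()" and files with a doubled executable extension. The sample input is a handful of lines excerpted from the log in this thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Lines excerpted from the OTL.txt posted later in this thread; they are the
# sample input for this example and cover each line shape the parser handles.
SAMPLE_LOG = r"""
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\HPQ\Shared\HpqToaster.exe ()
SRV - (NVSvc) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
DRV - (nvata) -- C:\WINDOWS\system32\DRIVERS\nvata.sys ()
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
[2009/12/26 12:16:51 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/12/11 09:03:54 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/12/23 23:59:09 | 00,293,376 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Desktop\text.exe.exe
"""


@dataclass
class Entry:
    section: str            # process, service, autorun or file
    name: str               # service/driver/Run-key name, else the file name
    path: str
    company: Optional[str]  # "" when OTL printed an empty "()" publisher,
                            # None when OTL printed no publisher (directories)


# One regex per OTL line shape.  The publisher is the trailing "(...)" group;
# "[^()]*" keeps it from swallowing parentheses inside paths or driver names.
LINE_PATTERNS = [
    ("process", re.compile(r"^(?:PRC|MOD) - (?P<path>.+?) \((?P<company>[^()]*)\)$")),
    ("service", re.compile(r"^(?:SRV|DRV) - \((?P<name>[^)]+)\).*? -- (?P<path>.+?) \((?P<company>[^()]*)\)$")),
    ("autorun", re.compile(r"^O4 - [^:]+: \[(?P<name>[^\]]+)\] (?P<path>.+?) \((?P<company>[^()]*)\)$")),
    ("file", re.compile(r"^\[[^|]+\| [^|]+\| (?P<attrs>[^|]+)\| [CM]\] (?:\((?P<company>[^()]*)\) )?-- (?P<path>.+)$")),
]


def parse_otl(text: str) -> list[Entry]:
    """Parse the line shapes above; lines of any other shape are skipped."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        for section, pattern in LINE_PATTERNS:
            m = pattern.match(line)
            if m is None:
                continue
            g = m.groupdict()
            # Run keys, services and drivers carry a name; files and processes
            # are identified by the file name at the end of the path.
            name = g.get("name") or g["path"].rsplit("\\", 1)[-1]
            company = g.get("company")
            if section == "file" and "D" in g["attrs"]:
                company = None  # directory row: no publisher applies
            entries.append(Entry(section, name, g["path"], company))
            break
    return entries


# Two executable-looking extensions in a row, e.g. "text.exe.exe".
DOUBLE_EXT = re.compile(r"\.(?:exe|scr|com|bat|pif)\.(?:exe|scr|com|bat|pif)$")


def triage(entries: list[Entry]) -> list[tuple[str, Entry]]:
    """Heuristic flags for a human reviewer.  An empty publisher is also common
    for legitimate OEM utilities, so this is a reading order, not a verdict."""
    findings: list[tuple[str, Entry]] = []
    for e in entries:
        if e.company == "":
            findings.append(("empty publisher", e))
        leaf = e.path.rsplit("\\", 1)[-1].lower()
        if DOUBLE_EXT.search(leaf):
            findings.append(("double extension", e))
    return findings


if __name__ == "__main__":
    for reason, e in triage(parse_otl(SAMPLE_LOG)):
        print(f"{reason:16} {e.section:8} {e.path}")
```

Point `parse_otl` at the full text of a saved OTL.txt to get the same flags over the whole log; entries with a named publisher are still worth reading, the flags only say where to start.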


#4 Mbakerman

Mbakerman
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:01:41 AM

Posted 28 December 2009 - 06:34 PM

Here is the OTL report. I didn't get an Extras.txt file when the scan was complete, but I did get one from a previous scan (about a week ago) when I tried it with "LOP Check and Purity Check" checked. I added it just in case. If you need an updated one, please let me know and I can retry.

Thanks!
-Mike


OTL REPORT:

OTL logfile created on: 12/28/2009 6:12:49 PM - Run 3
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Documents and Settings\Mike Bakerman\My Documents\Downloads
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 42.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 61.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 64.08 Gb Total Space | 12.96 Gb Free Space | 20.22% Space Free | Partition Type: NTFS
Drive D: | 9.42 Gb Total Space | 1.38 Gb Free Space | 14.63% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MIKE
Current User Name: Mike Bakerman
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 60 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Mike Bakerman\My Documents\Downloads\OTL(2).exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\AVG\AVG9\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\AVG\AVG9\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\iTunes\iTunes.exe (Apple Inc.)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\AIM\aim.exe (AOL LLC)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe (Seagate Technology LLC)
PRC - C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe (Seagate LLC)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe (Hewlett-Packard)
PRC - C:\WINDOWS\system32\WTablet\TabUserW.exe (Wacom Technology, Corp.)
PRC - C:\WINDOWS\system32\Tablet.exe (Wacom Technology, Corp.)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\Program Files\Hp\QuickPlay\QPService.exe (CyberLink Corp.)
PRC - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe ( Hewlett-Packard Development Company, L.P.)
PRC - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe (Hewlett-Packard Development Company, L.P.)
PRC - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
PRC - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
PRC - C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe (Hewlett-Packard Development Company, L.P.)
PRC - C:\Program Files\HPQ\Shared\HpqToaster.exe ()
PRC - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Mike Bakerman\My Documents\Downloads\OTL(2).exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (avg9wd) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (iPod Service) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (FreeAgentGoNext Service) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe (Seagate Technology LLC)
SRV - (Bonjour Service) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (TabletService) -- C:\WINDOWS\system32\Tablet.exe (Wacom Technology, Corp.)
SRV - (NVSvc) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (hpqwmiex) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe (Hewlett-Packard Development Company, L.P.)
SRV - (LightScribeService) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (aspnet_state) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (Microsoft Corporation)
SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (AvgTdiX) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgLdx86) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (USBAAPL) -- C:\WINDOWS\system32\drivers\usbaapl.sys (Apple, Inc.)
DRV - (Haspnt) -- C:\WINDOWS\system32\drivers\Haspnt.sys (Aladdin Knowledge Systems)
DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (wacommousefilter) -- C:\WINDOWS\system32\drivers\wacommousefilter.sys (Wacom Technology)
DRV - (wacomvhid) -- C:\WINDOWS\system32\drivers\wacomvhid.sys (Wacom Technology)
DRV - (HdAudAddService) -- C:\WINDOWS\system32\drivers\CHDAud.sys (Conexant Systems Inc.)
DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (nvsmu) -- C:\WINDOWS\system32\drivers\nvsmu.sys (NVIDIA Corporation)
DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (mdmxsdk) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys (Conexant)
DRV - (nvata) -- C:\WINDOWS\system32\DRIVERS\nvata.sys ()
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (rimsptsk) -- C:\WINDOWS\system32\drivers\rimsptsk.sys (REDC)
DRV - (rimmptsk) -- C:\WINDOWS\system32\drivers\rimmptsk.sys (REDC)
DRV - (iaStor) -- C:\WINDOWS\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (eabusb) -- C:\WINDOWS\system32\drivers\EabUsb.sys (Hewlett-Packard Development Company, L.P.)
DRV - (HBtnKey) -- C:\WINDOWS\system32\drivers\CPQBttn.sys (Hewlett-Packard Development Company, L.P.)
DRV - (eabfiltr) -- C:\WINDOWS\system32\drivers\eabfiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (Hardlock) -- C:\WINDOWS\system32\drivers\hardlock.sys (Aladdin Knowledge Systems Ltd.)
DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\Hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys ()
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (Sentinel) -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS (Rainbow Technologies, Inc.)
DRV - (Sntnlusb) -- C:\WINDOWS\system32\drivers\SNTNLUSB.SYS (Rainbow Technologies Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3943594164-4101098211-268735474-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
IE - HKU\S-1-5-21-3943594164-4101098211-268735474-1006\S-1-5-21-3943594164-4101098211-268735474-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/16 19:52:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/16 19:52:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.0.4.0\Extensions\\Components: C:\Program Files\Netscape\Netscape Browser\Components
FF - HKLM\software\mozilla\Netscape Browser 8.0.4.0\Extensions\\Plugins: C:\Program Files\Netscape\Netscape Browser\Plugins

[2009/11/30 23:46:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike Bakerman\Application Data\Mozilla\Extensions
[2009/11/30 23:46:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike Bakerman\Application Data\Mozilla\Firefox\Profiles\qvm6dv9h.default\extensions
[2009/12/28 12:29:09 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-3943594164-4101098211-268735474-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-3943594164-4101098211-268735474-1006\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\CHDAudPropShortcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [MaxMenuMgr] C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (Seagate LLC)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [QlbCtrl] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe ( Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [QPService] C:\Program Files\HP\QuickPlay\QPService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RecGuard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe (Brother Industries, Ltd.)
O4 - Startup: C:\Documents and Settings\Mike Bakerman\Start Menu\Programs\StartUp\Seagate 2GE2C5EN Product Registration.lnk = C:\Documents and Settings\Mike Bakerman\Application Data\Leadertech\PowerRegister\Seagate 2GE2C5EN Product Registration.exe (Leader Technologies/Seagate)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3943594164-4101098211-268735474-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3943594164-4101098211-268735474-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3943594164-4101098211-268735474-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3943594164-4101098211-268735474-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-3943594164-4101098211-268735474-1006_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB (Hewlett-Packard Online Support Services)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab (Windows Live Safety Center Base Module)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/07/27 22:07:38 | 00,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (52920800314916864)

========== Files/Folders - Created Within 60 Days ==========

[2009/12/26 12:16:51 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/12/25 23:18:20 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/12/25 23:18:20 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/12/25 23:18:20 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/12/25 23:18:20 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/12/22 23:01:53 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/12/22 10:43:21 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/12/22 10:39:49 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/12/20 21:55:07 | 00,000,000 | ---D | C] -- C:\Program Files\Seagate
[2009/12/20 21:55:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Seagate
[2009/12/20 21:54:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike Bakerman\Local Settings\Application Data\Downloaded Installations
[2009/12/20 21:54:39 | 00,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2009/12/20 21:54:28 | 00,000,000 | -HSD | C] -- C:\WINDOWS\ftpcache
[2009/12/14 16:47:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike Bakerman\Application Data\Uniblue
[2009/12/14 16:46:59 | 00,000,000 | ---D | C] -- C:\Program Files\Uniblue
[2009/12/11 09:03:55 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/12/11 09:03:55 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/12/11 09:03:54 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/12/11 09:03:54 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/12/09 08:57:58 | 16,672,544 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Mike Bakerman\Desktop\jre-6u17-windows-i586.exe
[2009/12/09 01:34:25 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2009/12/07 21:45:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike Bakerman\Desktop\FOGGGGGG
[2009/12/04 10:43:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike Bakerman\Desktop\Drawings_For_Chelsea
[2009/12/01 19:32:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sunbelt
[2009/11/30 23:46:04 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/11/28 16:48:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike Bakerman\Desktop\GOBLIN_GARBAGE
[2009/11/23 21:17:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike Bakerman\Desktop\FIEA PORTFOLIO
[2009/11/07 17:18:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike Bakerman\Local Settings\Application Data\nnlwbo
[2009/11/06 10:59:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/11/06 00:26:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike Bakerman\Local Settings\Application Data\AIM
[2009/11/06 00:26:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AIM
[2009/11/06 00:26:44 | 00,000,000 | ---D | C] -- C:\Program Files\AIM
[2009/11/06 00:26:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike Bakerman\Local Settings\Application Data\AOL
[2009/11/06 00:26:35 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\AOL
[2009/11/03 22:02:46 | 00,000,000 | ---D | C] -- C:\$AVG
[2009/11/03 22:02:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/11/03 22:01:43 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2009/07/11 00:01:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/06/30 01:10:11 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/06/30 01:10:11 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/06/30 01:10:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/06/09 17:56:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\WTablet
[2007/11/13 13:41:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Talkback
[2007/11/13 13:36:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
[2007/11/13 13:36:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
[2007/10/05 13:04:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/09/25 00:50:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Viewpoint
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 60 Days ==========

[2009/12/28 08:39:01 | 47,132,232 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/12/28 08:38:15 | 00,128,154 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/12/27 20:35:11 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/12/27 17:44:35 | 00,001,391 | ---- | M] () -- C:\hpqp.ini
[2009/12/27 17:44:31 | 00,050,868 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/12/27 17:44:31 | 00,000,039 | ---- | M] () -- C:\XP_TV.ini
[2009/12/27 17:44:21 | 00,000,000 | ---- | M] () -- C:\WINDOWS\TempFile
[2009/12/27 17:44:12 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/27 17:44:06 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/27 17:44:02 | 15,420,41600 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/27 17:42:06 | 04,718,592 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\NTUSER.DAT
[2009/12/27 17:42:06 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Mike Bakerman\ntuser.ini
[2009/12/26 12:16:33 | 00,293,218 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Desktop\BackUpPic.jpg
[2009/12/25 23:38:13 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/25 23:37:44 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/24 11:45:49 | 00,679,727 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Sqrlz4nana copy.jpg
[2009/12/24 11:45:38 | 03,625,037 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Sqrlz4nana.psd
[2009/12/23 23:59:09 | 00,293,376 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Desktop\text.exe.exe
[2009/12/23 00:16:08 | 32,743,553 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Low_Poly_Head_Modeling_Tut.mp4
[2009/12/22 23:31:29 | 00,219,244 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Dorkins_SIDE.psd
[2009/12/22 23:03:21 | 00,068,024 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/12/22 22:30:00 | 00,270,984 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/22 10:43:37 | 00,000,293 | RHS- | M] () -- C:\boot.ini
[2009/12/21 00:43:22 | 00,001,321 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Start Menu\Programs\StartUp\Seagate 2GE2C5EN Product Registration.lnk
[2009/12/20 21:55:17 | 00,001,863 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Seagate Manager.lnk
[2009/12/19 15:14:26 | 00,187,933 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Dorkins_FRONT.psd
[2009/12/16 13:21:47 | 00,000,461 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/16 13:21:47 | 00,000,223 | ---- | M] () -- C:\Boot.bak
[2009/12/14 17:11:41 | 00,439,376 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/14 17:11:41 | 00,380,042 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/14 17:11:41 | 00,052,648 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/14 16:47:00 | 00,000,774 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RegistryBooster 2010.lnk
[2009/12/14 15:27:10 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/11 09:03:37 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/12/11 09:03:37 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/12/11 09:03:37 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/12/11 09:03:37 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/12/11 09:03:37 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/12/09 22:54:07 | 00,261,632 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/12/09 08:59:29 | 16,672,544 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Mike Bakerman\Desktop\jre-6u17-windows-i586.exe
[2009/12/09 08:48:19 | 00,002,622 | ---- | M] () -- C:\WINDOWS\System32\config.nt
[2009/12/03 21:50:24 | 58,120,993 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Ground_Plane_Texture.psd
[2009/12/01 23:46:21 | 04,558,864 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Swirl_1.psd
[2009/12/01 22:59:09 | 13,131,601 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Desktop\11 Plamaterial.m4a
[2009/12/01 22:57:43 | 11,819,157 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Desktop\10 Twelve Magatons Gravity.m4a
[2009/12/01 22:54:00 | 11,663,354 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Desktop\05 Dynamic.m4a
[2009/12/01 19:54:49 | 00,000,115 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Application Data\netstat.bat
[2009/11/30 23:46:09 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/11/28 23:45:15 | 03,969,408 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Evil_Queen_3DCharacter.psd
[2009/11/27 00:31:19 | 02,566,123 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Monster_3DCharacter.psd
[2009/11/27 00:08:10 | 01,494,739 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Desktop\huh.psd
[2009/11/24 21:40:05 | 00,055,180 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/11/20 18:10:40 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/11/19 08:40:56 | 01,444,350 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Desktop\ReeRee.psd
[2009/11/16 23:31:23 | 00,566,384 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Grass1.psd
[2009/11/09 17:42:19 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/11/06 10:58:25 | 00,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/11/06 00:27:02 | 00,001,877 | -H-- | M] () -- C:\IPH.PH
[2009/11/06 00:26:57 | 00,001,576 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AIM.lnk
[2009/11/03 22:02:35 | 00,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2009/11/03 22:02:34 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/11/03 22:02:34 | 00,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2009/11/03 22:02:34 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/11/03 22:02:34 | 00,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/11/03 11:03:06 | 02,834,573 | ---- | M] () -- C:\Documents and Settings\Mike Bakerman\Desktop\stone2_color.jpg
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/26 12:16:21 | 00,293,218 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Desktop\BackUpPic.jpg
[2009/12/25 23:18:20 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/12/25 23:18:20 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/12/25 23:18:20 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/12/24 11:45:46 | 00,679,727 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Sqrlz4nana copy.jpg
[2009/12/23 23:59:08 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Desktop\text.exe.exe
[2009/12/23 00:09:02 | 32,743,553 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Low_Poly_Head_Modeling_Tut.mp4
[2009/12/22 10:43:35 | 00,000,223 | ---- | C] () -- C:\Boot.bak
[2009/12/22 10:43:27 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/12/22 10:40:53 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/12/22 10:40:53 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/12/21 14:36:13 | 03,625,037 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Sqrlz4nana.psd
[2009/12/20 21:55:17 | 00,001,863 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Seagate Manager.lnk
[2009/12/20 21:54:15 | 00,001,321 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Start Menu\Programs\StartUp\Seagate 2GE2C5EN Product Registration.lnk
[2009/12/19 00:41:39 | 00,219,244 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Dorkins_SIDE.psd
[2009/12/18 14:14:42 | 00,187,933 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Dorkins_FRONT.psd
[2009/12/14 16:47:00 | 00,000,774 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RegistryBooster 2010.lnk
[2009/12/07 21:31:27 | 58,120,993 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Ground_Plane_Texture.psd
[2009/12/03 23:32:38 | 13,131,601 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Desktop\11 Plamaterial.m4a
[2009/12/03 23:10:47 | 11,819,157 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Desktop\10 Twelve Magatons Gravity.m4a
[2009/12/03 23:09:13 | 11,663,354 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Desktop\05 Dynamic.m4a
[2009/12/01 19:51:11 | 00,000,115 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Application Data\netstat.bat
[2009/12/01 00:07:54 | 04,558,864 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Swirl_1.psd
[2009/11/30 23:46:09 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/11/28 23:45:13 | 03,969,408 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Evil_Queen_3DCharacter.psd
[2009/11/27 00:29:25 | 02,566,123 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Monster_3DCharacter.psd
[2009/11/27 00:08:09 | 01,494,739 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Desktop\huh.psd
[2009/11/24 21:40:05 | 00,055,180 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/11/18 20:16:38 | 02,834,573 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Desktop\stone2_color.jpg
[2009/11/16 23:31:21 | 00,566,384 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Desktop\Grass1.psd
[2009/11/06 11:00:56 | 00,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/11/06 10:58:25 | 00,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/11/06 00:26:57 | 00,001,576 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AIM.lnk
[2009/11/03 22:02:35 | 00,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2009/07/16 16:05:10 | 00,007,680 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/08 11:25:34 | 00,000,050 | ---- | C] () -- C:\WINDOWS\BRQIKMON.INI
[2009/06/30 13:34:38 | 00,000,383 | ---- | C] () -- C:\WINDOWS\System32\haspdos.sys
[2009/06/30 00:08:42 | 00,000,136 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Local Settings\Application Data\fusioncache.dat
[2009/06/30 00:08:42 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Local Settings\Application Data\DSwitch.txt
[2009/06/30 00:08:42 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Local Settings\Application Data\AtStart.txt
[2009/06/30 00:08:40 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Mike Bakerman\Local Settings\Application Data\QSwitch.txt
[2008/06/28 10:51:23 | 00,000,033 | ---- | C] () -- C:\WINDOWS\GunzLauncher.INI
[2008/02/18 00:07:38 | 00,000,027 | ---- | C] () -- C:\WINDOWS\SmartAudio.INI
[2008/02/02 18:18:22 | 00,000,590 | ---- | C] () -- C:\WINDOWS\Tuareg2.ini
[2008/01/14 17:47:06 | 00,099,712 | ---- | C] () -- C:\WINDOWS\HPBroker.dll
[2008/01/10 00:50:57 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2008/01/08 10:23:13 | 00,000,462 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2008/01/08 10:23:13 | 00,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2007/09/13 01:10:08 | 00,000,321 | ---- | C] () -- C:\WINDOWS\game.ini
[2007/08/15 22:10:19 | 00,000,162 | -H-- | C] () -- C:\Program Files\Common Files\client.lcs
[2007/03/12 19:49:44 | 00,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2007/01/10 17:11:39 | 00,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2007/01/10 09:44:26 | 01,457,024 | R--- | C] () -- C:\WINDOWS\System32\SSCProt.dll
[2007/01/07 17:16:49 | 00,001,718 | ---- | C] () -- C:\WINDOWS\ACT_CFG.INI
[2007/01/07 17:16:42 | 00,001,083 | ---- | C] () -- C:\WINDOWS\Cpqdiag.ini
[2006/08/23 15:48:35 | 00,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
[2006/08/23 15:39:07 | 00,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2006/07/26 12:15:18 | 00,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/07/07 23:14:04 | 00,000,031 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/07/07 23:11:10 | 00,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006/07/07 22:41:24 | 00,028,836 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/07/07 22:28:13 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/07 20:07:24 | 00,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2006/07/07 20:07:15 | 00,099,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvata.sys
[2006/07/07 20:07:09 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/07/07 20:07:09 | 01,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/07/07 20:07:09 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/07/07 20:07:09 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/07/07 20:07:08 | 00,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/03/27 12:00:36 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/03/27 11:24:48 | 00,000,368 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/03/27 11:20:24 | 00,000,056 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/03/27 11:17:12 | 00,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2005/12/02 13:09:10 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/04 16:00:00 | 00,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\agp440.sys
[2004/08/04 10:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2004/08/04 10:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ERDNT\cache\AGP440.SYS
[2004/08/04 10:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[2004/08/04 09:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 09:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2004/08/04 09:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/04 09:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 09:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll
[2004/08/04 16:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2004/08/04 16:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004/08/04 16:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2005/10/13 04:07:12 | 00,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\SwSetup\HDD\iastor.sys
[2005/10/13 04:07:12 | 00,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netlogon.dll
[2004/08/04 16:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2004/08/04 16:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2004/08/04 16:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NVATA.SYS >
[2006/01/27 10:04:16 | 00,099,584 | ---- | M] (NVIDIA Corporation) MD5=3AC5EEDD35B7437D53960F3998BFA462 -- C:\SwSetup\chipset\IDE\Win2K\sata_ide\nvata.sys
[2006/01/27 10:04:16 | 00,099,584 | ---- | M] (NVIDIA Corporation) MD5=3AC5EEDD35B7437D53960F3998BFA462 -- C:\SwSetup\chipset\IDE\WinXP\sata_ide\nvata.sys
[2006/01/27 10:04:16 | 00,099,584 | ---- | M] (NVIDIA Corporation) MD5=3AC5EEDD35B7437D53960F3998BFA462 -- C:\SwSetup\chipset\nvata.sys
[2006/01/27 10:04:16 | 00,099,584 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\nvata.sys

< MD5 for: NVATABUS.SYS >
[2006/01/27 10:04:16 | 00,099,584 | ---- | M] (NVIDIA Corporation) MD5=3AC5EEDD35B7437D53960F3998BFA462 -- C:\SwSetup\chipset\IDE\Win2K\sataraid\nvatabus.sys
[2006/01/27 10:04:16 | 00,099,584 | ---- | M] (NVIDIA Corporation) MD5=3AC5EEDD35B7437D53960F3998BFA462 -- C:\SwSetup\chipset\IDE\WinXP\sataraid\nvatabus.sys
[2006/01/27 10:04:16 | 00,099,584 | ---- | M] (NVIDIA Corporation) MD5=3AC5EEDD35B7437D53960F3998BFA462 -- C:\SwSetup\chipset\nvatabus.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 16:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2004/08/04 16:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2004/08/04 16:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\scecli.dll
< End of report >

EXTRAS REPORT FROM FIRST POST:

OTL Extras logfile created on: 12/22/2009 10:52:24 PM - Run 1
OTL by OldTimer - Version 3.1.19.0 Folder = C:\Documents and Settings\Mike Bakerman\My Documents\Downloads
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 69.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 64.08 Gb Total Space | 13.17 Gb Free Space | 20.55% Space Free | Partition Type: NTFS
Drive D: | 9.42 Gb Total Space | 1.38 Gb Free Space | 14.63% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MIKE
Current User Name: Mike Bakerman
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 60 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe"

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Autodesk\Maya8.5\bin\maya.exe" = C:\Program Files\Autodesk\Maya8.5\bin\maya.exe:*:Enabled:Maya -- (Autodesk)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- (AOL LLC)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic Data Module
"{09D8492A-C8E2-421E-927D-46800FB327A3}" = Wireless Home Network Setup
"{1CB34CE9-0E6B-493F-BB66-3425E5DF76E5}" = CP_CalendarTemplates1
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD Plus
"{23B35809-5E4A-4F14-8332-1CDEDDFAC089}" = CP_Package_Variety2
"{24BEBF2E-73F3-4599-840B-EDC612CCDD0D}" = Destinations
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{28C74612-2C48-4421-BF67-3949CD90748E}" = Autodesk DirectConnect 2.0
"{2A548002-9042-4083-A270-B67473DE1073}" = SkinsHP1
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.00 G2
"{34F3FCF1-817B-4D61-B6AF-19D9486AFEA0}" = Unload
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36D620AD-EEBA-4973-BA86-0C9AE6396620}" = OptionalContentQFolder
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{3FE0CFAB-584A-4AA5-B8CD-C32284CFA308}" = RandMap
"{4041C245-7099-4C96-9738-5EBC23827B3C}" = BufferChm
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant 2.00 E1
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP QuickPlay 2.1
"{47D2103B-FD51-4017-9C20-DD408B17D726}" = Office 2003 Trial Assistant
"{494D17B5-3369-4905-8C4B-80C972C5E0FF}" = CP_Panorama1Config
"{4DA4012B-39AF-48c2-B23B-A4D570D233A6}" = cp_LightScribeConfig
"{522D1D79-9C0A-4361-91F8-2AFF8EC6C2E1}" = CP_Package_Variety1
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{54F0998F-73C8-4b51-8286-FE903C231BED}" = cp_PosterPrintConfig
"{6084D038-3401-4C9D-A216-86E6EEA25AFB}" = ZBrush3
"{63A3856B-5C0E-4BC1-B508-629AE74B6BBA}" = HP User Guides 0027
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{6693E024-E2D3-477C-8EF9-4D484F3B3071}" = Seagate Manager Installer
"{6815FCDD-401D-481E-BA88-31B4754C2B46}" = Macromedia Flash Player 8
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}" = Power Tab Editor 1.7
"{766633B3-1AFA-44B6-A3FC-1DE991CD9C52}" = CP_Package_Basic1
"{79F8E1D4-36C1-439C-95FA-F695050B5B07}" = Sonic_PrimoSDK
"{80AE27BA-B0ED-4288-A8B9-D8194BCF4115}" = cp_UpdateProjectsConfig
"{81525B87-9344-4834-883C-C6A9D78EA1DF}" = Maya 8.5 Documentation (en_US)
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{869C3062-4745-4949-B6C9-98AF24D89030}" = PhotoGallery
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{9D4ABB0C-F60B-44A6-956C-A4A63D5495C9}" = CueTour
"{A1E0E88A-F5E9-4414-A0D7-31940E965EC5}" = Maya 8.5
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic Audio Module
"{AC76BA86-7AD7-1033-7B44-A00000000001}" = Adobe Reader 6.0.1
"{AEF7A12C-CD9B-4773-8AD1-6916138CA7EA}" = SmartAudio
"{B11E71BA-498C-42D4-9F1A-9D7A89D9DA61}" = CP_AtenaShokunin1Config
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic Copy Module
"{B57F2FF0-5A25-4332-B503-4592B370C02F}" = CP_Package_Variety3
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{BBD3BF67-5B89-4CBB-BA58-5818ED5F3290}" = cp_OnlineProjectsConfig
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{D755C7A3-C03E-4460-8C00-AC6E55505FB5}" = LightScribe 1.4.74.1
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{E63E34A7-E552-412B-9E40-FD6FC5227ABA}_is1" = Uniblue RegistryBooster 2010
"{FC8D25A7-FF1B-41BB-BB3B-9A06C0A60AE0}" = InstantShareDevices
"{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update
"9E140F48C9836B9B78539C08FB2B17146BDB3F65" = Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (04/28/2006 1.3.1.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM_7" = AIM 7
"AVG9Uninstall" = AVG Free 9.0
"CDisplay_is1" = CDisplay 1.8
"CNXT_HDAUDIO" = Conexant HD Audio
"CNXT_MODEM_HDAUDIO_wis30B5m" = HDAUDIO Soft Data Fax Modem with SmartCP
"EuphRO" = EuphRO
"HijackThis" = HijackThis 1.99.1
"HP Imaging Device Functions" = HP Imaging Device Functions 6.0
"HP Photo & Imaging" = HP Photosmart Premier Software 6.0
"InstallShield_{6693E024-E2D3-477C-8EF9-4D484F3B3071}" = Seagate Manager Installer
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.5.6)" = Mozilla Firefox (3.5.6)
"NVIDIA Drivers" = NVIDIA Drivers
"Rainbow Sentinel Driver" = Sentinel System Driver
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Tablet Driver" = Tablet
"VLC media player" = VLC media player 1.0.0
"WGA" = Windows Genuine Advantage Validation Tool
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"WinRAR archiver" = WinRAR archiver

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

#5 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 29 December 2009 - 10:40 AM

Your logs show signs of a rootkit so you should be aware of the following information.

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#6 Mbakerman

Mbakerman
  • Topic Starter

  • Members
  • 22 posts
  • Local time:01:41 AM

Posted 30 December 2009 - 01:34 AM

Hi Syler,
Here is my combofix log.
(I can't attach it, since the bleepingcomputer forum is mistaking me for attaching files that I've already attached in the past, so it says I have too much attachment space used already)
I'll just paste it here:

ComboFix 09-12-29.04 - Mike Bakerman 12/30/2009 0:56.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1471.1037 [GMT -5:00]
Running from: f:\programs_and_tutorials\Antivirus_Programs\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.

2009-12-22 14:25 . 2009-12-12 02:57 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-22 14:25 . 2009-12-18 17:57 294656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglngx.dll
2009-12-22 14:25 . 2009-12-12 02:57 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-21 02:55 . 2009-12-21 02:55 -------- d-----w- c:\program files\Seagate
2009-12-21 02:55 . 2009-12-21 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2009-12-21 02:54 . 2009-12-21 02:54 -------- d-----w- c:\documents and settings\Mike Bakerman\Local Settings\Application Data\Downloaded Installations
2009-12-21 02:54 . 2009-12-21 02:54 -------- d-----w- c:\program files\MSXML 6.0
2009-12-21 02:54 . 2009-12-21 02:54 -------- d-sh--w- c:\windows\ftpcache
2009-12-21 02:54 . 2009-02-16 11:40 1731736 ----a-w- c:\documents and settings\Mike Bakerman\Application Data\Leadertech\PowerRegister\Seagate 2GE2C5EN Product Registration.exe
2009-12-18 17:58 . 2009-12-12 02:57 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-14 21:47 . 2009-12-14 21:47 -------- d-----w- c:\documents and settings\Mike Bakerman\Application Data\Uniblue
2009-12-14 21:46 . 2009-12-14 21:46 -------- d-----w- c:\program files\Uniblue
2009-12-09 06:34 . 2009-12-09 06:40 -------- d-----w- c:\program files\Windows Live Safety Center
2009-12-07 04:42 . 2009-12-09 13:51 -------- d-s---w- c:\documents and settings\LocalService\Temporary Internet Files
2009-12-07 04:42 . 2009-12-07 04:43 -------- d-s---w- c:\documents and settings\LocalService\History
2009-12-02 00:51 . 2009-12-02 00:54 115 ----a-w- c:\documents and settings\Mike Bakerman\Application Data\netstat.bat
2009-12-02 00:32 . 2009-12-02 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-30 06:11 . 2009-07-07 00:37 -------- d-----w- c:\documents and settings\Mike Bakerman\Application Data\WTablet
2009-12-24 20:30 . 2007-09-21 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-12-23 04:03 . 2009-06-30 05:08 68024 ----a-w- c:\documents and settings\Mike Bakerman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 02:55 . 2006-07-08 01:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-17 19:06 . 2009-11-04 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-17 05:55 . 2009-07-04 19:04 -------- d-----w- c:\documents and settings\Mike Bakerman\Application Data\uTorrent
2009-12-12 02:56 . 2009-11-13 03:10 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-11 14:03 . 2009-06-30 09:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-09 16:42 . 2006-07-08 01:05 -------- d-----w- c:\program files\Java
2009-11-29 06:57 . 2009-07-27 09:35 -------- d-----w- c:\documents and settings\Mike Bakerman\Application Data\vlc
2009-11-25 02:40 . 2009-11-25 02:40 55180 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-20 23:10 . 2009-10-21 20:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-09 22:42 . 2009-06-30 06:11 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-07 00:15 . 2009-06-30 09:17 -------- d-----w- c:\documents and settings\Mike Bakerman\Application Data\Apple Computer
2009-11-06 16:00 . 2009-11-06 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-06 16:00 . 2006-07-26 03:36 -------- d-----w- c:\program files\iTunes
2009-11-06 16:00 . 2006-11-11 23:37 -------- d-----w- c:\program files\iPod
2009-11-06 15:58 . 2006-11-11 23:36 -------- d-----w- c:\program files\QuickTime
2009-11-06 15:57 . 2007-07-05 16:36 -------- d-----w- c:\program files\Common Files\Apple
2009-11-06 15:50 . 2009-11-06 15:50 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-05 19:11 . 2009-11-06 05:17 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\unregister.bat
2009-10-05 19:10 . 2009-11-06 05:26 95792 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4469\AOLFirewallMgr.dll
2009-10-05 19:10 . 2009-11-06 05:26 83752 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4469\ProgUpd.dll
2009-10-05 19:10 . 2009-11-06 05:26 36704 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4469\postproc.exe
2009-10-05 19:10 . 2009-11-06 05:26 172840 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4469\setup.exe
2009-10-05 19:10 . 2009-11-06 05:26 1025384 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4469\gui.dll
2009-10-05 19:10 . 2009-11-06 05:17 83752 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\ProgUpd.dll
2009-10-05 19:10 . 2009-11-06 05:17 36704 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\postproc.exe
2009-10-05 19:10 . 2009-11-06 05:17 172840 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\setup.exe
2009-10-05 19:10 . 2009-11-06 05:17 1025384 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\gui.dll
2009-10-05 19:10 . 2009-11-06 05:17 95792 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\AOLFirewallMgr.dll
2007-08-16 03:10 . 2007-08-16 03:10 162 -c-h--w- c:\program files\Common Files\client.lcs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-21 7561216]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-01-26 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-11 149280]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-01-16 181544]

c:\documents and settings\Mike Bakerman\Start Menu\Programs\Startup\
Seagate 2GE2C5EN Product Registration.lnk - c:\documents and settings\Mike Bakerman\Application Data\Leadertech\PowerRegister\Seagate 2GE2C5EN Product Registration.exe [2009-12-20 1731736]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-1-8 819200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-04 03:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2009-12-12 02:57 2033432 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-09-10 18:53 1312080 ----a-w- c:\program files\Antiv\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sopidkc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Autodesk\\Maya8.5\\bin\\maya.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/30/2009 1:11 AM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/30/2009 1:11 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/3/2009 10:02 PM 285392]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 4:31 PM 161064]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
IE: E&xport to Microsoft Excel
FF - ProfilePath - c:\documents and settings\Mike Bakerman\Application Data\Mozilla\Firefox\Profiles\qvm6dv9h.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 01:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???P?????????@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x899F250C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74ebfc3
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> atapi.sys @ 0xf72f87b4
IoDeviceObjectType -> SecurityProcedure -> ntkrnlpa.exe @ 0x80582be6
\Device\Harddisk0\DR0 -> SecurityProcedure -> ntkrnlpa.exe @ 0x80582be6
NDIS: Broadcom 802.11b/g WLAN -> SendCompleteHandler -> NDIS.sys @ 0xf71ecb30
PacketIndicateHandler -> NDIS.sys @ 0xf71dba0d
SendHandler -> NDIS.sys @ 0xf71efac0
user & kernel MBR OK

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\WTablet\TabUserW.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2009-12-30 01:21:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-30 06:21
ComboFix2.txt 2009-12-26 04:46

Pre-Run: 14,112,935,936 bytes free
Post-Run: 14,084,063,232 bytes free

- - End Of File - - 33CD7F36EC9564862C83B84F2155FE1E

#7 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:41 AM

Posted 31 December 2009 - 12:54 PM

  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.

CMD /K COPY /V C:\SwSetup\chipset\nvata.sys C:\nvata.sys

  • The command prompt should pop up and say 1 file(s) copied, if it doesn't please let me know before continuing.


Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to move:
C:\nvata.sys | C:\WINDOWS\system32\drivers\nvata.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sopidkc"=-

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then please post back here with the following logs:
  • avenger.txt
  • Combofix.txt
Thanks



#8 Mbakerman

Mbakerman
  • Topic Starter

  • Members
  • 22 posts
  • Local time:01:41 AM

Posted 31 December 2009 - 05:22 PM

Hi again Syler. I ran both, and saved the logs. I checked the cmd command for "nvata.sys" and it said "1 File Copied" so that's good.
However, it seems to me like Avenger didn't do its job with moving C:\nvata.sys, as you'll read below.

AVENGER LOGFILE:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\nvata.sys" not found!
File move operation "C:\nvata.sys|C:\WINDOWS\system32\drivers\nvata.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.





COMBOFIX LOG



ComboFix 09-12-29.04 - Mike Bakerman 12/31/2009 16:27:46.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1471.1035 [GMT -5:00]
Running from: c:\documents and settings\Mike Bakerman\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike Bakerman\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))
.

2009-12-31 21:08 . 2006-01-27 15:04 99584 ----a-w- c:\documents and settings\Mike Bakerman\nvata.sys
2009-12-22 14:25 . 2009-12-12 02:57 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-22 14:25 . 2009-12-18 17:57 294656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglngx.dll
2009-12-22 14:25 . 2009-12-12 02:57 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-21 02:55 . 2009-12-21 02:55 -------- d-----w- c:\program files\Seagate
2009-12-21 02:55 . 2009-12-21 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2009-12-21 02:54 . 2009-12-21 02:54 -------- d-----w- c:\documents and settings\Mike Bakerman\Local Settings\Application Data\Downloaded Installations
2009-12-21 02:54 . 2009-12-21 02:54 -------- d-----w- c:\program files\MSXML 6.0
2009-12-21 02:54 . 2009-12-21 02:54 -------- d-sh--w- c:\windows\ftpcache
2009-12-21 02:54 . 2009-02-16 11:40 1731736 ----a-w- c:\documents and settings\Mike Bakerman\Application Data\Leadertech\PowerRegister\Seagate 2GE2C5EN Product Registration.exe
2009-12-18 17:58 . 2009-12-12 02:57 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-14 21:47 . 2009-12-14 21:47 -------- d-----w- c:\documents and settings\Mike Bakerman\Application Data\Uniblue
2009-12-14 21:46 . 2009-12-14 21:46 -------- d-----w- c:\program files\Uniblue
2009-12-09 06:34 . 2009-12-09 06:40 -------- d-----w- c:\program files\Windows Live Safety Center
2009-12-07 04:42 . 2009-12-09 13:51 -------- d-s---w- c:\documents and settings\LocalService\Temporary Internet Files
2009-12-07 04:42 . 2009-12-07 04:43 -------- d-s---w- c:\documents and settings\LocalService\History
2009-12-02 00:51 . 2009-12-02 00:54 115 ----a-w- c:\documents and settings\Mike Bakerman\Application Data\netstat.bat
2009-12-02 00:32 . 2009-12-02 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 21:41 . 2009-07-07 00:37 -------- d-----w- c:\documents and settings\Mike Bakerman\Application Data\WTablet
2009-12-31 21:06 . 2009-11-04 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-24 20:30 . 2007-09-21 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-12-23 04:03 . 2009-06-30 05:08 68024 ----a-w- c:\documents and settings\Mike Bakerman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 02:55 . 2006-07-08 01:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-17 05:55 . 2009-07-04 19:04 -------- d-----w- c:\documents and settings\Mike Bakerman\Application Data\uTorrent
2009-12-12 02:56 . 2009-11-13 03:10 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-11 14:03 . 2009-06-30 09:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-09 16:42 . 2006-07-08 01:05 -------- d-----w- c:\program files\Java
2009-11-29 06:57 . 2009-07-27 09:35 -------- d-----w- c:\documents and settings\Mike Bakerman\Application Data\vlc
2009-11-25 02:40 . 2009-11-25 02:40 55180 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-20 23:10 . 2009-10-21 20:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-09 22:42 . 2009-06-30 06:11 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-07 00:15 . 2009-06-30 09:17 -------- d-----w- c:\documents and settings\Mike Bakerman\Application Data\Apple Computer
2009-11-06 16:00 . 2009-11-06 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-06 16:00 . 2006-07-26 03:36 -------- d-----w- c:\program files\iTunes
2009-11-06 16:00 . 2006-11-11 23:37 -------- d-----w- c:\program files\iPod
2009-11-06 15:58 . 2006-11-11 23:36 -------- d-----w- c:\program files\QuickTime
2009-11-06 15:57 . 2007-07-05 16:36 -------- d-----w- c:\program files\Common Files\Apple
2009-11-06 15:50 . 2009-11-06 15:50 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-05 19:11 . 2009-11-06 05:17 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\unregister.bat
2009-10-05 19:10 . 2009-11-06 05:26 95792 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4469\AOLFirewallMgr.dll
2009-10-05 19:10 . 2009-11-06 05:26 83752 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4469\ProgUpd.dll
2009-10-05 19:10 . 2009-11-06 05:26 36704 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4469\postproc.exe
2009-10-05 19:10 . 2009-11-06 05:26 172840 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4469\setup.exe
2009-10-05 19:10 . 2009-11-06 05:26 1025384 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4469\gui.dll
2009-10-05 19:10 . 2009-11-06 05:17 83752 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\ProgUpd.dll
2009-10-05 19:10 . 2009-11-06 05:17 36704 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\postproc.exe
2009-10-05 19:10 . 2009-11-06 05:17 172840 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\setup.exe
2009-10-05 19:10 . 2009-11-06 05:17 1025384 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\gui.dll
2009-10-05 19:10 . 2009-11-06 05:17 95792 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\AOLFirewallMgr.dll
2007-08-16 03:10 . 2007-08-16 03:10 162 -c-h--w- c:\program files\Common Files\client.lcs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-21 7561216]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-01-26 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-11 149280]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-01-16 181544]

c:\documents and settings\Mike Bakerman\Start Menu\Programs\Startup\
Seagate 2GE2C5EN Product Registration.lnk - c:\documents and settings\Mike Bakerman\Application Data\Leadertech\PowerRegister\Seagate 2GE2C5EN Product Registration.exe [2009-12-20 1731736]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-1-8 819200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-04 03:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2009-12-12 02:57 2033432 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-09-10 18:53 1312080 ----a-w- c:\program files\Antiv\mbam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Autodesk\\Maya8.5\\bin\\maya.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/30/2009 1:11 AM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/30/2009 1:11 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/3/2009 10:02 PM 285392]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 4:31 PM 161064]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
IE: E&xport to Microsoft Excel
FF - ProfilePath - c:\documents and settings\Mike Bakerman\Application Data\Mozilla\Firefox\Profiles\qvm6dv9h.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-31 16:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???P?????????@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x899EF50C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74ebfc3
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> atapi.sys @ 0xf72f87b4
IoDeviceObjectType -> SecurityProcedure -> ntkrnlpa.exe @ 0x80582be6
\Device\Harddisk0\DR0 -> SecurityProcedure -> ntkrnlpa.exe @ 0x80582be6
NDIS: Broadcom 802.11b/g WLAN -> SendCompleteHandler -> NDIS.sys @ 0xf71ecb30
PacketIndicateHandler -> NDIS.sys @ 0xf71dba0d
SendHandler -> NDIS.sys @ 0xf71efac0
user & kernel MBR OK

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\WTablet\TabUserW.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2009-12-31 16:51:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-31 21:51
ComboFix2.txt 2009-12-30 06:21
ComboFix3.txt 2009-12-26 04:46

Pre-Run: 14,067,589,120 bytes free
Post-Run: 14,037,995,520 bytes free

- - End Of File - - 5A90806DFB62DEECB1CDCDEF860834C8
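
The "Stealth MBR rootkit" block in the log above is the part a responder reads first: the disk I/O call chain ends in `>>UNKNOWN [0x899EF50C]<<`, meaning code that belongs to no loaded driver image is sitting in the path that reads sectors, while the "user & kernel MBR OK" line says the MBR sector itself reads identically both ways. The Python below is an added example, not ComboFix's or Gmer's code, that parses this block and separates that indicator from the hook lines that merely resolve into legitimate modules (CLASSPNP.SYS, ACPI.sys, atapi.sys, ntkrnlpa.exe, NDIS.sys). The sample input is the block copied from the log above; the `Warning:` and `copy of MBR has been found` phrases are ones mbr.exe prints on other infected machines and are assumed here, since they do not occur in this log.

```python
"""Parse the Gmer MBR-detector block that ComboFix embeds in its log and pull
out the indicators a responder acts on.  Added example, not ComboFix's or
Gmer's own code."""
import re
from dataclasses import dataclass, field

# Sample input: the "Stealth MBR rootkit" block from the log posted above,
# embedded here so the script runs offline.
SAMPLE_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x899EF50C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74ebfc3
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> atapi.sys @ 0xf72f87b4
IoDeviceObjectType -> SecurityProcedure -> ntkrnlpa.exe @ 0x80582be6
\Device\Harddisk0\DR0 -> SecurityProcedure -> ntkrnlpa.exe @ 0x80582be6
NDIS: Broadcom 802.11b/g WLAN -> SendCompleteHandler -> NDIS.sys @ 0xf71ecb30
PacketIndicateHandler -> NDIS.sys @ 0xf71dba0d
SendHandler -> NDIS.sys @ 0xf71efac0
user & kernel MBR OK
"""

CALLED_RE = re.compile(r"^called modules:\s*(?P<chain>.*)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(?P<target>.+?) -> (?P<module>\S+) @ (?P<addr>0x[0-9A-Fa-f]+)$")


@dataclass
class Hook:
    target: str  # hooked object or handler, e.g. \Driver\Disk
    module: str  # module the hook address resolves to; UNKNOWN = no driver image
    addr: int


@dataclass
class MbrReport:
    call_chain: list = field(default_factory=list)    # named modules in the disk I/O path
    unknown_code: list = field(default_factory=list)  # addresses backed by no loaded image
    hooks: list = field(default_factory=list)
    warnings: list = field(default_factory=list)      # the tool's own warning lines
    mbr_ok: bool = False                              # "user & kernel MBR OK" seen


def parse_mbr_log(text: str) -> MbrReport:
    report = MbrReport()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CALLED_RE.match(line)
        if m:
            chain = m.group("chain")
            report.unknown_code = [int(a, 16) for a in UNKNOWN_RE.findall(chain)]
            report.call_chain = UNKNOWN_RE.sub("", chain).split()
            continue
        if line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
            continue
        # Phrases mbr.exe prints on other infected systems (assumed; not in this log).
        if line.lower().startswith("warning:") or "copy of MBR has been found" in line:
            report.warnings.append(line)
            continue
        if line == "user & kernel MBR OK":
            report.mbr_ok = True
            in_hooks = False
            continue
        if in_hooks:
            h = HOOK_RE.match(line)
            if h:
                report.hooks.append(Hook(h["target"], h["module"], int(h["addr"], 16)))
    return report


def assess(report: MbrReport) -> list:
    """Turn the parsed report into findings, worst first."""
    findings = []
    for addr in report.unknown_code:
        findings.append(f"disk I/O call chain ends in code at {addr:#010x} that belongs to no "
                        "loaded driver image; that is the signature this detector looks for "
                        "(Mebroot/Sinowal hook the disk driver stack to hide their MBR)")
    for h in report.hooks:
        if h.module.upper() == "UNKNOWN":
            findings.append(f"{h.target} hooked by unknown code at {h.addr:#010x}")
    named = sorted({h.module for h in report.hooks if h.module.upper() != "UNKNOWN"})
    if named:
        findings.append("hooks resolving into named modules (" + ", ".join(named) +
                        "): these addresses sit inside legitimate drivers or the kernel; "
                        "the UNKNOWN entries are the lead")
    findings.extend(report.warnings)
    if report.mbr_ok and report.unknown_code:
        findings.append("MBR sector reads identically from user and kernel mode, so the unknown "
                        "code is loaded some other way (an infected or hidden driver); check "
                        "the drivers in the call chain")
    elif report.mbr_ok:
        findings.append("MBR consistent and no unknown code in the disk path")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_mbr_log(SAMPLE_LOG)):
        print("-", finding)
```

Run it on a saved mbr.log (the file post #15 below asks for is the same tool's output) by replacing SAMPLE_LOG with the file contents; a clean machine yields a single "MBR consistent" finding, and any UNKNOWN entry or Warning line is what should drive the next step.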

#9 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 01 January 2010 - 06:49 PM

Happy New Year :(

We will try doing this with the Recovery Console. Before you boot into the Recovery Console, please make sure there is a copy
of the file here: C:\nvata.sys. If not, please let me know before continuing.

Reboot your computer.

On the black screen with the startup menu select Microsoft Windows Recovery Console.

When the Recovery Console has started there is a menu where you're asked to select which Windows installation you want to log in to; usually there is only one:

1. C:\WINDOWS

select the number and press Enter

If it asks you to type the administrator password, do so, then press Enter.

It should then come up with C:\WINDOWS>

Now type in the following line, then press Enter.

COPY C:\nvata.sys C:\WINDOWS\system32\drivers\nvata.sys

It will then ask if you want to overwrite nvata.sys, press Y then Enter

If successful it should say "1 file(s) copied"

Then type EXIT and press Enter to reboot the machine.


#10 Mbakerman
  • Topic Starter

Posted 01 January 2010 - 10:31 PM

Hi Syler
Happy New Year to you too!

I'm trying out the Recovery Console, and I input the code you provided, and I get a "The system cannot find the file specified".

Here's what I entered:

COPY (space) C:\nvata.sys (space) C:\WINDOWS\system32\drivers\nvata.sys

When I do it for the Run command, to check if the file's there, I get a "1 file copied"
I also took a look in the file directory, and nvata.sys is definitely there.

I'm stumped :(

EDIT:

I just realized that maybe it's something from me possibly messing up with HiJackThis! a long time ago. Could you please take a look at my earlier post in this thread; there's an attachment called "BackUpPic" which is a screenshot image of my backups list from HJT. Could one of these (possibly a driver) not starting up with the computer be the problem?

Edited by Mbakerman, 01 January 2010 - 10:40 PM.


#11 syler

Posted 02 January 2010 - 03:29 PM

Well, you did type it right, so if the file is there then I'm not sure why it's not doing it; we will try doing it differently.

Please type the following line into the recovery console and let me know if it copies successfully.

COPY "C:\SwSetup\chipset\nvata.sys" "C:\WINDOWS\system32\drivers\nvata.sys"


#12 Mbakerman
  • Topic Starter

Posted 02 January 2010 - 05:38 PM

Just tried it, and I got "Access is Denied"

Also my computer tends to shut off within a couple of minutes in the recovery console. I'm not sure if this is normal.

Edited by Mbakerman, 02 January 2010 - 05:39 PM.


#13 syler

Posted 02 January 2010 - 06:09 PM

Type the following command in the recovery console first, then try the last command again.

SET allowallpaths = true


#14 Mbakerman
  • Topic Starter

Posted 02 January 2010 - 06:41 PM

It worked! It overwrote the file. I didn't get to use the EXIT command to reboot because the computer shut off shortly after...

Now do I go ahead and try the Avenger/Combo Logs for you?

Edited by Mbakerman, 02 January 2010 - 06:47 PM.


#15 syler

Posted 02 January 2010 - 07:43 PM

  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.

cmd /c mbr -t& start mbr.log

  • A file called mbr.log will pop up please post the contents in your reply.
