Infected with MBR Rootkit


This topic is locked
21 replies to this topic

#1 MikeMacD

  • Members
  • 12 posts

Posted 01 January 2010 - 05:45 PM

My son's Dell Dimension 3100c runs Windows XP sp2 and has been locking up sporadically, requiring a reboot. McAfee, Spybot and AdAware show nothing, but I have 'cleaned up' a trojan JSRedir.H using Malwarebytes, and Windows Live OneCare scanner reports two infections that it cannot fix but doesn't name them. His Java runtime was out of date and I have since updated it and removed old versions. RootRepeal reports an MBR Rootkit.

I have run a complete set of hardware diagnostics without any errors and have updated a number of drivers and removed some programs - mostly bloatware.

I would appreciate your help and advice.

DDS Log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Will MacDonagh at 15:42:22.50 on 01/01/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.1472 [GMT 0:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
svchost.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Will MacDonagh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.euro.dell.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_17.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\willma~1\applic~1\mozilla\firefox\profiles\uj6d6f61.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\program files\java\jre6\bin\npdeploytk.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_17.dll
FF - plugin: c:\program files\java\jre6\bin\npoji610.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-1-24 144704]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-27 64288]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-1-24 31816]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-12-31 38144]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-9-20 103744]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-1-24 54608]
R3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [2008-12-31 238848]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-9-20 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-9-20 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-9-20 171400]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2008-3-7 272128]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2008-3-2 13532]

=============== Created Last 30 ================

2009-12-28 16:17:21 0 d--h--w- c:\windows\PIF
2009-12-27 18:32:33 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-27 17:08:58 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-27 17:05:52 0 d-----w- c:\program files\Lavasoft
2009-12-26 17:35:44 0 d-----w- c:\docume~1\willma~1\applic~1\Malwarebytes
2009-12-26 17:03:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-26 17:02:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-26 17:02:58 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-26 16:02:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-22 17:27:52 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-22 14:37:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-22 14:23:59 0 d-sh--w- c:\documents and settings\will macdonagh\PrivacIE
2009-12-14 00:50:52 54156 ---ha-w- c:\windows\QTFont.qfn
2009-12-14 00:50:52 1409 ----a-w- c:\windows\QTFont.for
2009-12-08 19:04:52 0 d-----w- c:\program files\DVDVideoSoft
2009-12-08 19:04:52 0 d-----w- c:\program files\common files\DVDVideoSoft
2009-12-04 22:59:53 0 d-----w- c:\docume~1\willma~1\applic~1\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-12-04 22:59:47 0 d-----w- c:\program files\BBC iPlayer Desktop

==================== Find3M ====================

2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 06:00:55 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 14:58:48 263552 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:53:29 266752 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54:17 69632 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:54:17 112128 ------w- c:\windows\system32\dllcache\rastls.dll
2007-04-25 17:53:48 1550464 ----a-w- c:\program files\PaintDotNet_3_07_Beta_BetaNews.exe

============= FINISH: 15:42:52.01 ===============


#2 myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts

Posted 10 January 2010 - 12:46 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open; copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 MikeMacD

  • Topic Starter

  • Members
  • 12 posts

Posted 10 January 2010 - 10:37 PM

Hi Myrti,
Thanks for your response. The problem is still there but I'm currently on business in the US and won't be back home in the UK until Thursday 14th January. I will follow your instructions then and will post the results then.
Thanks again,
Mike.

#4 MikeMacD

  • Topic Starter

  • Members
  • 12 posts

Posted 14 January 2010 - 10:06 AM

Hi Myrti,
I'm back from the US and have followed your instructions.
Thanks for your help with this.
Mike.

Here are the logs:

OTL logfile created on: 14/01/2010 14:59:17 - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Will MacDonagh\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.95 Gb Total Space | 91.37 Gb Free Space | 62.60% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL3100C
Current User Name: Will MacDonagh
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/14 11:40:08 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Will MacDonagh\Desktop\OTL.exe
PRC - [2009/12/27 17:07:39 | 00,788,880 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/12/27 17:07:37 | 01,181,328 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/12/22 14:36:43 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/01/24 19:50:00 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2008/01/24 19:50:00 | 00,111,952 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2008/01/24 19:50:00 | 00,054,608 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2007/10/25 14:06:00 | 00,086,016 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\Mctray.exe
PRC - [2007/10/25 09:05:40 | 00,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2007/10/25 09:04:56 | 00,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2007/10/25 09:03:28 | 00,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2007/06/13 10:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/08/04 04:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe


========== Modules (SafeList) ==========

MOD - [2010/01/14 11:40:08 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Will MacDonagh\Desktop\OTL.exe
MOD - [2006/08/25 15:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/12/27 17:07:37 | 01,181,328 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/12/22 14:36:42 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Disabled | Stopped] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/01/24 19:50:00 | 00,144,704 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2008/01/24 19:50:00 | 00,054,608 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2007/10/25 09:03:28 | 00,103,744 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2007/01/04 01:40:21 | 00,136,120 | ---- | M] (Google) [Disabled | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/09/25 13:54:22 | 00,451,136 | ---- | M] (Apple Computer, Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2004/08/10 12:01:15 | 00,295,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\termsrv32.dll -- (TermService)
SRV - [2004/07/15 00:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state)


========== Driver Services (SafeList) ==========

DRV - [2009/12/02 13:19:06 | 00,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2008/11/21 21:47:48 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/01/24 19:50:00 | 00,171,400 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2008/01/24 19:50:00 | 00,072,936 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2008/01/24 19:50:00 | 00,064,232 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2008/01/24 19:50:00 | 00,052,104 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2008/01/24 19:50:00 | 00,033,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008/01/24 19:50:00 | 00,031,816 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)
DRV - [2007/12/26 10:47:30 | 00,272,128 | ---- | M] (NETGEAR Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wg111v2.sys -- (RTLWUSB)
DRV - [2007/11/16 10:55:00 | 00,165,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®
DRV - [2007/11/13 10:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/06/01 05:13:20 | 00,238,848 | R--- | M] (Belkin Corporation. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BLKWGU.sys -- (BELKIN)
DRV - [2007/02/01 07:36:00 | 00,306,560 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8185.sys -- (rtl8185)
DRV - [2006/12/09 20:26:02 | 00,021,035 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP) AEGIS Protocol (IEEE 802.1x)
DRV - [2006/11/15 16:23:06 | 00,038,144 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\EAPPkt.sys -- (EAPPkt)
DRV - [2006/07/14 14:03:02 | 00,014,448 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2006/02/10 17:19:12 | 01,107,224 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/10/14 20:15:18 | 01,302,812 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2004/08/12 16:45:54 | 00,137,728 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/04 04:00:00 | 00,088,448 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2004/08/04 04:00:00 | 00,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004/08/04 04:00:00 | 00,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2004/08/04 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/03 22:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/03 22:07:44 | 00,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/03 21:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/11/17 20:59:20 | 00,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 20:58:02 | 00,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 20:56:26 | 01,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2003/04/09 17:48:08 | 00,011,043 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2002/10/02 09:57:12 | 00,013,532 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SjyPkt.sys -- (SjyPkt)
DRV - [2001/08/17 13:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 13:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 13:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 13:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 13:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 12:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 12:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 12:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 12:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 12:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 12:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 12:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 12:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 12:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 12:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 12:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3084886750-1470295126-2286450744-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-3084886750-1470295126-2286450744-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3084886750-1470295126-2286450744-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com
IE - HKU\S-1-5-21-3084886750-1470295126-2286450744-1006\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-3084886750-1470295126-2286450744-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-3084886750-1470295126-2286450744-1006\S-1-5-21-3084886750-1470295126-2286450744-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.co.uk"
FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/10 15:33:44 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/10 15:33:44 | 00,000,000 | ---D | M]

[2008/09/02 11:04:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Will MacDonagh\Application Data\Mozilla\Extensions
[2010/01/13 21:56:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Will MacDonagh\Application Data\Mozilla\Firefox\Profiles\uj6d6f61.default\extensions
[2008/07/05 13:09:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Will MacDonagh\Application Data\Mozilla\Firefox\Profiles\uj6d6f61.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2010/01/13 21:56:22 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/12/02 08:11:44 | 00,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/12/02 08:11:44 | 00,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/12/02 08:11:44 | 00,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/12/02 08:11:44 | 00,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (371683 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 www.163ns.com
O1 - Hosts: 127.0.0.1 163ns.com
O1 - Hosts: 12813 more lines...
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\ScriptCl.dll (McAfee, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-3084886750-1470295126-2286450744-1006..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\HelpAssistant\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3084886750-1470295126-2286450744-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-19\..Trusted Domains: 33 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 33 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-3084886750-1470295126-2286450744-1006\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab (Windows Live Safety Center Base Module)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Will MacDonagh\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Will MacDonagh\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 12:04:08 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{f5bc1dfc-c420-11de-b78b-001cdf2ec755}\Shell\AutoRun\command - "" = E:\Menu.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/14 14:58:44 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Will MacDonagh\Desktop\OTL.exe
[2010/01/13 14:31:55 | 00,470,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2010/01/01 15:41:35 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Will MacDonagh\Desktop\RootRepeal.exe
[2009/12/28 17:19:54 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2009/12/28 16:17:21 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2009/12/27 17:08:58 | 00,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/12/27 17:08:58 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2009/12/27 17:05:52 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/12/26 17:35:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Will MacDonagh\Application Data\Malwarebytes
[2009/12/26 17:03:01 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/26 17:02:58 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/26 17:02:58 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/26 16:02:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/26 16:01:18 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Will MacDonagh\Desktop\HiJackThis.exe
[2009/12/22 17:27:52 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2009/12/22 14:37:20 | 00,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/12/22 14:37:19 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/12/22 14:37:19 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/12/22 14:37:19 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/12/22 14:23:59 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Will MacDonagh\PrivacIE
[2009/12/21 20:10:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Will MacDonagh\Application Data\Sonic
[2008/10/23 16:48:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/09/19 19:27:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2006/10/28 17:52:48 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/10/28 17:52:48 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/14 14:44:03 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/14 14:44:02 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/14 14:44:02 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/14 14:44:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/14 14:44:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/01/14 14:41:56 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/14 14:41:33 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/14 14:41:31 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/14 14:41:30 | 21,371,49440 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/14 14:38:43 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/14 11:40:08 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Will MacDonagh\Desktop\OTL.exe
[2010/01/14 01:19:23 | 07,864,320 | -H-- | M] () -- C:\Documents and Settings\Will MacDonagh\NTUSER.DAT
[2010/01/14 01:19:17 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Will MacDonagh\ntuser.ini
[2010/01/04 15:52:49 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/01/04 15:52:42 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\Will MacDonagh\Desktop\iTunes.lnk
[2010/01/04 15:31:28 | 00,000,402 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag.job
[2010/01/01 22:38:18 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Will MacDonagh\Desktop\settings.dat
[2010/01/01 15:41:38 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Will MacDonagh\Desktop\RootRepeal.exe
[2010/01/01 12:48:02 | 00,441,454 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/01 12:48:02 | 00,381,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/01 12:48:02 | 00,053,436 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/31 17:48:18 | 00,371,683 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/31 17:41:56 | 00,000,558 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/31 17:41:56 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/31 17:41:56 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[2009/12/29 15:35:20 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Will MacDonagh\Desktop\dds.scr
[2009/12/29 03:02:45 | 04,843,314 | -H-- | M] () -- C:\Documents and Settings\Will MacDonagh\Local Settings\Application Data\IconCache.db
[2009/12/26 20:25:00 | 00,371,107 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20091231-174818.backup
[2009/12/24 16:36:44 | 03,864,228 | ---- | M] () -- C:\Documents and Settings\Will MacDonagh\Desktop\ComboFix.exe
[2009/12/24 16:35:22 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Will MacDonagh\Desktop\HiJackThis.exe
[2009/12/22 14:36:40 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/12/22 14:36:39 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/12/22 14:36:39 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/12/22 14:36:39 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/12/22 14:36:38 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/01 22:38:18 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Will MacDonagh\Desktop\settings.dat
[2010/01/01 15:13:03 | 21,371,49440 | -HS- | C] () -- C:\hiberfil.sys
[2009/12/30 09:50:44 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Will MacDonagh\Desktop\dds.scr
[2009/12/27 18:32:33 | 00,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/12/27 17:09:41 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/12/27 17:09:41 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2009/12/27 17:09:41 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2009/12/27 17:09:41 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2009/12/27 17:09:41 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2009/12/26 16:01:20 | 03,864,228 | ---- | C] () -- C:\Documents and Settings\Will MacDonagh\Desktop\ComboFix.exe
[2009/10/29 00:25:11 | 00,000,032 | ---- | C] () -- C:\WINDOWS\Menu.INI
[2008/12/31 14:29:03 | 00,013,768 | ---- | C] () -- C:\WINDOWS\System32\drivers\string.ini
[2008/12/02 17:44:29 | 00,001,763 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2008/12/01 20:38:39 | 00,000,137 | ---- | C] () -- C:\Documents and Settings\Will MacDonagh\Local Settings\Application Data\fusioncache.dat
[2008/11/21 21:47:52 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/21 21:45:16 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/11/21 21:45:16 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/11/21 21:44:16 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/09/20 13:33:53 | 00,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2008/09/20 13:24:21 | 00,000,145 | ---- | C] () -- C:\WINDOWS\BRVIDEO.INI
[2008/09/20 13:24:21 | 00,000,040 | ---- | C] () -- C:\WINDOWS\BRDIAG.INI
[2008/09/20 13:24:21 | 00,000,023 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2008/09/20 13:24:13 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\BROSNMP.DLL
[2008/09/20 13:24:13 | 00,026,624 | ---- | C] () -- C:\WINDOWS\System32\BRGSRC32.DLL
[2008/09/20 13:24:13 | 00,008,975 | ---- | C] () -- C:\WINDOWS\HL-2030.INI
[2008/09/20 13:24:13 | 00,004,608 | ---- | C] () -- C:\WINDOWS\System32\BRGSRC16.DLL
[2008/09/20 13:22:52 | 00,000,410 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2008/03/07 21:11:26 | 00,966,765 | ---- | C] () -- C:\WINDOWS\System32\acAuth.dll
[2008/03/07 21:11:26 | 00,344,064 | ---- | C] () -- C:\WINDOWS\System32\SCMLib.dll
[2008/03/07 21:11:26 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\RtlGina2.dll
[2007/12/26 14:51:46 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2007/05/18 12:27:30 | 01,550,464 | ---- | C] () -- C:\Program Files\PaintDotNet_3_07_Beta_BetaNews.exe
[2007/04/05 13:44:46 | 00,000,025 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2007/03/25 16:17:10 | 00,014,848 | ---- | C] () -- C:\Documents and Settings\Will MacDonagh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/10/28 18:38:39 | 00,006,610 | ---- | C] () -- C:\Documents and Settings\Will MacDonagh\Application Data\wklnhst.dat
[2006/10/28 17:12:45 | 00,000,088 | ---- | C] () -- C:\WINDOWS\System32\00377CDA71.sys
[2006/10/28 17:12:13 | 00,004,184 | ---- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/10/28 15:52:10 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/09/22 13:27:28 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/09/22 13:23:49 | 00,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/09/22 12:57:04 | 00,000,402 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/10 07:56:34 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 12:12:05 | 00,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
< End of report >



OTL Extras logfile created on: 14/01/2010 14:59:17 - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Will MacDonagh\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.95 Gb Total Space | 91.37 Gb Free Space | 62.60% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL3100C
Current User Name: Will MacDonagh
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"9718:TCP" = 9718:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"3246:TCP" = 3246:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\AOL 9.0\waol.exe" = C:\Program Files\AOL 9.0\waol.exe:*:Enabled:AOL -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Computer, Inc.)
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Disabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Disabled:AOL -- File not found
"C:\Program Files\AOL 9.0\waol.exe" = C:\Program Files\AOL 9.0\waol.exe:*:Disabled:AOL -- File not found
"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Disabled:Microsoft Management Console -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Disabled:Microsoft Office OneNote -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP2600_series" = Canon iP2600 series
"{11D3D948-2789-2E3D-03D7-282B537D8C01}" = BBC iPlayer Desktop
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35C03C04-3F1F-42C2-A989-A757EE691F65}" = McAfee VirusScan Enterprise
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{4102037D-E8E0-48E0-B203-E521D194FB71}" = NETGEAR WG111v2 wireless USB 2.0 adapter
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{55BF0E5F-EA8E-4C13-A8B4-9E4857F5A2DE}" = QuickTime
"{5878FF02-3B8F-4309-B4E5-0D3DB6F2E8E6}" = iTunes
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}" = Dell Media Experience
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C41F4616-44B6-4E8D-BFC7-4267862A2CE1}" = CinepPlayer 30 Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{D593C72C-435B-4171-8106-9CA8AA34D716}" = Belkin Wireless G USB Adapter Software
"{D7D338C4-DF0E-403B-B8A1-895C2DD79D4B}" = Brother HL-2030
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1" = BBC iPlayer Desktop
"Canon iP2600 series User Registration" = Canon iP2600 series User Registration
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"Foxit Reader" = Foxit Reader
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.2
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PENTAX Digital Camera Utility" = PENTAX Digital Camera Utility
"Picasa2" = Picasa 2
"PROSet" = Intel® PRO Network Connections Drivers
"Smart Defrag_is1" = Smart Defrag 1.20
"SyncBack_is1" = SyncBack
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 28/12/2009 14:34:20 | Computer Name = DELL3100C | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\123d91.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 31/12/2009 13:12:00 | Computer Name = DELL3100C | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 01/01/2010 06:41:08 | Computer Name = DELL3100C | Source = MsiInstaller | ID = 1013
Description = Product: Intel® Network Connections -- The installed version of
Intel PROSet is not supported for upgrades. You must uninstall it before installing
this version.

Error - 01/01/2010 07:06:40 | Computer Name = DELL3100C | Source = Application Error | ID = 1000
Description = Faulting application msiexec.exe, version 3.1.4000.1823, faulting
module unknown, version 0.0.0.0, fault address 0x0018a310.

Error - 01/01/2010 07:09:57 | Computer Name = DELL3100C | Source = MsiInstaller | ID = 11101
Description = Product: Intel® Network Connections -- Error 1101.Error reading
from file: C:\DOCUME~1\WILLMA~1\LOCALS~1\Temp\pft4E.tmp\APPS\PROSETDX\Win32\1033.mst.
System error 2. Verify that the file exists and that you can access it.

Error - 01/01/2010 07:45:09 | Computer Name = DELL3100C | Source = MsiInstaller | ID = 11311
Description = Product: Intel® Network Connections -- Error 1311.Source file not
found(cabinet): C:\DOCUME~1\WILLMA~1\LOCALS~1\Temp\pft8.tmp\APPS\PROSETDX\Win32\setup.cab.
Verify that the file exists and that you can access it.

Error - 01/01/2010 07:45:11 | Computer Name = DELL3100C | Source = MsiInstaller | ID = 11311
Description = Product: Intel® Network Connections -- Error 1311.Source file not
found(cabinet): C:\DOCUME~1\WILLMA~1\LOCALS~1\Temp\pft8.tmp\APPS\PROSETDX\Win32\setup.cab.
Verify that the file exists and that you can access it.

Error - 01/01/2010 07:45:12 | Computer Name = DELL3100C | Source = MsiInstaller | ID = 11311
Description = Product: Intel® Network Connections -- Error 1311.Source file not
found(cabinet): C:\DOCUME~1\WILLMA~1\LOCALS~1\Temp\pft8.tmp\APPS\PROSETDX\Win32\setup.cab.
Verify that the file exists and that you can access it.

Error - 01/01/2010 07:45:13 | Computer Name = DELL3100C | Source = MsiInstaller | ID = 11311
Description = Product: Intel® Network Connections -- Error 1311.Source file not
found(cabinet): C:\DOCUME~1\WILLMA~1\LOCALS~1\Temp\pft8.tmp\APPS\PROSETDX\Win32\setup.cab.
Verify that the file exists and that you can access it.

Error - 12/01/2010 19:11:01 | Computer Name = DELL3100C | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

[ System Events ]
Error - 01/01/2010 06:43:14 | Computer Name = DELL3100C | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 01/01/2010 07:45:29 | Computer Name = DELL3100C | Source = Service Control Manager | ID = 7034
Description = The Windows Installer service terminated unexpectedly. It has done
this 1 time(s).

Error - 01/01/2010 10:58:21 | Computer Name = DELL3100C | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm

Error - 01/01/2010 10:59:11 | Computer Name = DELL3100C | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 01/01/2010 11:00:50 | Computer Name = DELL3100C | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 01/01/2010 11:06:21 | Computer Name = DELL3100C | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 04/01/2010 11:52:54 | Computer Name = DELL3100C | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service iPod Service
with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Error - 05/01/2010 08:26:15 | Computer Name = DELL3100C | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.6 for the Network Card with network
address 001CDF2EC755 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 11/01/2010 10:54:56 | Computer Name = DELL3100C | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.5 for the Network Card with network
address 001CDF2EC755 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 14/01/2010 10:33:08 | Computer Name = DELL3100C | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.6 for the Network Card with network
address 001CDF2EC755 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).


< End of report >

#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:19 AM

Posted 14 January 2010 - 10:24 AM

Hi,

please also provide logs from gmer and mbr:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -t >"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#6 MikeMacD

MikeMacD
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:19 AM

Posted 14 January 2010 - 04:46 PM

Hi,
I had some challenges running GMER but got it done. Here are the logs:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-14 21:35:47
Windows 5.1.2600 Service Pack 2
Running: 3v3zt0d9.exe; Driver: C:\DOCUME~1\WILLMA~1\LOCALS~1\Temp\uwlirpod.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA0F887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA0F8BFE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA866D851]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA866D87D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA866D827]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA866D867]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA866D8A9]

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwTerminateProcess 805D1680 5 Bytes JMP A866D8AD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80621FC8 7 Bytes JMP A866D86B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80622A32 7 Bytes JMP A866D855 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80622C02 7 Bytes JMP A866D881 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80623938 5 Bytes JMP A866D82B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[608] WS2_32.dll!send 71AB428A 5 Bytes JMP 01402781
.text C:\WINDOWS\Explorer.EXE[608] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 01402873
.text C:\WINDOWS\Explorer.EXE[608] WS2_32.dll!recv 71AB615A 5 Bytes JMP 014027B9
.text C:\WINDOWS\Explorer.EXE[608] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 014027F1
.text C:\WINDOWS\Explorer.EXE[608] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 014028F5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[680] WS2_32.dll!send 71AB428A 5 Bytes JMP 00BA2781
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[680] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00BA2873
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[680] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00BA27B9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[680] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00BA27F1
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[680] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00BA28F5
.text C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe[728] WS2_32.dll!send 71AB428A 5 Bytes JMP 01842781
.text C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe[728] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 01842873
.text C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe[728] WS2_32.dll!recv 71AB615A 5 Bytes JMP 018427B9
.text C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe[728] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 018427F1
.text C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe[728] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 018428F5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1132] WS2_32.dll!send 71AB428A 5 Bytes JMP 00A02781
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1132] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00A02873
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1132] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00A027B9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1132] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00A027F1
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1132] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00A028F5
.text C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe[1252] WS2_32.dll!send 71AB428A 5 Bytes JMP 017C2781
.text C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe[1252] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 017C2873
.text C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe[1252] WS2_32.dll!recv 71AB615A 5 Bytes JMP 017C27B9
.text C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe[1252] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 017C27F1
.text C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe[1252] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 017C28F5
.text C:\WINDOWS\System32\alg.exe[2156] WS2_32.dll!send 71AB428A 5 Bytes JMP 008B2781
.text C:\WINDOWS\System32\alg.exe[2156] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 008B2873
.text C:\WINDOWS\System32\alg.exe[2156] WS2_32.dll!recv 71AB615A 5 Bytes JMP 008B27B9
.text C:\WINDOWS\System32\alg.exe[2156] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 008B27F1
.text C:\WINDOWS\System32\alg.exe[2156] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 008B28F5
.text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[2524] WS2_32.dll!send 71AB428A 5 Bytes JMP 00C62781
.text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[2524] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00C62873
.text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[2524] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00C627B9
.text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[2524] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00C627F1
.text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[2524] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00C628F5
.text C:\Program Files\Java\jre6\bin\jusched.exe[2532] WS2_32.dll!send 71AB428A 5 Bytes JMP 00CA2781
.text C:\Program Files\Java\jre6\bin\jusched.exe[2532] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00CA2873
.text C:\Program Files\Java\jre6\bin\jusched.exe[2532] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00CA27B9
.text C:\Program Files\Java\jre6\bin\jusched.exe[2532] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00CA27F1
.text C:\Program Files\Java\jre6\bin\jusched.exe[2532] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00CA28F5

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 89B48DF8
Device \Driver\atapi \Device\Ide\IdePort0 89B48DF8
Device \Driver\atapi \Device\Ide\IdePort1 89B48DF8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 89B48DF8

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat A8175C8A

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----




Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89B48DF8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x89b48df8
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x012A050FC
malicious code @ sector 0x012A050FF !
PE file found in sector at 0x012A05115 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
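
The mbr.exe output above reports three artefacts that can also be checked offline against a raw image of the disk: sector 0 whose boot code is no longer the original, a copy of the original MBR stashed in a sector beyond the last partition, and a PE image sitting in those unallocated sectors. The Python below is an added example, not code from this thread and not gmer.net's mbr.exe; the disk image, partition layout, sector numbers and loader bytes are constructed for illustration. The real tool also walks the kernel I/O path to find the \Driver\atapi hook, which a static image scan cannot see.

```python
"""Offline checks for a Mebroot/Sinowal-style MBR infection on a raw disk image.

Added example: the image, partition layout, sector numbers and code bytes
below are constructed for illustration, not taken from the infected Dell.
"""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
BOOTCODE_LEN = 446          # bytes 0..445: bootstrap code
PTABLE_OFF = 446            # four 16-byte partition entries follow
PE_MAGIC = b"MZ"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into bootstrap code, partition entries and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, n_sectors = struct.unpack_from(
            "<B3xB3xII", sector, PTABLE_OFF + 16 * i)
        if ptype:  # type 0 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": n_sectors})
    return {"bootcode": sector[:BOOTCODE_LEN],
            "partitions": parts,
            "signature_ok": sector[510:512] == BOOT_SIG}


def first_unallocated_lba(partitions) -> int:
    """First sector past the last partition. Mebroot keeps its payload and the
    saved original MBR out here, where no filesystem will overwrite them."""
    return max((p["lba_start"] + p["sectors"] for p in partitions), default=1)


def views_differ(user_view: bytes, kernel_view: bytes) -> bool:
    """mbr.exe reads sector 0 from user mode and again from its own driver
    (the 'user:' and 'kernel:' lines in the log); a mismatch means a hooked
    driver is filtering what callers get to see."""
    return user_view != kernel_view


def scan_image(image: bytes) -> dict:
    """Look for the artefacts mbr.exe reported: a stashed copy of the original
    MBR and a PE image, both in unallocated sectors beyond the last partition."""
    mbr = parse_mbr(image[:SECTOR])
    free_from = first_unallocated_lba(mbr["partitions"])
    mbr_copies, pe_sectors = [], []
    for lba in range(free_from, len(image) // SECTOR):
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        # Same partition table and signature as sector 0 but different boot
        # code: the original MBR the rootkit saved before overwriting sector 0.
        if s[PTABLE_OFF:] == image[PTABLE_OFF:SECTOR] and s[:BOOTCODE_LEN] != mbr["bootcode"]:
            mbr_copies.append(lba)
        if s.startswith(PE_MAGIC):
            pe_sectors.append(lba)
    return {"signature_ok": mbr["signature_ok"],
            "partitions": len(mbr["partitions"]),
            "first_unallocated_lba": free_from,
            "mbr_copies": mbr_copies,
            "pe_sectors": pe_sectors}


def build_sample_image() -> bytes:
    """Constructed 64-sector disk: one partition at LBA 1..31, rootkit loader in
    sector 0, the original MBR stashed at LBA 40, a PE stub at LBA 45."""
    ptable = struct.pack("<B3xB3xII", 0x80, 0x07, 1, 31) + bytes(48)
    clean_code = b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * (BOOTCODE_LEN - 5)   # made-up loader
    hooked_code = b"\xEB\x3C\x90" + b"\x41" * (BOOTCODE_LEN - 3)         # made-up rootkit loader
    sectors = [bytes(SECTOR)] * 64
    sectors[0] = hooked_code + ptable + BOOT_SIG
    sectors[40] = clean_code + ptable + BOOT_SIG
    sectors[45] = PE_MAGIC + bytes(SECTOR - 2)
    return b"".join(sectors)


if __name__ == "__main__":
    print(scan_image(build_sample_image()))
```

Matching on the whole partition table rather than on the 0x55AA signature alone matters: every volume boot record also ends in 0x55AA, so a signature-only search produces a hit per partition, whereas only the saved original MBR carries sector 0's exact table.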

#7 myrti

Posted 14 January 2010 - 04:49 PM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti



#8 MikeMacD
  • Topic Starter

Posted 14 January 2010 - 05:46 PM

Hi,
Given the seriousness of the infection, I think I will go for a reinstall. That raises a few questions that I would appreciate you answering if you can, I will try to make them clear and maybe they will help others in due course:

1. Should I use something like DBAN to wipe everything and then reformat the hard drive?
2. Will that clean the MBR effectively?
3. We have backups of data, music files, pictures, etc. but can I use them or are they likely to be compromised as well?
4. Should I be wary of memory sticks we have used with this pc and therefore of any computers that I have also used them in?
5. I have the computer on a home network, should I test the other computers on that network?

I think that's about it but please shout if there is anything else you think I should consider.

Thanks again for your help,
Mike.

#9 myrti

Posted 14 January 2010 - 05:59 PM

Hi,

1. Should I use something like DBAN to wipe everything and then reformat the hard drive?

If you use DBAN and reset the partitions you should be safe. A new install of your operating system usually will reformat the partition on which you install it as well. This will not clean the MBR though, unless you repartition as well. A repair install will not format anything.

2. Will that clean the MBR effectively?

Creating new partitions should overwrite the master boot record. If you want to be extra sure, you can boot into the Recovery Console on your Windows CD and use the command fixmbr to overwrite the Master Boot Record manually.

3. We have backups of data, music files, pictures, etc. but can I use them or are they likely to be compromised as well?

The backups should be fine. In general everything that is not executable is not a threat and can be backed up. Everything that is executable can potentially be dangerous. This includes setups, installers and cracks, but also screensavers and .com, .ini or .cpl files.

4. Should I be wary of memory sticks we have used with this pc and therefore of any computers that I have also used them in?

Here I would again say yes. Globally they pose a threat. However your logs show no sign of an infection spreading over flash drives, so I think the other PCs should be safe.
If you want to prevent infections spreading over flash drives, you can use the following application:
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

5. I have the computer on a home network, should I test the other computers on that network?

I'm not aware of this infection spreading over network, but I would say better safe than sorry. How many PCs are there on the network?

regards myrti

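
To make the difference between the three cleanup options in the answers to questions 1 and 2 concrete, here is an added example (not from this thread, and not Microsoft's fixmbr or DBAN code) that simulates each of them on a constructed 64-sector disk image: reformatting the Windows partition, Recovery Console fixmbr, and a DBAN-style wipe followed by repartitioning. The loader bytes, rootkit bytes and partition layout are made-up stand-ins.

```python
"""What each cleanup option discussed above does to sector 0.

Added example: the loader bytes, rootkit bytes and disk layout are made-up
stand-ins; this is not Microsoft's fixmbr or DBAN code.
"""
import struct

SECTOR = 512
BOOTCODE_LEN = 446                    # bootstrap code, bytes 0..445
BOOT_SIG = b"\x55\xAA"

ROOTKIT_CODE = b"\xEB\x3C\x90" + b"\x41" * (BOOTCODE_LEN - 3)        # made up
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * (BOOTCODE_LEN - 5)  # made up
# One bootable type-0x07 partition at LBA 1..31 (status, type, LBA start, count)
PTABLE = struct.pack("<B3xB3xII", 0x80, 0x07, 1, 31) + bytes(48)
STASH_LBA = 40                        # unallocated sector holding the saved original MBR


def sector(disk: bytes, lba: int) -> bytes:
    return disk[lba * SECTOR:(lba + 1) * SECTOR]


def build_infected_disk(n_sectors: int = 64) -> bytes:
    """Sector 0 carries the rootkit loader; the original MBR is stashed past
    the partition, as mbr.exe reported for the real disk."""
    sectors = [bytes(SECTOR)] * n_sectors
    sectors[0] = ROOTKIT_CODE + PTABLE + BOOT_SIG
    sectors[STASH_LBA] = CLEAN_CODE + PTABLE + BOOT_SIG
    return b"".join(sectors)


def mbr_is_clean(disk: bytes) -> bool:
    return sector(disk, 0)[:BOOTCODE_LEN] == CLEAN_CODE


def format_partition(disk: bytes) -> bytes:
    """Reformatting the Windows partition (what a fresh install does unless you
    delete the partitions) rewrites only that partition's sectors; sector 0 and
    the unallocated tail are untouched. A repair install writes even less."""
    lba_start, count = struct.unpack_from("<II", sector(disk, 0), BOOTCODE_LEN + 8)
    return (disk[:lba_start * SECTOR] + bytes(count * SECTOR)
            + disk[(lba_start + count) * SECTOR:])


def fixmbr(disk: bytes) -> bytes:
    """Recovery Console fixmbr: a standard loader replaces bytes 0..445 of
    sector 0; the partition table and 0x55AA signature are kept so the disk
    still boots. No other sector is written."""
    new_mbr = CLEAN_CODE + sector(disk, 0)[BOOTCODE_LEN:]
    return new_mbr + disk[SECTOR:]


def wipe_disk(disk: bytes) -> bytes:
    """DBAN-style wipe: every sector overwritten, partition table included."""
    return bytes(len(disk))


def repartition(disk: bytes, ptable: bytes = PTABLE) -> bytes:
    """Creating partitions on the wiped disk writes a brand-new sector 0."""
    return CLEAN_CODE + ptable + BOOT_SIG + disk[SECTOR:]


if __name__ == "__main__":
    d = build_infected_disk()
    for name, out in [("format", format_partition(d)), ("fixmbr", fixmbr(d)),
                      ("wipe+repartition", repartition(wipe_disk(d)))]:
        print(f"{name:18s} mbr clean={mbr_is_clean(out)} "
              f"stash survives={sector(out, STASH_LBA) == sector(d, STASH_LBA)}")
```

The simulation makes the caveat visible: a reformat leaves the infected sector 0 in place, fixmbr cleans sector 0 but leaves the stashed sectors beyond the partition exactly as they were (no longer loaded, but still on the disk for anyone doing forensics), and only the wipe-and-repartition route leaves nothing of the old disk behind.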


#10 MikeMacD
  • Topic Starter

Posted 14 January 2010 - 06:15 PM

Wow, thanks for the quick and detailed responses. I will get stuck into it over the weekend and hopefully have it ready for him to take back to university next week.

Thanks for the tip on Flash Disinfector, sounds like something handy to have around.

I have 4 other PCs on the network, 3 with AVG, AdAware and Spybot and one with Trend. They all use Windows Firewall and I have a hardware firewall on my wireless router. I thought I would run Malwarebytes, RootRepeal and maybe do a Windows Live One Care safety scan as well. Do you think that is enough?

Is it OK to keep this topic open until I have done that (say until Monday) in case I turn anything up?
Thanks again
Mike.

#11 myrti

Posted 14 January 2010 - 06:23 PM

Hi,

you're very welcome. :(

Since there are only 4 PCs I can also look over the gmer logs of each of them, to make sure they're clean. But if they have been protected by a firewall I suspect, they should be fine.

regards myrti



#12 MikeMacD
  • Topic Starter

Posted 14 January 2010 - 06:28 PM

OK, thanks. I'll try to run them tomorrow and get them over to you.
Have a good evening.
Mike

#13 MikeMacD
  • Topic Starter

Posted 15 January 2010 - 11:07 AM

Hi,
Here's the first one; a new PC running Windows 7 with Norton. I will do the other 2 later today but I'm supposed to be working now :(


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-15 15:48:36
Windows 6.1.7600
Running: lup663pp.exe; Driver: C:\Users\Mike\AppData\Local\Temp\uxldypow.sys


---- System - GMER 1.0.15 ----

SSDT 870BCD10 ZwAlertResumeThread
SSDT 870BCDF0 ZwAlertThread
SSDT 870C07D0 ZwAllocateVirtualMemory
SSDT 864AA3E0 ZwAlpcConnectPort
SSDT 870BBD20 ZwAssignProcessToJobObject
SSDT 870BCA60 ZwCreateMutant
SSDT 870BB7C8 ZwCreateSymbolicLinkObject
SSDT 870BEE98 ZwCreateThread
SSDT 870BBA70 ZwCreateThreadEx
SSDT 870BBE00 ZwDebugActiveProcess
SSDT 870C0980 ZwDuplicateObject
SSDT 870C2008 ZwFreeVirtualMemory
SSDT 870BCB50 ZwImpersonateAnonymousToken
SSDT 870BCC30 ZwImpersonateThread
SSDT 864A9780 ZwLoadDriver
SSDT 870C2460 ZwMapViewOfSection
SSDT 870BC980 ZwOpenEvent
SSDT 870C0AE0 ZwOpenProcess
SSDT 870C08C0 ZwOpenProcessToken
SSDT 870BC718 ZwOpenSection
SSDT 870C0A50 ZwOpenThread
SSDT 870BBC30 ZwProtectVirtualMemory
SSDT 86556E80 ZwResumeThread
SSDT 870C21B0 ZwSetContextThread
SSDT 870C2290 ZwSetInformationProcess
SSDT 870BBEE0 ZwSetSystemInformation
SSDT 870BC8A0 ZwSuspendProcess
SSDT 870BCED0 ZwSuspendThread
SSDT 8654C7B8 ZwTerminateProcess
SSDT 870BCFB0 ZwTerminateThread
SSDT 870C2380 ZwUnmapViewOfSection
SSDT 870C06E0 ZwWriteVirtualMemory

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82830AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82830104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828303F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828192D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82818898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828301DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82830958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828306F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82830F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828311A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82890579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 828B4F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 224 828BC724 8 Bytes [10, CD, 0B, 87, F0, CD, 0B, ...] {ADC CH, CL; OR EAX, [EDI-0x78f43210]}
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 828BC73C 4 Bytes [D0, 07, 0C, 87] {ROL BYTE [EDI], 0x1; OR AL, 0x87}
.text ntkrnlpa.exe!RtlSidHashLookup + 248 828BC748 4 Bytes [E0, A3, 4A, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 828BC79C 4 Bytes [20, BD, 0B, 87]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 828BC818 4 Bytes [60, CA, 0B, 87] {PUSHA ; RETF 0x870b}
.text ...
.text peauth.sys 9780FC9D 28 Bytes [8F, B9, 6B, C8, D0, B5, CF, ...]
.text peauth.sys 9780FCC1 28 Bytes [8F, B9, 6B, C8, D0, B5, CF, ...]
? C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100114.008\NAVEX15.SYS The system cannot find the path specified. !
? C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100114.008\NAVENG.SYS The system cannot find the path specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\ACPI_HAL \Device\00000049 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:2004] 8DC144B0

---- EOF - GMER 1.0.15 ----

#14 myrti

Posted 15 January 2010 - 04:49 PM

Hi,

the log is looking odd, could you please also provide a log from mbr from the system?

regards myrti



#15 MikeMacD
  • Topic Starter

Posted 15 January 2010 - 06:01 PM

Hi,
I thought it looked odd but I am just getting started with Win7. The PC did lock up shortly after I ran GMER, recording a Sysmain timeout error. Anyway, I have run mbr. I had to do it in Safe mode, so I reran GMER at the same time. Here are both logs - they look better (to my untrained eye!):

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll
kernel: MBR read successfully
user & kernel MBR OK


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-15 22:53:24
Windows 6.1.7600
Running: lup663pp.exe; Driver: C:\Users\Mike\AppData\Local\Temp\uxldypow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82048AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82048104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 820483F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 820312D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82030898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 820481DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82048958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 820486F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82048F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 820491A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 81C61579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81C85F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000049 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \FileSystem\fastfat \Fat 8112B130

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----



