
RootRepeal: MBR Rootkit Detected!


  • This topic is locked
23 replies to this topic

#1 SEANerDotNET


  • Members
  • 15 posts
  • Local time:02:49 PM

Posted 19 January 2010 - 12:57 PM

I came across this forum via Google searches on the issues I was having. Before reading the "Read this topic before posting a log" sticky under Forum Guidelines, I ran HiJackThis, ComboFix, and also FIXMBR from the Microsoft Recovery Console. As you can clearly tell from the RootRepeal report below, my hard drive is infected with a rootkit. Currently I have the drive connected as an external drive in another machine so I could scan it with RootRepeal because it kept locking up no matter what RootRepeal settings I tried. I find it interesting that MBR.EXE (log posted below) didn't report that there was a rootkit detected on the drive when I ran it when the infected drive was installed in its machine. I also ran DDS on the drive while it was still installed on its machine.

Thank you in advance to whoever helps me with this issue.


SEAN



-----------------------------------------------------------------
DDS (Ver_09-12-01.01) - NTFSx86 MINIMAL
Run by Taber at 6:23:48.73 on Tue 01/19/2010
Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1770 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Taber\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [PPWebCap] c:\progra~1\scansoft\paperp~1\PPWebCap.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /install
mRun: [OneTouch Monitor] c:\program files\visioneer onetouch\OneTouchMon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SoundMan] SOUNDMAN.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [WindowsUpdate] c:\windows\system32\windowsupdate\winupdate.exe
dRunOnce: [RunNarrator] Narrator.exe
dExplorerRun: [WindowsUpdate] c:\windows\system32\windowsupdate\winupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138917510575
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182479792484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\taber\applic~1\mozilla\firefox\profiles\l3wf8qfd.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

S2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [2009-11-9 23200]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2007-9-19 16512]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-1-13 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-1-13 30104]
S3 pbfilter;pbfilter;\??\c:\program files\peerblock\pbfilter.sys --> c:\program files\peerblock\pbfilter.sys [?]
S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [2008-3-26 15104]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2010-01-19 04:26:24 15 ----a-w- C:\settings.dat
2010-01-19 04:26:21 472064 ----a-w- C:\RootRepeal-renamefirst.exe
2010-01-19 04:25:06 293376 ----a-w- C:\5oumdt5w-Gmer-renamefirst.exe
2010-01-19 04:23:23 77312 ----a-w- C:\mbr-rename-runfromcdrive.exe
2010-01-17 01:48:16 0 d-sha-r- C:\cmdcons
2010-01-17 01:07:11 0 d-----w- C:\tmp
2010-01-15 03:51:06 5154304 ----a-w- C:\WindowsDefender.msi
2010-01-15 03:51:03 891248 ----a-w- C:\avg_free_stb_all_9_40_cnet.exe
2010-01-15 03:36:35 0 d-----w- c:\program files\CCleaner
2010-01-14 06:07:04 0 d-----w- C:\$AVG
2010-01-13 23:24:03 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-01-13 23:24:03 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-01-13 23:23:58 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-01-13 15:10:09 0 d-----w- c:\docume~1\taber\applic~1\AVG8
2010-01-07 03:02:25 0 d-----w- c:\windows\Logs
2010-01-06 05:13:41 0 d-----w- c:\program files\Ventrilo
2010-01-06 05:13:36 262 ----a-w- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-12-25 06:29:21 0 d-----w- c:\windows\system32\WindowsUpdate
2009-12-24 07:29:13 0 d-----w- c:\program files\iDump (Freeware)

==================== Find3M ====================

2009-12-29 22:40:38 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-29 22:37:04 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-10 06:54:07 261632 ----a-w- c:\windows\PEV.exe
2009-12-01 20:57:26 79967 -c--a-w- c:\windows\War3Unin.dat
2009-11-24 03:36:56 24072 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-03 04:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-25 14:11:34 77312 ----a-w- c:\windows\MBR.exe
2008-08-20 05:15:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 6:24:14.04 ===============





ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/19 07:40
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3D7E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D59000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF3BC6000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume D:\
Status: MBR Rootkit Detected!

Path: Volume D:\, Sector 1
Status: Sector mismatch

Path: Volume D:\, Sector 2
Status: Sector mismatch

Path: Volume D:\, Sector 3
Status: Sector mismatch

Path: Volume D:\, Sector 4
Status: Sector mismatch

Path: Volume D:\, Sector 5
Status: Sector mismatch

Path: Volume D:\, Sector 6
Status: Sector mismatch

Path: Volume D:\, Sector 7
Status: Sector mismatch

Path: Volume D:\, Sector 8
Status: Sector mismatch

Path: Volume D:\, Sector 9
Status: Sector mismatch

Path: Volume D:\, Sector 10
Status: Sector mismatch

Path: Volume D:\, Sector 11
Status: Sector mismatch

Path: Volume D:\, Sector 12
Status: Sector mismatch

Path: Volume D:\, Sector 13
Status: Sector mismatch

Path: Volume D:\, Sector 14
Status: Sector mismatch

Path: Volume D:\, Sector 15
Status: Sector mismatch

Path: Volume D:\, Sector 16
Status: Sector mismatch

Path: Volume D:\, Sector 17
Status: Sector mismatch

Path: Volume D:\, Sector 18
Status: Sector mismatch

Path: Volume D:\, Sector 19
Status: Sector mismatch

Path: Volume D:\, Sector 20
Status: Sector mismatch

Path: Volume D:\, Sector 21
Status: Sector mismatch

Path: Volume D:\, Sector 22
Status: Sector mismatch

Path: Volume D:\, Sector 23
Status: Sector mismatch

Path: Volume D:\, Sector 24
Status: Sector mismatch

Path: Volume D:\, Sector 25
Status: Sector mismatch

Path: Volume D:\, Sector 26
Status: Sector mismatch

Path: Volume D:\, Sector 27
Status: Sector mismatch

Path: Volume D:\, Sector 28
Status: Sector mismatch

Path: Volume D:\, Sector 29
Status: Sector mismatch

Path: Volume D:\, Sector 30
Status: Sector mismatch

Path: Volume D:\, Sector 31
Status: Sector mismatch

Path: Volume D:\, Sector 32
Status: Sector mismatch

Path: Volume D:\, Sector 33
Status: Sector mismatch

Path: Volume D:\, Sector 34
Status: Sector mismatch

Path: Volume D:\, Sector 35
Status: Sector mismatch

Path: Volume D:\, Sector 36
Status: Sector mismatch

Path: Volume D:\, Sector 37
Status: Sector mismatch

Path: Volume D:\, Sector 38
Status: Sector mismatch

Path: Volume D:\, Sector 39
Status: Sector mismatch

Path: Volume D:\, Sector 40
Status: Sector mismatch

Path: Volume D:\, Sector 41
Status: Sector mismatch

Path: Volume D:\, Sector 42
Status: Sector mismatch

Path: Volume D:\, Sector 43
Status: Sector mismatch

Path: Volume D:\, Sector 44
Status: Sector mismatch

Path: Volume D:\, Sector 45
Status: Sector mismatch

Path: Volume D:\, Sector 46
Status: Sector mismatch

Path: Volume D:\, Sector 47
Status: Sector mismatch

Path: Volume D:\, Sector 48
Status: Sector mismatch

Path: Volume D:\, Sector 49
Status: Sector mismatch

Path: Volume D:\, Sector 50
Status: Sector mismatch

Path: Volume D:\, Sector 51
Status: Sector mismatch

Path: Volume D:\, Sector 52
Status: Sector mismatch

Path: Volume D:\, Sector 53
Status: Sector mismatch

Path: Volume D:\, Sector 54
Status: Sector mismatch

Path: Volume D:\, Sector 55
Status: Sector mismatch

Path: Volume D:\, Sector 56
Status: Sector mismatch

Path: Volume D:\, Sector 57
Status: Sector mismatch

Path: Volume D:\, Sector 58
Status: Sector mismatch

Path: Volume D:\, Sector 59
Status: Sector mismatch

Path: Volume D:\, Sector 60
Status: Sector mismatch

Path: Volume D:\, Sector 61
Status: Sector mismatch

Path: Volume D:\, Sector 62
Status: Sector mismatch

==EOF==




Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
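The two tools above disagree because a bootkit that hooks the disk read path can hand back the original sectors to any in-system check, while a read taken from a low-level path or from the drive mounted in another machine shows what is really there. The check below, an added example that is not from the thread, RootRepeal or mbr.exe, parses the MBR partition table, works out the gap sectors before the first partition, and reports every sector that differs between the two views in the shape of the RootRepeal block. The disk images are constructed; the first partition starting at LBA 63 (which is why the log lists sectors 1 to 62) is an assumption about XP-era layouts.

```python
# Added example: cross-view comparison of the MBR and the sectors between it
# and the first partition. Not code from the thread, RootRepeal or mbr.exe.
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four 16-byte slots at offset 446 of a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR sector (bad size or missing 0x55AA)")
    parts = []
    for slot in range(4):
        off = 446 + 16 * slot
        boot_flag, ptype = mbr[off], mbr[off + 4]
        start_lba, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"bootable": boot_flag == 0x80, "type": ptype,
                          "start_lba": start_lba, "sectors": count})
    return parts


def pre_partition_gap(mbr: bytes) -> range:
    """Sectors between the MBR and the first partition (LBA 1 .. start-1).
    Assumption: XP-era disks usually start the first partition at LBA 63,
    which leaves sectors 1..62 unused and available to a bootkit."""
    starts = [p["start_lba"] for p in parse_partition_table(mbr)]
    if not starts:
        raise ValueError("MBR has no partitions")
    return range(1, min(starts))


def cross_view_check(api_view: bytes, raw_view: bytes) -> dict:
    """Compare two readings of the same leading sectors of one disk.
    api_view: what the normal read path returns (a hooked driver can filter it).
    raw_view: a low-level read, or the disk read from a clean machine.
    Both must cover the MBR plus the whole pre-partition gap."""
    if len(api_view) != len(raw_view) or len(api_view) % SECTOR:
        raise ValueError("views must be equal length and sector-aligned")
    gap = pre_partition_gap(raw_view[:SECTOR])
    if len(raw_view) < gap.stop * SECTOR:
        raise ValueError(f"need {gap.stop} sectors, got {len(raw_view) // SECTOR}")
    mismatched = [n for n in range(gap.stop)
                  if api_view[n * SECTOR:(n + 1) * SECTOR]
                  != raw_view[n * SECTOR:(n + 1) * SECTOR]]
    return {"mbr_modified": 0 in mismatched,           # sector 0 is the MBR itself
            "mismatched_sectors": [n for n in mismatched if n != 0],
            "gap": gap}


def format_report(result: dict, volume: str = "D:") -> list:
    """Render the result in the same shape as RootRepeal's Hidden/Locked Files block."""
    lines = []
    if result["mbr_modified"]:
        lines += [f"Path: Volume {volume}\\", "Status: MBR Rootkit Detected!"]
    for n in result["mismatched_sectors"]:
        lines += [f"Path: Volume {volume}\\, Sector {n}", "Status: Sector mismatch"]
    return lines


# ---- constructed sample disk images (not data from the thread) ----
def build_clean_mbr() -> bytes:
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 439  # 446 bytes of stub code
    # one bootable NTFS (0x07) partition starting at LBA 63; CHS fields left zero
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 156_296_322)
    return boot_code + entry + b"\x00" * 48 + MBR_SIGNATURE


def build_views():
    clean_mbr = build_clean_mbr()
    api_view = clean_mbr + b"\x00" * SECTOR * 62   # filtered read: everything looks original
    # raw read: boot code patched to jump into the gap, gap holds the loader,
    # partition table and signature left intact so Windows still boots
    infected_mbr = b"\xeb\x3e" + clean_mbr[2:]
    raw_view = infected_mbr + (b"\xcc\xc3" * (SECTOR // 2)) * 62
    return api_view, raw_view


if __name__ == "__main__":
    api_view, raw_view = build_views()
    print("\n".join(format_report(cross_view_check(api_view, raw_view))))
    # the same view compared with itself is what an in-system check sees when
    # the rootkit filters both read paths: nothing to report, i.e. "MBR OK"
    print(format_report(cross_view_check(api_view, api_view)) or ["user & kernel MBR OK"])
```

Running it prints the MBR detection plus 62 sector mismatches for the offline comparison and nothing for the in-system one, which is the pattern in the two logs above.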



#2 SEANerDotNET

  • Topic Starter

  • Members
  • 15 posts
  • Local time:02:49 PM

Posted 24 January 2010 - 06:14 PM

Please close this topic. It's so outdated now.

#3 myrti


    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:11:49 PM

Posted 25 January 2010 - 09:09 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. Do you want me to close the topic, or do you still wish for help?

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from the following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!

 



#4 SEANerDotNET

  • Topic Starter

  • Members
  • 15 posts
  • Local time:02:49 PM

Posted 25 January 2010 - 10:33 PM

I have gone through so many steps to fix this I can't remember all of them now. However, I will do my best to recount my actions taken on this issue over the last 11 days.

About a year ago the owner of this machine bought a new 1TB HD to replace the 80GB HD. Without checking the original drive for infections I cloned the old drive to the new drive, left the old drive in the machine but unattached to the motherboard. Recently the owner handed me the machine saying he was getting virus pop-ups, etc. (Malware Defense infection, but I didn't know that at the time). He said he'd tried uninstalling AVG (free) and re-installing and was having all kinds of issues (Windows Defender was also installed at the time).

I removed the 1TB drive and connected it via USB to another machine and ran AVG scan on it. 3 viruses were found and removed.

I put the 1TB drive back into its original machine and booted it up. Malware Defense screens started popping up. I had a difficult time trying to figure out the startup application that was running after reboot. I ended up uninstalling several suspicious applications and removing their entries from the registry. I used CCleaner several times to clean files and registry. Nothing worked so far. So I went through a process of elimination and via MSCONFIG disabled all startup items and (non-MS) services, then added each item back into the list one at a time, rebooting after each one. Finally, I found Malware Defense (it was so painfully obvious after I realized that it had disguised itself as something legitimate (to me it looked like a hardware scanner app/driver)). I manually deleted the startup entry from the registry and found the malware files in the computer user's temp folder and removed them all. Success. However, during my research to rid myself of this malware, I came across this forum via Google searches on the issues I was having, and decided to try several applications (I ran HiJackThis, ComboFix, and also FIXMBR from the Microsoft Recovery Console)... one of which was RootRepeal.

There are too many other details of stuff I've tried and done... I've tried a Low-Level Format of the 80GB drive and MBR WIPE using DISKMAN4..., F-Secure Blacklight, Microsoft Live OneCare online scanner, and most recently Malwarebytes Anti-Malware (which surprisingly found and removed several more items).

I am at my wit's end. I have an image of the original install of the machine on disc, but it does me no good if the MBR is infected and MBR -t, FIXMBR, etc. don't fix it. I have all the important data backed up so I don't care if I have to wipe both drives completely and utterly to remove everything so I can start over.

Currently, both drives are installed in the original machine where I just ran OTL.exe and included logs here as requested.

OTL logfile created on: 1/25/2010 6:17:26 PM - Run 1
OTL by OldTimer - Version 3.1.26.0 Folder = C:\Documents and Settings\Taber\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18241)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 82.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 931.51 Gb Total Space | 796.09 Gb Free Space | 85.46% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 74.53 Gb Total Space | 74.45 Gb Free Space | 99.90% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TABER
Current User Name: Taber
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/25 18:14:16 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Taber\Desktop\ffdsfsd.exe
PRC - [2009/08/28 18:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/07/25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/11/12 14:54:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2008/04/13 16:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/07/21 23:00:10 | 00,081,920 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2004/01/06 11:47:06 | 00,327,792 | ---- | M] (Executive Software International, Inc.) -- C:\Program Files\Executive Software\Diskeeper\DkService.exe


========== Modules (SafeList) ==========

MOD - [2010/01/25 18:14:16 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Taber\Desktop\ffdsfsd.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/01/23 20:31:31 | 00,535,424 | ---- | M] (Sysinternals - www.sysinternals.com) [On_Demand | Stopped] -- C:\Documents and Settings\Taber\Local Settings\temp\CENYXUB.exe -- (CENYXUB)
SRV - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/08/28 18:42:54 | 00,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/07/25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/12 14:54:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/01/06 11:47:06 | 00,327,792 | ---- | M] (Executive Software International, Inc.) [Auto | Running] -- C:\Program Files\Executive Software\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2010/01/13 15:24:03 | 00,030,104 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avgfwdx.sys -- (Avgfwfd)
DRV - [2010/01/13 15:24:03 | 00,030,104 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avgfwdx.sys -- (Avgfwdx)
DRV - [2009/08/28 18:42:52 | 00,040,448 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/05/18 13:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/11/12 14:54:00 | 06,188,320 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/04/16 13:51:56 | 00,022,784 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RimUsb.sys -- (RimUsb)
DRV - [2008/02/27 12:49:00 | 00,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2007/12/07 21:56:47 | 00,685,816 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/10/08 20:57:21 | 00,047,360 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin)
DRV - [2007/06/18 19:18:26 | 00,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2006/02/11 01:01:56 | 00,201,984 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2006/02/11 01:01:56 | 00,081,280 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2006/02/11 01:01:56 | 00,028,064 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2005/08/18 17:52:06 | 00,093,568 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\nvata.sys -- (nvata)
DRV - [2005/07/26 01:03:22 | 03,644,032 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/04/13 12:34:02 | 00,414,464 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA® nForce™
DRV - [2005/04/13 12:32:42 | 00,053,376 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA® nForce™
DRV - [2005/04/06 03:22:30 | 00,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/04/06 03:22:28 | 00,033,536 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/03/08 22:53:00 | 00,036,352 | R--- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2002/07/17 07:05:10 | 00,016,512 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (ASPI32)
DRV - [2002/07/17 07:05:10 | 00,016,512 | ---- | M] (Adaptec) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (ASPI)
DRV - [2001/08/23 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [1999/06/30 02:49:10 | 00,023,200 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ppsio2.sys -- (ppsio2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1708537768-113007714-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1708537768-113007714-682003330-1003\S-1-5-21-1708537768-113007714-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1708537768-113007714-682003330-1003\S-1-5-21-1708537768-113007714-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: es-es@dictionaries.addons.mozilla.org:1.2.1
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: "http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p="


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/23 23:25:21 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/16 15:09:02 | 00,000,000 | ---D | M]

[2008/07/10 11:08:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Taber\Application Data\Mozilla\Extensions
[2010/01/24 14:38:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Taber\Application Data\Mozilla\Firefox\Profiles\l3wf8qfd.default\extensions
[2009/06/23 23:40:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Taber\Application Data\Mozilla\Firefox\Profiles\l3wf8qfd.default\extensions\es-es@dictionaries.addons.mozilla.org
[2010/01/24 14:38:43 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/06/30 17:35:08 | 00,024,683 | ---- | M] (Ask.com) -- C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll
[2005/12/05 21:31:00 | 00,114,688 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
[2008/03/07 17:33:56 | 00,151,552 | ---- | M] (PopCap Games) -- C:\Program Files\Mozilla Firefox\plugins\nppopcaploader.dll
[2007/12/04 19:05:02 | 00,086,016 | ---- | M] (SpiralFrog Inc.) -- C:\Program Files\Mozilla Firefox\plugins\NPSFDMGR.dll
[2009/08/05 09:39:00 | 00,221,184 | ---- | M] (CNN) -- C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll

O1 HOSTS File: ([2010/01/16 17:54:57 | 00,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKU\S-1-5-21-1708537768-113007714-682003330-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [WindowsUpdate] C:\WINDOWS\system32\WindowsUpdate\winupdate.exe (Hunter)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [WindowsUpdate] C:\WINDOWS\system32\WindowsUpdate\winupdate.exe (Hunter)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: WindowsUpdate = C:\WINDOWS\system32\WindowsUpdate\winupdate.exe (Hunter)
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: WindowsUpdate = C:\WINDOWS\system32\WindowsUpdate\winupdate.exe (Hunter)
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1708537768-113007714-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1708537768-113007714-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1708537768-113007714-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1708537768-113007714-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1708537768-113007714-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\DisableRegistryTools: = 0
O7 - HKU\S-1-5-21-1708537768-113007714-682003330-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1708537768-113007714-682003330-1003\..Trusted Domains: 26 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1138917510575 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1182479792484 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab (Minesweeper Flags Class)
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Taber\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Taber\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/02/02 16:45:51 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/25 18:16:42 | 00,547,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Taber\Desktop\ffdsfsd.exe
[2010/01/24 19:12:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2010/01/24 18:45:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Taber\Application Data\Malwarebytes
[2010/01/24 18:45:11 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/24 18:45:07 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/24 18:45:07 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/24 18:45:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/24 14:36:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2010/01/24 14:36:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2010/01/24 14:36:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2010/01/24 14:36:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2010/01/24 14:36:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2010/01/24 14:36:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2010/01/24 14:36:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2010/01/24 14:36:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2010/01/24 14:36:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2010/01/24 14:36:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2010/01/24 14:36:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2010/01/24 14:36:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2010/01/24 14:36:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2010/01/24 14:36:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2010/01/24 14:36:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2010/01/24 14:36:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2010/01/24 14:36:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA
[2010/01/23 20:31:26 | 00,334,720 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Taber\Desktop\fdsujo.exe
[2010/01/23 16:27:13 | 00,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/01/21 21:37:05 | 00,505,432 | ---- | C] (HDDGURU ) -- C:\LLFsetup.2.21.1108.exe
[2010/01/21 20:49:15 | 00,000,000 | ---D | C] -- C:\Program Files\HDDGURU LLF Tool
[2010/01/20 17:42:59 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2010/01/19 19:00:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Taber\Application Data\TeraCopy
[2010/01/19 18:59:50 | 00,000,000 | ---D | C] -- C:\Program Files\TeraCopy
[2010/01/19 06:27:22 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Taber\Desktop\RootRepeal-renamefirst.exe
[2010/01/18 20:26:21 | 00,472,064 | ---- | C] ( ) -- C:\rrpl.exe
[2010/01/16 17:48:16 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2010/01/16 17:47:13 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/01/16 17:47:13 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/01/16 17:47:13 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/01/16 17:47:13 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/01/16 17:47:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/16 17:45:09 | 00,000,000 | ---D | C] -- C:\Qoobox
[2010/01/16 17:07:11 | 00,000,000 | ---D | C] -- C:\tmp
[2010/01/16 17:05:34 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Taber\Recent
[2010/01/16 16:44:59 | 00,000,000 | ---D | C] -- C:\Program Files\HiJackThis
[2010/01/14 19:53:20 | 00,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/01/14 19:51:03 | 00,891,248 | ---- | C] (AVG Technologies) -- C:\avg_free_stb_all_9_40_cnet.exe
[2010/01/14 19:36:35 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/01/13 22:07:04 | 00,000,000 | ---D | C] -- C:\$AVG
[2010/01/13 15:24:03 | 00,050,968 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgfwdx.dll
[2010/01/13 15:24:03 | 00,030,104 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgfwdx.sys
[2010/01/13 15:23:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/01/13 15:23:14 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/01/13 15:23:14 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/01/13 15:23:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/01/13 15:23:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/01/13 07:10:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Taber\Application Data\AVG8
[2010/01/06 19:03:38 | 00,515,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_5.dll
[2010/01/06 19:03:37 | 01,974,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_42.dll
[2010/01/06 19:03:37 | 00,238,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_5.dll
[2010/01/06 19:03:36 | 05,501,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dcsx_42.dll
[2010/01/06 19:03:36 | 00,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_42.dll
[2010/01/06 19:03:36 | 00,235,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx11_42.dll
[2010/01/06 19:03:35 | 01,892,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_42.dll
[2010/01/06 19:03:35 | 01,846,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_41.dll
[2010/01/06 19:03:35 | 00,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_41.dll
[2010/01/06 19:03:34 | 04,178,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_41.dll
[2010/01/06 19:03:33 | 00,517,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_4.dll
[2010/01/06 19:03:33 | 00,235,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_4.dll
[2010/01/06 19:03:33 | 00,069,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_3.dll
[2010/01/06 19:03:33 | 00,022,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_6.dll
[2010/01/06 19:03:32 | 02,036,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_40.dll
[2010/01/06 19:03:32 | 00,452,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_40.dll
[2010/01/06 19:03:31 | 04,379,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_40.dll
[2010/01/06 19:03:31 | 00,514,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_3.dll
[2010/01/06 19:03:31 | 00,070,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_2.dll
[2010/01/06 19:03:30 | 00,235,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_3.dll
[2010/01/06 19:03:30 | 00,023,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_5.dll
[2010/01/06 19:03:29 | 00,509,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_2.dll
[2010/01/06 19:03:29 | 00,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_2.dll
[2010/01/06 19:03:29 | 00,068,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_1.dll
[2010/01/06 19:03:28 | 03,851,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_39.dll
[2010/01/06 19:03:28 | 01,493,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_39.dll
[2010/01/06 19:03:28 | 00,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_39.dll
[2010/01/06 19:03:27 | 00,507,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_1.dll
[2010/01/06 19:03:27 | 00,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_1.dll
[2010/01/06 19:03:27 | 00,065,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_0.dll
[2010/01/06 19:03:26 | 03,850,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_38.dll
[2010/01/06 19:03:26 | 01,491,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_38.dll
[2010/01/06 19:03:26 | 00,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_38.dll
[2010/01/06 19:03:26 | 00,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_4.dll
[2010/01/06 19:03:25 | 00,479,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_0.dll
[2010/01/06 19:03:25 | 00,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_0.dll
[2010/01/06 19:03:24 | 01,420,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_37.dll
[2010/01/06 19:03:24 | 00,462,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_37.dll
[2010/01/06 19:03:24 | 00,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_3.dll
[2010/01/06 19:03:23 | 03,786,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_37.dll
[2010/01/06 19:02:25 | 00,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2010/01/05 21:13:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Taber\Application Data\Ventrilo
[2010/01/05 21:13:41 | 00,000,000 | ---D | C] -- C:\Program Files\Ventrilo
[2008/03/21 14:17:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2008/03/21 14:17:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2007/11/13 08:36:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
[2007/11/13 08:36:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
[2007/11/03 11:11:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/10/08 20:57:21 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Taber\Application Data\pcouffin.sys
[2007/10/04 14:04:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2007/08/16 13:57:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Xfire
[2007/08/10 11:17:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Xfire
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2016/04/11 16:30:01 | 00,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{644E7E96-27D6-4F2B-A7D0-33E27AAC419A}.job
[2010/01/25 18:14:16 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Taber\Desktop\ffdsfsd.exe
[2010/01/25 18:05:18 | 00,196,068 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/01/25 18:05:17 | 00,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/01/25 18:05:12 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/25 18:04:30 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/25 18:04:29 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/25 06:48:37 | 13,369,344 | -H-- | M] () -- C:\Documents and Settings\Taber\NTUSER.DAT
[2010/01/24 18:45:14 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/24 14:41:00 | 00,000,659 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/24 14:41:00 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2010/01/24 14:41:00 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/24 01:40:34 | 04,317,956 | -H-- | M] () -- C:\Documents and Settings\Taber\Local Settings\Application Data\IconCache.db
[2010/01/23 16:55:28 | 00,077,312 | ---- | M] () -- C:\m0b0r1.exe
[2010/01/23 16:27:48 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Taber\ntuser.ini
[2010/01/21 20:49:15 | 00,000,663 | ---- | M] () -- C:\Documents and Settings\Taber\Desktop\Hard Disk Low Level Format Tool.lnk
[2010/01/20 22:38:36 | 00,505,432 | ---- | M] (HDDGURU ) -- C:\LLFsetup.2.21.1108.exe
[2010/01/20 17:44:29 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Taber\Desktop\settings.dat
[2010/01/19 00:27:02 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Taber\Desktop\dds.scr
[2010/01/18 20:56:24 | 00,293,376 | ---- | M] () -- C:\5oumdt5w-Gmer-renamefirst.exe
[2010/01/18 20:55:44 | 00,077,312 | ---- | M] () -- C:\mbr-rename-runfromcdrive.exe
[2010/01/18 20:30:27 | 00,000,015 | ---- | M] () -- C:\settings.dat
[2010/01/16 17:54:57 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/01/16 17:41:04 | 03,827,053 | R--- | M] () -- C:\Documents and Settings\Taber\Desktop\scoolllness.exe
[2010/01/16 16:58:55 | 00,520,908 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/16 16:58:55 | 00,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/16 16:58:55 | 00,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/16 16:29:15 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2010/01/14 19:50:00 | 05,154,304 | ---- | M] () -- C:\WindowsDefender.msi
[2010/01/14 19:45:20 | 00,891,248 | ---- | M] (AVG Technologies) -- C:\avg_free_stb_all_9_40_cnet.exe
[2010/01/13 15:24:03 | 00,050,968 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgfwdx.dll
[2010/01/13 15:24:03 | 00,030,104 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgfwdx.sys
[2010/01/12 15:54:11 | 00,000,008 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2010/01/11 22:49:07 | 00,000,016 | ---- | M] () -- C:\Documents and Settings\Taber\Desktop\WarcraftIIIAutoRefresh_Config.dat
[2010/01/11 09:30:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/09 01:08:00 | 00,041,984 | ---- | M] () -- C:\Documents and Settings\Taber\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/06 19:51:22 | 00,001,620 | ---- | M] () -- C:\Documents and Settings\Taber\Desktop\Call of Duty Modern Warfare 2.lnk
[2010/01/06 19:51:22 | 00,001,620 | ---- | M] () -- C:\Documents and Settings\Taber\Desktop\Call of Duty Modern Warfare 2 - Multiplayer.lnk
[2010/01/05 21:13:43 | 00,000,630 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ventrilo.lnk
[2010/01/05 21:13:43 | 00,000,262 | ---- | M] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2010/01/02 15:42:14 | 00,026,112 | ---- | M] () -- C:\Documents and Settings\Taber\My Documents\Extended Response book 3.doc
[2009/12/29 14:40:38 | 00,215,104 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.xtr
[2009/12/29 14:40:38 | 00,215,104 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.exe
[2009/12/29 14:37:04 | 00,138,576 | ---- | M] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/24 18:45:14 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/24 14:36:36 | 00,000,236 | ---- | C] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/01/23 16:11:25 | 00,077,312 | ---- | C] () -- C:\m0b0r1.exe
[2010/01/21 20:49:15 | 00,000,663 | ---- | C] () -- C:\Documents and Settings\Taber\Desktop\Hard Disk Low Level Format Tool.lnk
[2010/01/19 06:27:27 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Taber\Desktop\settings.dat
[2010/01/19 06:23:45 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Taber\Desktop\dds.scr
[2010/01/18 20:26:24 | 00,000,015 | ---- | C] () -- C:\settings.dat
[2010/01/18 20:25:06 | 00,293,376 | ---- | C] () -- C:\5oumdt5w-Gmer-renamefirst.exe
[2010/01/18 20:23:23 | 00,077,312 | ---- | C] () -- C:\mbr-rename-runfromcdrive.exe
[2010/01/16 17:48:18 | 00,260,272 | ---- | C] () -- C:\cmldr
[2010/01/16 17:47:58 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2010/01/16 17:47:13 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/01/16 17:47:13 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/01/16 17:47:13 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/01/16 17:47:13 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/01/16 17:47:13 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/01/16 17:44:51 | 03,827,053 | R--- | C] () -- C:\Documents and Settings\Taber\Desktop\scoolllness.exe
[2010/01/14 19:51:06 | 05,154,304 | ---- | C] () -- C:\WindowsDefender.msi
[2010/01/12 15:54:11 | 00,000,008 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2010/01/06 19:51:22 | 00,001,620 | ---- | C] () -- C:\Documents and Settings\Taber\Desktop\Call of Duty Modern Warfare 2.lnk
[2010/01/06 19:51:22 | 00,001,620 | ---- | C] () -- C:\Documents and Settings\Taber\Desktop\Call of Duty Modern Warfare 2 - Multiplayer.lnk
[2010/01/05 21:13:43 | 00,000,630 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ventrilo.lnk
[2010/01/05 21:13:36 | 00,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2010/01/02 15:42:14 | 00,026,112 | ---- | C] () -- C:\Documents and Settings\Taber\My Documents\Extended Response book 3.doc
[2009/11/09 20:12:07 | 00,023,200 | ---- | C] () -- C:\WINDOWS\System32\drivers\ppsio2.sys
[2009/11/09 20:11:40 | 00,001,042 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2009/11/09 20:11:40 | 00,000,090 | ---- | C] () -- C:\WINDOWS\calera.ini
[2009/11/09 20:11:36 | 00,269,312 | ---- | C] () -- C:\WINDOWS\System32\FPXIG.DLL
[2009/11/09 20:11:36 | 00,068,096 | ---- | C] () -- C:\WINDOWS\System32\IGFPX32P.DLL
[2009/11/09 20:11:36 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\JPEGACC.DLL
[2009/11/09 20:11:23 | 00,101,376 | ---- | C] () -- C:\WINDOWS\System32\WELSOF32.DLL
[2009/09/27 22:06:26 | 00,074,368 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/08/03 15:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/02/24 14:55:22 | 00,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2008/10/21 14:09:42 | 00,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2008/10/21 14:09:42 | 00,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2008/10/08 16:47:12 | 00,042,320 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2008/10/07 09:13:30 | 00,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/09/02 13:42:50 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/08/23 12:01:36 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/03/18 19:22:13 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\Taber\Local Settings\Application Data\fusioncache.dat
[2007/12/25 11:25:39 | 00,138,576 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2007/12/25 11:25:39 | 00,022,328 | ---- | C] () -- C:\Documents and Settings\Taber\Application Data\PnkBstrK.sys
[2007/12/07 22:16:15 | 00,000,319 | ---- | C] () -- C:\WINDOWS\game.ini
[2007/12/07 21:56:45 | 00,685,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2007/10/08 20:57:25 | 00,000,034 | ---- | C] () -- C:\Documents and Settings\Taber\Application Data\pcouffin.log
[2007/10/08 20:57:21 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\Taber\Application Data\pcouffin.cat
[2007/10/08 20:57:21 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\Taber\Application Data\pcouffin.inf
[2007/10/08 20:46:22 | 00,001,778 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/09/20 20:03:52 | 00,000,067 | ---- | C] () -- C:\WINDOWS\#1 DVD Ripper.INI
[2007/07/02 18:15:26 | 00,041,984 | ---- | C] () -- C:\Documents and Settings\Taber\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/07/02 17:19:20 | 00,000,044 | ---- | C] () -- C:\WINDOWS\photofantasy.ini
[2007/07/02 17:19:20 | 00,000,029 | ---- | C] () -- C:\WINDOWS\videoimp.ini
[2007/07/02 17:19:19 | 00,000,113 | ---- | C] () -- C:\WINDOWS\photoimpression.ini
[2007/07/02 17:19:13 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2006/02/11 01:01:56 | 00,037,888 | ---- | C] () -- C:\WINDOWS\System32\setupnt.dll
[2006/02/02 17:00:26 | 00,156,672 | R--- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2006/02/02 16:55:52 | 00,000,258 | ---- | C] () -- C:\WINDOWS\System32\raidmgmt.ini
[2005/12/10 03:06:00 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005/12/10 03:06:00 | 01,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2005/12/10 03:06:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005/12/10 03:06:00 | 00,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/12/10 03:06:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/12/10 03:06:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
< End of report >

OTL Extras logfile created on: 1/25/2010 6:17:26 PM - Run 1
OTL by OldTimer - Version 3.1.26.0 Folder = C:\Documents and Settings\Taber\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18241)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 82.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 931.51 Gb Total Space | 796.09 Gb Free Space | 85.46% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 74.53 Gb Total Space | 74.45 Gb Free Space | 99.90% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TABER
Current User Name: Taber
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1708537768-113007714-682003330-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"6112:TCP" = 6112:TCP:*:Enabled:battlenet
"6113:TCP" = 6113:TCP:*:Enabled:battlenet2
"6114:TCP" = 6114:TCP:*:Enabled:battlenet3
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Steam\SteamApps\si_lenc3\counter-strike source\hl2.exe" = C:\Program Files\Steam\SteamApps\si_lenc3\counter-strike source\hl2.exe:*:Enabled:hl2 -- ()
"C:\Program Files\Steam\SteamApps\coinslot2\counter-strike source\hl2.exe" = C:\Program Files\Steam\SteamApps\coinslot2\counter-strike source\hl2.exe:*:Enabled:hl2 -- ()
"C:\Program Files\Steam\SteamApps\dunktank\counter-strike source\hl2.exe" = C:\Program Files\Steam\SteamApps\dunktank\counter-strike source\hl2.exe:*:Enabled:hl2 -- ()
"C:\Program Files\Steam\SteamApps\dunktank\team fortress 2\hl2.exe" = C:\Program Files\Steam\SteamApps\dunktank\team fortress 2\hl2.exe:*:Disabled:hl2 -- ()
"C:\Program Files\Steam\steam.exe" = C:\Program Files\Steam\steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\WINDOWS\system32\PnkBstrA.exe" = C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA -- ()
"C:\WINDOWS\system32\PnkBstrB.exe" = C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB -- ()
"C:\Program Files\Steam\SteamApps\lanpartytc\team fortress 2\hl2.exe" = C:\Program Files\Steam\SteamApps\lanpartytc\team fortress 2\hl2.exe:*:Enabled:hl2 -- ()
"C:\Program Files\Steam\SteamApps\lanpartytc\source sdk base\hl2.exe" = C:\Program Files\Steam\SteamApps\lanpartytc\source sdk base\hl2.exe:*:Enabled:hl2 -- ()
"C:\Program Files\Warcraft III\Frozen Throne.exe" = C:\Program Files\Warcraft III\Frozen Throne.exe:*:Enabled:Warcraft III - The Frozen Throne -- (Blizzard Entertainment)
"C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe" = C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ -- ()
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\mIRC\mirc.exe" = C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.)
"C:\Program Files\Steam\SteamApps\si_lenc3\half-life 2\hl2.exe" = C:\Program Files\Steam\SteamApps\si_lenc3\half-life 2\hl2.exe:*:Enabled:hl2 -- ()
"C:\Program Files\Steam\SteamApps\si_lenc3\source sdk base\hl2.exe" = C:\Program Files\Steam\SteamApps\si_lenc3\source sdk base\hl2.exe:*:Enabled:hl2 -- ()
"C:\Program Files\Steam\SteamApps\lanpartytc\day of defeat source\hl2.exe" = C:\Program Files\Steam\SteamApps\lanpartytc\day of defeat source\hl2.exe:*:Enabled:hl2 -- ()
"C:\Program Files\NetMeeting\conf.exe" = C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting® -- (Microsoft Corporation)
"C:\Program Files\VideoLAN\VLC\vlc.exe" = C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player -- ()
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpctr.exe" = C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice -- (Microsoft Corporation)
"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\Steam\SteamApps\lanpartytc\half-life\hl.exe" = C:\Program Files\Steam\SteamApps\lanpartytc\half-life\hl.exe:*:Enabled:Half-Life Launcher -- (Valve)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Steam\SteamApps\common\left 4 dead\left4dead.exe" = C:\Program Files\Steam\SteamApps\common\left 4 dead\left4dead.exe:*:Enabled:Left 4 Dead -- ()
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
"C:\Program Files\Steam\SteamApps\common\call of duty modern warfare 2\iw4sp.exe" = C:\Program Files\Steam\SteamApps\common\call of duty modern warfare 2\iw4sp.exe:*:Enabled:Call of Duty: Modern Warfare 2 -- ()
"C:\Program Files\Steam\SteamApps\common\call of duty modern warfare 2\iw4mp.exe" = C:\Program Files\Steam\SteamApps\common\call of duty modern warfare 2\iw4mp.exe:*:Enabled:Call of Duty: Modern Warfare 2 - Multiplayer -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 15
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3BD633E0-4BF8-4499-9149-88F0767D449C}" = Call of Duty® 4 - Modern Warfare™ 1.4 Patch
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{43602F34-1AA3-44FB-AEB2-D08C2C73743F}" = Paint.NET v3.36
"{43DCF766-6838-4F9A-8C91-D92DA586DFA8}" = Microsoft Windows Journal Viewer
"{5511D34C-323F-42E0-8C82-0AEB3E920417}" = Diskeeper Professional Edition
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8503C901-85D7-4262-88D2-8D8B2A7B08B8}" = Call of Duty® 4 - Modern Warfare™ 1.5 Patch
"{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}" = Call of Duty® 4 - Modern Warfare™ 1.6 Patch
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{931C37FC-594D-43A9-B10F-A2F2B1F03498}" = Call of Duty® 4 - Modern Warfare™ 1.7 Patch
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC54E544-3E42-443C-A91D-A00A6974C592}" = NVIDIA PhysX v8.10.13
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{D7A6C517-11F2-419F-B5BB-27772B939698}" = NvMixer
"{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare™
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"AviSynth" = AviSynth 2.5
"AVS DVD Copy_is1" = AVS DVD Copy version 3.1
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.3
"Belarc Advisor" = Belarc Advisor 7.2
"CCleaner" = CCleaner
"FLV Player" = FLV Player 2.0 (build 25)
"Free Audio Dub_is1" = Free Audio Dub version 1.4
"Free Studio_is1" = Free Studio version 4.2
"Free Video Flip and Rotate_is1" = Free Video Flip and Rotate version 1.4
"Free Video to Mp3 Converter_is1" = Free Video to Mp3 Converter version 3.1
"Free YouTube to iPod Converter_is1" = Free YouTube to iPod Converter version 3.1
"Hard Disk Low Level Format Tool_is1" = Hard Disk Low Level Format Tool 2.21 build 1108
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8 Beta 2
"InstallShield_{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"InstallShield_{2FB399BA-E790-4EAE-A82A-37A1B36C2783}" = Enemy Territory - QUAKE Wars™ Beta 2 1.1 Patch
"InstallShield_{3BD633E0-4BF8-4499-9149-88F0767D449C}" = Call of Duty® 4 - Modern Warfare™ 1.4 Patch
"InstallShield_{8503C901-85D7-4262-88D2-8D8B2A7B08B8}" = Call of Duty® 4 - Modern Warfare™ 1.5 Multiplayer Patch
"InstallShield_{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}" = Call of Duty® 4 - Modern Warfare™ 1.6 Patch
"InstallShield_{931C37FC-594D-43A9-B10F-A2F2B1F03498}" = Call of Duty® 4 - Modern Warfare™ 1.7 Patch
"InstallShield_{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare™
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"mIRC" = mIRC
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PaperPort 7.0" = PaperPort 7.0
"PopCap Browser Plugin" = PopCap Browser Plugin
"Steam App 10180" = Call of Duty: Modern Warfare 2
"Steam App 10190" = Call of Duty: Modern Warfare 2 - Multiplayer
"Steam App 15100" = Assassin's Creed
"Steam App 215" = Source SDK Base
"Steam App 240" = Counter-Strike: Source
"Steam App 380" = Half-Life 2: Episode One
"Steam App 400" = Portal
"Steam App 420" = Half-Life 2: Episode Two
"Steam App 440" = Team Fortress 2
"Steam App 500" = Left 4 Dead
"Steam App 70" = Half-Life
"Steam™" = Steam™
"Uninstall_is1" = Uninstall 1.0.0.1
"Visioneer 8600 Scanner, OneTouch V2.2" = Visioneer 8600 Scanner, OneTouch V2.2
"VLC media player" = VideoLAN VLC media player 0.8.6d
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMCSetup" = Windows Media Connect
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1708537768-113007714-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Warcraft III" = Warcraft III: All Products

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/27/2009 3:46:22 AM | Computer Name = TABER | Source = Application Error | ID = 1000
Description = Faulting application hl2.exe, version 0.0.0.0, faulting module vstdlib.dll,
version 0.0.0.0, fault address 0x00001432.

Error - 12/27/2009 3:46:24 AM | Computer Name = TABER | Source = Application Error | ID = 1001
Description = Fault bucket 523740930.

Error - 1/12/2010 4:27:02 AM | Computer Name = TABER | Source = Application Error | ID = 1000
Description = Faulting application vlc.exe, version 0.8.6.0, faulting module libvlc.dll,
version 0.0.0.0, fault address 0x0003f7fb.

Error - 1/13/2010 11:07:25 AM | Computer Name = TABER | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18241, faulting
module unknown, version 0.0.0.0, fault address 0x00df27a8.

Error - 1/13/2010 7:14:32 PM | Computer Name = TABER | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module , version 0.0.0.0, fault address 0x00000000.

Error - 1/13/2010 7:15:23 PM | Computer Name = TABER | Source = Application Hang | ID = 1002
Description = Hanging application uninstall.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/13/2010 7:15:25 PM | Computer Name = TABER | Source = Application Hang | ID = 1001
Description = Fault bucket 02932025.

Error - 1/16/2010 1:46:54 AM | Computer Name = TABER | Source = MPSampleSubmission | ID = 5000
Description =

Error - 1/16/2010 1:50:20 AM | Computer Name = TABER | Source = MsiInstaller | ID = 11316
Description = Product: Windows Defender -- Error 1316. A network error occurred
while attempting to read from the file: C:\WindowsDefender[1].msi

Error - 1/16/2010 6:35:48 AM | Computer Name = TABER | Source = MsiInstaller | ID = 11722
Description = Product: Java™ 6 Update 12 -- Error 1722.There is a problem with
this Windows Installer package. A program run as part of the setup did not finish
as expected. Contact your support personnel or package vendor. Action FilesInUseDialog,
location: C:\WINDOWS\Installer\MSI4C.tmp, command: C:\Program Files\Java\jre6\

[ System Events ]
Error - 1/23/2010 8:30:08 PM | Computer Name = TABER | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 1/23/2010 9:25:19 PM | Computer Name = TABER | Source = Service Control Manager | ID = 7000
Description = The adfs service failed to start due to the following error: %%2

Error - 1/24/2010 4:02:10 AM | Computer Name = TABER | Source = Service Control Manager | ID = 7034
Description = The CENYXUB service terminated unexpectedly. It has done this 1 time(s).

Error - 1/24/2010 5:12:14 AM | Computer Name = TABER | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).

Error - 1/24/2010 5:31:39 AM | Computer Name = TABER | Source = Service Control Manager | ID = 7000
Description = The adfs service failed to start due to the following error: %%2

Error - 1/24/2010 5:41:35 AM | Computer Name = TABER | Source = Service Control Manager | ID = 7000
Description = The adfs service failed to start due to the following error: %%2

Error - 1/24/2010 11:01:14 PM | Computer Name = TABER | Source = Service Control Manager | ID = 7000
Description = The adfs service failed to start due to the following error: %%2

Error - 1/25/2010 4:39:44 AM | Computer Name = TABER | Source = Service Control Manager | ID = 7000
Description = The adfs service failed to start due to the following error: %%2

Error - 1/25/2010 4:39:45 AM | Computer Name = TABER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
atapi PCIIde

Error - 1/25/2010 4:48:39 AM | Computer Name = TABER | Source = Service Control Manager | ID = 7000
Description = The adfs service failed to start due to the following error: %%2


< End of report >


#5 myrti (Malware Study Hall Admin)

Posted 26 January 2010 - 01:50 AM

Hi,

What makes you think that you are infected, besides RootRepeal telling you so? Do you have any symptoms? fixmbr will overwrite the MBR; there is little chance that the infection could have protected itself from it.

Please provide the old ComboFix logs and a new log from gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (Do not use the computer while the scan is in progress.)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

Edited by myrti, 26 January 2010 - 01:51 AM.

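The point made above, that fixmbr rewrites the boot sector and that what remains to verify afterwards is whether the sector now on disk matches a known-good one, is a check a responder can do directly on a 512-byte MBR image. The block below is an added example, not code from this thread or from RootRepeal, GMER or ComboFix. The boot code bytes, the partition layout and the disk signature are constructed sample data, and the baseline hash stands in for one taken from a known-clean MBR image of the same Windows version; it reports a modified boot code region, a missing 0x55AA signature, a wrong count of active partitions and overlapping partition entries.

```python
"""Added example: parse a 512-byte MBR image and compare it with a known-good baseline."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bootstrap code; Windows keeps the disk signature at 440..443
PART_TABLE_OFFSET = 446      # four 16-byte partition entries
BOOT_SIGNATURE = 0xAA55      # bytes 0x55 0xAA at offsets 510..511, read little-endian


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into boot code hash, disk signature, partition table and boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    disk_signature = struct.unpack_from("<I", sector, 440)[0]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sector_count": sector_count})
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "disk_signature": disk_signature,
        "partitions": partitions,
        "boot_signature": struct.unpack_from("<H", sector, 510)[0],
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR is well formed and matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_signature"] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from known-good baseline")
    used = [p for p in info["partitions"] if p["type"] != 0]
    active = [p for p in used if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    # Overlapping entries are a table a sane partitioning tool never writes.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sector_count"]) for p in used)
    for (_, end1), (start2, _) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append(f"partition entries overlap at LBA {start2}")
    return findings


def build_mbr(boot_code: bytes, partitions, disk_signature=0x12345678) -> bytes:
    """Assemble a constructed MBR image (helper for the sample data below)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, disk_signature)
    for i, (status, ptype, lba_start, count) in enumerate(partitions):
        off = PART_TABLE_OFFSET + 16 * i
        sector[off] = status
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, count)
    struct.pack_into("<H", sector, 510, BOOT_SIGNATURE)
    return bytes(sector)


# Constructed sample data: a stand-in for the boot code of a known-clean MBR
# (not the real Windows bytes) and a single active NTFS partition starting at LBA 63.
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 63, 1_000_000)])
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()

# Same partition table, but the first bytes of the boot code have been replaced;
# a patched boot code region is what this check is meant to surface.
TAMPERED_MBR = build_mbr(b"\xEB\x10" + CLEAN_BOOT_CODE[2:], [(0x80, 0x07, 63, 1_000_000)])

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, BASELINE_SHA256) or "OK")
```

On a real case the image would be read from the disk's first sector with the drive attached read-only to a clean machine, as the poster did here, and the baseline hash taken from a sector captured from a known-clean install of the same Windows version; the hash comparison only covers the 440 bytes of code, so the disk signature and partition table, which legitimately differ between machines, do not produce false alarms.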


#6 SEANerDotNET (Topic Starter)

Posted 27 January 2010 - 12:49 AM

QUOTE(myrti @ Jan 25 2010, 10:50 PM)
What makes you think that you are infected, besides RootRepeal telling you so? Do you have any symptoms? fixmbr will overwrite the MBR; there is little chance that the infection could have protected itself from it.


That's why I'm still concerned about this issue... because RootRepeal says infected, and I'm wondering whether or not RootRepeal is accurate. I'm not seeing any symptoms besides RootRepeal's results. fixmbr didn't seem to fix RootRepeal's report either... so I am suspicious about both RootRepeal and whether or not the rootkit is gone.


ComboFix 10-01-16.02 - Taber 01/16/2010 17:50:24.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1694 [GMT -8:00]
Running from: c:\documents and settings\Taber\Desktop\scoolllness.exe [ED: renamed from ComboFix.exe]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Taber\Application Data\inst.exe
c:\documents and settings\Taber\Application Data\rhc728j0erbp
c:\documents and settings\Taber\Application Data\shc528j0erbp
c:\documents and settings\Taber\Application Data\ShoppingReport
c:\documents and settings\Taber\Application Data\ShoppingReport\cs\Config.xml
c:\recycler\S-1-5-21-583907252-789336058-1343024091-1003
C:\SUD
c:\sud\SSOW\DesKTop.ini
c:\windows\system32\clbinit.dll
c:\windows\system32\H8SRTbretlbbowp.dat
c:\windows\system32\H8SRTdmqvnsitym.dll
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\H8SRTqgvpylllov.dll
c:\windows\system32\H8SRTrubadplale.dll
c:\windows\system32\h8srtshsyst.dll
c:\windows\system32\H8SRTtfmqhymyqv.dll
c:\windows\system32\SIntf16.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Legacy_H8SRTd.sys
-------\Service_clbdriver
-------\Service_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.

2010-01-17 01:07 . 2010-01-17 01:07 -------- d-----w- C:\tmp
2010-01-15 03:55 . 2010-01-15 03:55 -------- d-sh--w- c:\documents and settings\Administrator.TABER.000\PrivacIE
2010-01-15 03:54 . 2010-01-15 03:54 -------- d-----w- c:\documents and settings\Administrator.TABER.000\Application Data\AVG8
2010-01-15 03:51 . 2010-01-15 03:50 5154304 ----a-w- C:\WindowsDefender.msi
2010-01-15 03:51 . 2010-01-15 03:45 891248 ----a-w- C:\avg_free_stb_all_9_40_cnet.exe
2010-01-15 03:36 . 2010-01-15 03:36 -------- d-----w- c:\program files\CCleaner
2010-01-14 06:07 . 2010-01-14 06:07 -------- d-----w- C:\$AVG
2010-01-13 23:24 . 2010-01-13 23:24 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-01-13 23:24 . 2010-01-13 23:24 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-01-13 23:23 . 2010-01-16 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-13 15:10 . 2010-01-13 15:10 -------- d-----w- c:\documents and settings\Taber\Application Data\AVG8
2010-01-07 03:02 . 2010-01-07 03:02 -------- d-----w- c:\windows\Logs
2010-01-06 05:13 . 2010-01-06 05:15 -------- d-----w- c:\documents and settings\Taber\Application Data\Ventrilo
2010-01-06 05:13 . 2010-01-06 05:13 -------- d-----w- c:\program files\Ventrilo
2009-12-25 06:29 . 2009-12-26 07:35 -------- d-----w- c:\windows\system32\WindowsUpdate
2009-12-24 07:29 . 2009-12-24 07:35 -------- d-----w- c:\program files\iDump (Freeware)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-04-12 00:00 . 2009-09-13 06:27 -------- d-----w- c:\program files\MSECACHE
2010-01-16 10:35 . 2007-06-23 05:17 -------- d-----w- c:\program files\Java
2010-01-16 05:53 . 2009-11-28 03:48 -------- d-----w- c:\program files\Accessdiver
2010-01-16 05:43 . 2008-07-01 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-01-13 02:19 . 2008-10-25 19:45 -------- d-----w- c:\documents and settings\Taber\Application Data\BitTorrent
2010-01-12 07:16 . 2007-09-20 04:35 -------- d-----w- c:\documents and settings\Taber\Application Data\dvdcss
2010-01-12 06:46 . 2007-06-29 18:49 -------- d-----w- c:\program files\Warcraft III
2010-01-10 03:46 . 2006-02-03 19:04 -------- d-----w- c:\program files\Steam
2010-01-06 05:13 . 2008-12-25 19:25 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-29 22:40 . 2007-12-25 19:25 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-29 22:37 . 2007-12-25 19:25 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-22 09:38 . 2008-09-16 23:07 -------- d-----w- c:\documents and settings\Taber\Application Data\mIRC
2009-12-22 09:36 . 2009-11-24 22:52 -------- d-----w- c:\program files\mIRC
2009-12-22 07:27 . 2008-08-27 05:17 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-12-01 20:57 . 2007-06-29 18:52 79967 -c--a-w- c:\windows\War3Unin.dat
2009-11-28 08:48 . 2009-03-18 00:55 -------- d-----w- c:\program files\iTunes
2009-11-28 08:47 . 2009-03-18 00:55 -------- d-----w- c:\program files\iPod
2009-11-28 08:47 . 2007-07-10 08:16 -------- d-----w- c:\program files\Common Files\Apple
2009-11-28 08:45 . 2009-11-28 08:44 -------- d-----w- c:\program files\QuickTime
2009-11-28 08:41 . 2009-11-28 08:41 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-25 23:00 . 2007-06-23 04:37 -------- d-----w- c:\documents and settings\Taber\Application Data\Apple Computer
2009-11-25 22:50 . 2007-07-10 08:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-24 03:36 . 2009-09-14 05:31 24072 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-22 04:51 . 2009-11-21 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\RFYZLGDBYG
2009-11-22 04:33 . 2009-11-21 22:02 -------- d-----w- c:\program files\BadgeHelp
2009-11-22 03:50 . 2009-11-22 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-11-22 03:47 . 2006-02-02 23:11 23272 ----a-w- c:\documents and settings\Taber\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 15:51 . 2001-08-23 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-03 04:42 . 2009-10-04 21:34 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-12-06 167368]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"PPWebCap"="c:\progra~1\ScanSoft\PAPERP~1\PPWebCap.exe" [2000-09-06 40960]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"nwiz"="nwiz.exe" [2008-11-12 1630208]
"OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2000-06-19 69632]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"WindowsUpdate"="c:\windows\system32\WindowsUpdate\winupdate.exe" [2006-01-28 548864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"WindowsUpdate"="c:\windows\system32\WindowsUpdate\winupdate.exe" [2006-01-28 548864]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\si_lenc3\\counter-strike source\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\coinslot2\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\SteamApps\\dunktank\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\dunktank\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\SteamApps\\lanpartytc\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\lanpartytc\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\SteamApps\\si_lenc3\\half-life 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\si_lenc3\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\lanpartytc\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\assassins creed\\AssassinsCreed_Game.exe"=
"c:\\Program Files\\Steam\\SteamApps\\lanpartytc\\half-life\\hl.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4mp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6112:TCP"= 6112:TCP:battlenet
"6113:TCP"= 6113:TCP:battlenet2
"6114:TCP"= 6114:TCP:battlenet3

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/7/2007 9:56 PM 685816]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [11/9/2009 8:12 PM 23200]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [9/19/2007 8:33 PM 16512]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [1/13/2010 3:24 PM 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [1/13/2010 3:24 PM 30104]
S3 pbfilter;pbfilter;\??\c:\program files\PeerBlock\pbfilter.sys --> c:\program files\PeerBlock\pbfilter.sys [?]
S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [3/26/2008 8:18 PM 15104]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2016-04-12 c:\windows\Tasks\User_Feed_Synchronization-{644E7E96-27D6-4F2B-A7D0-33E27AAC419A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Taber\Application Data\Mozilla\Firefox\Profiles\l3wf8qfd.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

ActiveSetup-{67KLN5J0-4OPM-01WE-AAX2-5657QCA554112} - c:\sud\SSOW\sep.exe
AddRemove-HijackThis - C:\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-16 17:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5C81E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecf28
\Driver\ACPI -> ACPI.sys @ 0xba67dcb8
\Driver\atapi -> atapi.sys @ 0xba612b40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xba4f1bb0
PacketIndicateHandler -> NDIS.sys @ 0xba4fea21
SendHandler -> NDIS.sys @ 0xba4dc87b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1708537768-113007714-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c6,85,f5,69,a7,78,c9,9a,35,11,8a,3d,48,92,72,cb,e7,75,4e,d3,87,b1,b0,
54,1b,1a,42,6f,8e,5f,27,e0,a1,c8,cd,7f,4c,47,91,27,df,c8,a7,03,e2,80,69,69,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-1708537768-113007714-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:18,8b,4d,50,8d,1c,b6,9a,31,0e,85,6e,2f,59,c0,00,b5,f5,19,ba,ed,
ec,26,be,1d,d4,d5,3a,d5,6c,13,ea,7b,fc,39,1b,b5,c3,d6,9a,6e,db,59,b5,57,8f,\
"rkeysecu"=hex:83,df,42,aa,eb,2a,1c,28,8d,2d,95,79,a5,08,d7,6f
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2172)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\SOUNDMAN.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-16 17:58:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-17 01:58

Pre-Run: 854,152,871,936 bytes free
Post-Run: 854,354,747,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=1 Default=1 Failed=0 LastKnownGood=2 Sets=,1,2,3
- - End Of File - - 19E316695D1587E4D4B9AB73BE600C24









GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-26 21:15:50
Windows 5.1.2600 Service Pack 3
Running: uriioe.exe.exe; Driver: C:\DOCUME~1\Taber\LOCALS~1\Temp\kxtdipow.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xBA6BE0D0]
SSDT sptd.sys ZwEnumerateKey [0xBA6C3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xBA6C4340]
SSDT sptd.sys ZwOpenKey [0xBA6BE0B0]
SSDT sptd.sys ZwQueryKey [0xBA6C4418]
SSDT sptd.sys ZwQueryValueKey [0xBA6C4298]
SSDT sptd.sys ZwSetValueKey [0xBA6C44AA]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B9E008AC 5 Bytes JMP 8A2DA1C8
init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xBA9C1A0C]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB95C9360, 0x34CDBF, 0xE8000020]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6BEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6BEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6BEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6BF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6BF61E] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A5C71E8
Device \FileSystem\Fastfat \FatCdrom 893E71E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B668C252-F182-43D5-9856-D6593022F8F2} 893D81E8
Device \Driver\usbohci \Device\USBPDO-0 8A3961E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A5C91E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A5C91E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A5C91E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A5C91E8
Device \Driver\nvata \Device\00000070 8A5C81E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A55D1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A55D1E8
Device \Driver\Cdrom \Device\CdRom0 8A2C41E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 893D81E8
Device \Driver\USBSTOR \Device\00000077 893B91E8
Device \Driver\USBSTOR \Device\00000079 893B91E8
Device \Driver\NetBT \Device\NetbiosSmb 893D81E8
Device \Driver\usbohci \Device\USBFDO-0 8A3961E8
Device \Driver\nvata \Device\0000006d 8A5C81E8
Device \Driver\nvata \Device\NvAta0 8A5C81E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 893BE1E8
Device \Driver\nvata \Device\NvAta1 8A5C81E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 893BE1E8
Device \Driver\nvata \Device\0000006f 8A5C81E8
Device \Driver\nvata \Device\NvAta2 8A5C81E8
Device \Driver\Ftdisk \Device\FtControl 8A55D1E8
Device \FileSystem\Fastfat \Fat 893E71E8
Device \FileSystem\Cdfs \Cdfs 893F31E8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0C 0x0D 0x71 0x37 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0C 0x0D 0x71 0x37 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDB 0x3A 0xFA 0xC2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE0 0x9F 0xAF 0x78 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD8 0xFB 0xA3 0x11 ...

---- EOF - GMER 1.0.15 ----


#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:49 PM

Posted 29 January 2010 - 09:25 AM

Hi,

The MBR rootkit is detected on the D: drive, but according to your OTL log there is no D: drive, which is what is confusing me right now. Could you please provide a new log from RootRepeal so I can see what is still being detected?

In general, an infection that launches itself from the MBR (which is what an MBR rootkit does) can only execute if you boot from the hard disk. So if you use the infected drive as a data disk there are no risks. Please also note that fixmbr and mbr -f will only work on the booted disk and not on the MBR of a secondary disk.

Have you done fixmbr on both disks? (Assuming there is a working XP install on both disks.) Do you use any kind of encryption software that may have altered the MBR and hence produced a false positive?

On the same install on which you ran ComboFix, please run DeFogger:
Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Followed by mbr:
  • Go to Start > Run and type: cmd.exe
  • Press OK.
  • At the command prompt type: mbr.exe -t >"C:\mbr.log"
  • Press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#8 SEANerDotNET

SEANerDotNET
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:02:49 PM

Posted 29 January 2010 - 04:53 PM

QUOTE(myrti @ Jan 29 2010, 06:25 AM)
The MBR rootkit is detected on the D: drive, but according to your OTL log there is no D: drive, which is what is confusing me right now. Could you please provide a new log from RootRepeal so I can see what is still being detected?


Drive D: was the original drive (80GB) that I cloned to the 1TB drive last year. I only recently added the drive as a secondary drive to this machine to try it, since I'd already wiped it and run DISKMAN4 MBR WIPE... but when I used RootRepeal on that drive from another machine it still says rootkit detected. However, I have not tried booting from that disk and running fixmbr. So, now I will consider that a separate issue for this entire post and just concentrate on the primary drive (1TB) that belongs in this machine. Side note... I will reinstall XP on the 80GB drive and run FIXMBR and then RootRepeal, and if RootRepeal still reports a rootkit, I will create a separate ticket/forum post for that issue.

Now, you wanted me to run RootRepeal (RR) on the primary drive (1TB) again. I can do that, but RR locks up the machine. So the only way I can do that is to connect the drive via USB to another machine, run RR on it and post the results. Unless you have additional tips for that. I will do that later. Maybe you'll have another response for me before then. After that, I will continue on with the further instructions you provided and report back.

#9 SEANerDotNET

SEANerDotNET
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:02:49 PM

Posted 31 January 2010 - 04:36 AM

QUOTE(myrti @ Jan 29 2010, 06:25 AM)
The MBR rootkit is detected on the D: drive, but according to your OTL log there is no D: drive, which is what is confusing me right now. Could you please provide a new log from RootRepeal so I can see what is still being detected?


Ok, I figured out what you meant by drive D:. I have included the latest RootRepeal report below. It reads as drive D: because I had to connect the drive via USB to another machine. On that machine the 1TB drive is assigned as drive D:. I scanned the drive (D:) with RootRepeal.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/31 01:21
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3D7E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7DDD000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF2E78000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume D:\
Status: MBR Rootkit Detected!

Path: Volume D:\, Sector 1
Status: Sector mismatch

Path: Volume D:\, Sector 2
Status: Sector mismatch

Path: Volume D:\, Sector 3
Status: Sector mismatch

Path: Volume D:\, Sector 4
Status: Sector mismatch

Path: Volume D:\, Sector 5
Status: Sector mismatch

Path: Volume D:\, Sector 6
Status: Sector mismatch

Path: Volume D:\, Sector 7
Status: Sector mismatch

Path: Volume D:\, Sector 8
Status: Sector mismatch

Path: Volume D:\, Sector 9
Status: Sector mismatch

Path: Volume D:\, Sector 10
Status: Sector mismatch

Path: Volume D:\, Sector 11
Status: Sector mismatch

Path: Volume D:\, Sector 12
Status: Sector mismatch

Path: Volume D:\, Sector 13
Status: Sector mismatch

Path: Volume D:\, Sector 14
Status: Sector mismatch

Path: Volume D:\, Sector 15
Status: Sector mismatch

Path: Volume D:\, Sector 16
Status: Sector mismatch

Path: Volume D:\, Sector 17
Status: Sector mismatch

Path: Volume D:\, Sector 18
Status: Sector mismatch

Path: Volume D:\, Sector 19
Status: Sector mismatch

Path: Volume D:\, Sector 20
Status: Sector mismatch

Path: Volume D:\, Sector 21
Status: Sector mismatch

Path: Volume D:\, Sector 22
Status: Sector mismatch

Path: Volume D:\, Sector 23
Status: Sector mismatch

Path: Volume D:\, Sector 24
Status: Sector mismatch

Path: Volume D:\, Sector 25
Status: Sector mismatch

Path: Volume D:\, Sector 26
Status: Sector mismatch

Path: Volume D:\, Sector 27
Status: Sector mismatch

Path: Volume D:\, Sector 28
Status: Sector mismatch

Path: Volume D:\, Sector 29
Status: Sector mismatch

Path: Volume D:\, Sector 30
Status: Sector mismatch

Path: Volume D:\, Sector 31
Status: Sector mismatch

Path: Volume D:\, Sector 32
Status: Sector mismatch

Path: Volume D:\, Sector 33
Status: Sector mismatch

Path: Volume D:\, Sector 34
Status: Sector mismatch

Path: Volume D:\, Sector 35
Status: Sector mismatch

Path: Volume D:\, Sector 36
Status: Sector mismatch

Path: Volume D:\, Sector 37
Status: Sector mismatch

Path: Volume D:\, Sector 38
Status: Sector mismatch

Path: Volume D:\, Sector 39
Status: Sector mismatch

Path: Volume D:\, Sector 40
Status: Sector mismatch

Path: Volume D:\, Sector 41
Status: Sector mismatch

Path: Volume D:\, Sector 42
Status: Sector mismatch

Path: Volume D:\, Sector 43
Status: Sector mismatch

Path: Volume D:\, Sector 44
Status: Sector mismatch

Path: Volume D:\, Sector 45
Status: Sector mismatch

Path: Volume D:\, Sector 46
Status: Sector mismatch

Path: Volume D:\, Sector 47
Status: Sector mismatch

Path: Volume D:\, Sector 48
Status: Sector mismatch

Path: Volume D:\, Sector 49
Status: Sector mismatch

Path: Volume D:\, Sector 50
Status: Sector mismatch

Path: Volume D:\, Sector 51
Status: Sector mismatch

Path: Volume D:\, Sector 52
Status: Sector mismatch

Path: Volume D:\, Sector 53
Status: Sector mismatch

Path: Volume D:\, Sector 54
Status: Sector mismatch

Path: Volume D:\, Sector 55
Status: Sector mismatch

Path: Volume D:\, Sector 56
Status: Sector mismatch

Path: Volume D:\, Sector 57
Status: Sector mismatch

Path: Volume D:\, Sector 58
Status: Sector mismatch

Path: Volume D:\, Sector 59
Status: Sector mismatch

Path: Volume D:\, Sector 60
Status: Sector mismatch

Path: Volume D:\, Sector 61
Status: Sector mismatch

Path: Volume D:\, Sector 62
Status: Sector mismatch

==EOF==


Other reports as instructed will follow later when I have more time to spend on it than what I have at the moment. Thank you.
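The "MBR Rootkit Detected!" and "Sector mismatch" lines in the RootRepeal report above, and myrti's point in #7 that an MBR infection only runs when you boot from the affected disk, both come down to reading the first sectors of the disk and checking what is there. The following is an added example, not code from this thread, from RootRepeal, or from GMER's mbr.exe: it parses a classic MBR (bootstrap code, disk signature, partition table, 55AA signature) and reports which sectors differ between two reads of the same disk, which is the kind of comparison behind a sector-mismatch finding when one read goes through the normal I/O stack and the other through a path that bypasses a possibly hooked driver. The disk images are constructed inline, and the layout assumes XP's default first partition at LBA 63, so sectors 1 to 62 are the unpartitioned gap that RootRepeal listed.

```python
"""Hypothetical MBR parser and sector-compare check (added example; not
code from the thread, RootRepeal or GMER). The disk views are constructed
inline; a real check would read the same sectors through two independent
access paths and feed both reads to assess()."""
import hashlib
import struct

SECTOR_SIZE = 512


def parse_mbr(sector0: bytes) -> dict:
    """Decode the classic MBR layout of the first 512 bytes of a disk."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    bootcode = sector0[:440]                      # BIOS transfers control here at boot
    disk_signature = struct.unpack("<I", sector0[440:444])[0]
    partitions = []
    for i in range(4):
        entry = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, lba_count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "lba_count": lba_count})
    return {"bootcode_sha256": hashlib.sha256(bootcode).hexdigest(),
            "disk_signature": disk_signature,
            "partitions": partitions,
            "signature_ok": sector0[510:512] == b"\x55\xAA"}


def compare_sectors(reference: bytes, suspect: bytes) -> list:
    """Return the indices of sectors whose bytes differ between two reads."""
    if len(reference) != len(suspect):
        raise ValueError("both reads must cover the same number of sectors")
    n = len(reference) // SECTOR_SIZE
    return [i for i in range(n)
            if reference[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
            != suspect[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]]


def assess(reference: bytes, suspect: bytes) -> dict:
    """Parse the MBR from the reference read, list mismatching sectors, and
    single out mismatches in the gap between the MBR and the first partition
    (sectors 1..62 on XP's default layout, exactly what RootRepeal reported)."""
    mbr = parse_mbr(reference[:SECTOR_SIZE])
    first_lba = min((p["lba_start"] for p in mbr["partitions"]), default=0)
    diffs = compare_sectors(reference, suspect)
    return {"mbr": mbr,
            "mismatched_sectors": diffs,
            "mbr_mismatch": 0 in diffs,
            "gap_mismatches": [i for i in diffs if 0 < i < first_lba]}


def build_image(bootcode: bytes, gap_byte: int, gap_sectors: int = 62) -> bytes:
    """Constructed sample disk: one bootable NTFS partition at LBA 63."""
    sector0 = bytearray(SECTOR_SIZE)
    sector0[:len(bootcode)] = bootcode
    sector0[440:444] = struct.pack("<I", 0xDEADBEEF)       # constructed disk signature
    sector0[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2_000_000)
    sector0[510:512] = b"\x55\xAA"
    return bytes(sector0) + bytes([gap_byte]) * SECTOR_SIZE * gap_sectors


# Constructed sample reads: the reference view, and a view in which sector 0's
# bootstrap bytes and the whole pre-partition gap differ. Both bootstraps are
# placeholder bytes, not real boot code.
CLEAN_VIEW = build_image(b"\x33\xC0\x8E\xD0\xBC\x00\x7C", 0x00)
ALTERED_VIEW = build_image(b"\xEB\xFE", 0x4B)

if __name__ == "__main__":
    result = assess(CLEAN_VIEW, ALTERED_VIEW)
    print("MBR signature ok:", result["mbr"]["signature_ok"])
    print("first partition LBA:", result["mbr"]["partitions"][0]["lba_start"])
    print("MBR differs:", result["mbr_mismatch"])
    print("gap sectors differing:", len(result["gap_mismatches"]))
```

Reading the drive while it is attached as a data disk to another machine, as the poster did over USB, gives the reference read: nothing on that disk's MBR runs, so a driver hook on the scanning machine is the only thing that could alter it. A mismatch between that read and one taken from the disk's own booted Windows is the signal worth acting on; the MBR then needs to be compared against a known-good bootstrap hash or rewritten with fixmbr on the machine that boots from it, since, as #7 notes, fixmbr only touches the booted disk.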

#10 SEANerDotNET

SEANerDotNET
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:02:49 PM

Posted 31 January 2010 - 11:06 AM

QUOTE(myrti @ Jan 29 2010, 06:25 AM)
Do you use any kind of encryption software that may have altered the MBR and hence produce a false positive?



No encryption software has ever been used as far as I'm aware.


QUOTE(myrti @ Jan 29 2010, 06:25 AM)
On the same install on which you ran ComboFix, please run DeFogger:
Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Followed by mbr:
  • Go to Start > Run and type: cmd.exe
  • Press OK.
  • At the command prompt type: mbr.exe -t >"C:\mbr.log"
  • Press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
regards myrti




Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
kernel: MBR read successfully
user & kernel MBR OK



Thank you. What's next?

#11 SEANerDotNET

SEANerDotNET
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:02:49 PM

Posted 04 February 2010 - 12:19 PM

Any chance I can get an update on this issue before it's automatically closed? All assistance is greatly appreciated. Thank you.

#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:49 PM

Posted 05 February 2010 - 07:20 AM

Hi,

Very sorry about the delay! Just to reassure you: the topics aren't closed automatically. I am the one who will close this topic once we are done, and I won't close the topic while you are still waiting for replies.

Did you run mbr.exe -t on the Windows installation that is present on the TB-drive, or did you run mbr.exe -t with the 1TB drive attached as USB?
Could you please check if the Windows installation on the TB-drive has a folder C:\documents and settings\helpassistant or the file C:\windows\system32\termsvr32.dll?

regards myrti



#13 SEANerDotNET

SEANerDotNET
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:02:49 PM

Posted 05 February 2010 - 11:42 AM

QUOTE(myrti @ Feb 5 2010, 04:20 AM)
Hi,

Very sorry about the delay! Just to reassure you: the topics aren't closed automatically. I am the one who will close this topic once we are done, and I won't close the topic while you are still waiting for replies.


Very informative. Thank you.

QUOTE(myrti @ Feb 5 2010, 04:20 AM)
Did you run mbr.exe -t on the Windows installation that is present on the TB-drive, or did you run mbr.exe -t with the 1TB drive attached as USB?
Could you please check if the Windows installation on the TB-drive has a folder C:\documents and settings\helpassistant or the file C:\windows\system32\termsvr32.dll?



Yes, I did run mbr.exe -t on the Windows installation that is present on the TB-drive, while booted into Windows on the TB-drive.

The only tool I ran recently on the TB-drive while not booted into its Windows installation was RootRepeal.exe. Everything else I ran on the TB-drive while booted into Windows on the TB-drive.

However, on that same Windows installation on the TB-drive there is neither a folder C:\documents and settings\helpassistant nor the file C:\windows\system32\termsvr32.dll.

What's next?

Thank you,
SEAN

#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:49 PM

Posted 05 February 2010 - 11:59 AM

Hi,

MBR infections are hard to detect, but can be easily cleaned by fixmbr or mbr.exe -f. But you've done both with no effect, and you are not seeing any other signs of infection.

The folder and file I asked about will frequently show up with an MBR rootkit infection. Since they are not present and no other tool is picking up on an MBR rootkit infection, I suspect that it is a false positive from RootRepeal.

regards myrti



#15 SEANerDotNET

SEANerDotNET
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:02:49 PM

Posted 05 February 2010 - 12:21 PM

QUOTE(myrti @ Feb 5 2010, 08:59 AM)
Hi,

MBR infections are hard to detect, but can be easily cleaned by fixmbr or mbr.exe -f. But you've done both with no effect, and you are not seeing any other signs of infection.

The folder and file I asked about will frequently show up with an MBR rootkit infection. Since they are not present and no other tool is picking up on an MBR rootkit infection, I suspect that it is a false positive from RootRepeal.

regards myrti



Now, when you say I ran fixmbr on that drive, I'm assuming that's what ComboFix did on its own... I didn't manually do it on the TB-drive. I ran fixmbr on the 80GB drive as a test to see if it would work. Maybe I'm confusing myself now. So much time has passed since before I started this thread. I don't actually recall doing mbr.exe -f on that drive. I would like to try those two things as a final step to resolving this issue... what do you recommend I do next?



