
Possible remnants of Winfixer or Vundo attack


  • This topic is locked
16 replies to this topic

#1 Ken Wald (Members, 8 posts)

Posted 22 January 2010 - 01:31 PM

About a month ago, the computer started getting bogus alerts that the system was infected by malware, and that I should click on them to buy software to clean it up. The network connection was disabled, and I wasn't able to launch any other software. Attempting to boot into Safe Mode would result in the BSOD. I managed to clean up the bulk of the problem using Malwarebytes and SuperAntiSpyware.

I've been able to use the system, but occasionally Google search links take me to ads or search sites. When using Firefox, new tabs open up with ads. Trying to boot into Safe Mode still results in BSOD, and a couple days ago, the computer started randomly rebooting itself.


When the system decides to reboot itself, it reports this message:

"Windows must now restart because the DCOMServer Process Launcher service terminated unexpectedly."


After the reboot and logging back into Windows, it reports this message:

"Data Execution Prevention
To help protect your computer, Windows has closed this program
Name: Generic Host Process for Win32 Services"

and then asks if I want to send a report.


When I run dds.scr, the window that opens up says it doesn't support my OS (Windows Server 2003 SP2), so I've included a log generated by Hijack This.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:56 PM, on 1/21/2010
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir Server\sched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AMCC\3DM2\3dm2.exe
C:\Program Files\Avira\AntiVir Server\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sttray.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir Server\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MacDrive application] "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"
O4 - HKLM\..\Run: [Getting started with MacDrive] "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Server\avgnt.exe" /min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: WinAVAlarm.lnk = C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
O15 - ESC Trusted Zone: http://jp-nii01.mozilla.org
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = optimus.com
O17 - HKLM\Software\..\Telephony: DomainName = optimus.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{947820E0-880F-4E27-AB8D-6F60083F7D79}: NameServer = 192.168.161.227,192.168.161.228
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = optimus.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = optimus.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AMCC 3DM2 (3DM2) - AMCC - C:\Program Files\AMCC\3DM2/3dm2.exe
O23 - Service: Avira AntiVir Server scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir Server\sched.exe
O23 - Service: Avira AntiVir Server (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Server\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MacDrive service (MacDriveService) - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 5287 bytes

Attached Files

  • Attached File: ark.txt (1.18 KB)
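The HijackThis log above is read by scanning a handful of entry types: O4 autoruns, O17 DNS/domain settings and O23 services. The script below is an added example, not part of this thread or of HijackThis, that runs the first-pass checks a malware-response volunteer applies to those lines: an autorun that is a bare filename (resolved through the search path) or that starts from a user profile or temp directory, a NameServer outside the RFC 1918 private ranges, and a service with no company name, a forward slash in its path, or a binary outside Windows and Program Files. The heuristics are the example's own. The O23 lines and the first O17 NameServer line are quoted from the log above; the `[updater]` autorun and the second O17 line (198.51.100.7 is a documentation address) are constructed to show what a hit looks like. A hit is a prompt to look at the entry, not a verdict.

```python
"""First-pass triage of HijackThis O4 / O17 / O23 lines (added example)."""
import ipaddress
import re

# Sample log. O23 lines and the first NameServer line are from the posted log;
# the "[updater]" O4 line and the 198.51.100.7 O17 line are constructed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Server\avgnt.exe" /min
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Administrator\Local Settings\Temp\upd.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = optimus.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{947820E0-880F-4E27-AB8D-6F60083F7D79}: NameServer = 192.168.161.227,192.168.161.228
O17 - HKLM\System\CS1\Services\Tcpip\..\{CONSTRUCTED-GUID}: NameServer = 198.51.100.7
O23 - Service: AMCC 3DM2 (3DM2) - AMCC - C:\Program Files\AMCC\3DM2/3dm2.exe
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9.,]+)")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<company>.+?) - (?P<path>[A-Za-z]:[\\/].*)$")
# Unquoted command line: the program ends at the first executable extension.
EXT_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|dll|scr|com|bat|cmd|pif))(?=\s|,|$)", re.IGNORECASE)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")
PROFILE_DIRS = ("\\documents and settings\\", "\\temp\\")


def is_rfc1918(ip):
    # ipaddress.is_private also covers documentation nets, so check RFC 1918 explicitly.
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def executable_of(cmd):
    """Program part of an autorun command: quoted string, else up to the extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    return m.group("exe") if m else cmd.split()[0]


def triage(log_text):
    """Return a list of (entry_type, reason, line) for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd")).lower()
            if "\\" not in exe:
                findings.append(("O4", "bare filename, resolved via search path", line))
            elif any(p in exe for p in PROFILE_DIRS):
                findings.append(("O4", "autorun from user profile / temp directory", line))
            continue
        m = O17_RE.match(line)
        if m:
            for server in m.group("servers").split(","):
                if not is_rfc1918(server):
                    findings.append(("O17", f"non-RFC1918 nameserver {server}", line))
            continue
        m = O23_RE.match(line)
        if m:
            company, path = m.group("company"), m.group("path")
            if company.lower() == "unknown owner":
                findings.append(("O23", "service binary has no company name", line))
            if "/" in path:
                findings.append(("O23", "forward slash in service path", line))
            if not path.lower().startswith(TRUSTED_DIRS):
                findings.append(("O23", "service outside Windows/Program Files", line))
    return findings


if __name__ == "__main__":
    for entry_type, reason, line in triage(SAMPLE_LOG):
        print(f"{entry_type}: {reason}\n    {line}")
```

On the sample this reports five entries: the bare `nwiz.exe` autorun, the constructed profile-directory autorun, the constructed public nameserver, the `3DM2` service path with a forward slash, and the Marvell service without a company name. Bare-filename hits are common for vendor tray applications, which is why the script reports rather than judges.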



#2 schrauber (Mr.Mechanic, Malware Response Team, 24,794 posts, Munich, Germany)

Posted 29 January 2010 - 12:24 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 Ken Wald (Topic Starter, Members, 8 posts)

Posted 29 January 2010 - 04:36 PM

Hi, and thank you for the reply. No worries on the delay.

My situation hasn't changed since my original post, other than I now shut down the computer when it's not in use.

After disabling SUPER AntiSpyware and Avira (made sure the umbrella icon was closed) and after disconnecting from the internet (pulled the ethernet cable out of the NIC), I am still unable to successfully run DDS.scr. When I try to launch it, the window that opens up reports this message:

"This tool does not support your Operating System
Press any key to continue..."

My machine is running Windows Server 2003 SP2.

Is there another tool I might run instead?


Thanks!

#4 schrauber (Mr.Mechanic, Malware Response Team, 24,794 posts, Munich, Germany)

Posted 30 January 2010 - 09:52 AM

Hi,
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber

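The `/md5start` ... `/md5stop` block in the instructions above asks OTL to hash each listed file in every location it finds it: the live copy under system32 or system32\drivers, the protected copy in dllcache, any ReinstallBackups copy and the service-pack .cab. That lets the live copy be compared against copies the system keeps for repair. The helper below is an added example, not OTL's code and not part of this thread: it parses `< MD5 for: ... >` blocks and reports a live copy whose hash could not be read while its reference copies hashed fine, or whose hash differs from the dllcache/backup copies. The sample block is constructed in OTL's output format; the netlogon.dll line with the 2010 timestamp and the hash `0123...CDEF` is invented to show what a mismatch looks like, and the choice of which directories count as reference copies is the example's own assumption.

```python
"""Check OTL '< MD5 for: ... >' blocks for live system files whose hash is
missing or differs from the protected copies (added example, not OTL code)."""
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^< MD5 for: (?P<name>[^>]+?) >$")
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[^|]+)\| (?P<size>[\d,]+) \|[^\]]*\] \((?P<company>[^)]*)\) "
    r"(?P<hash>MD5=[0-9A-Fa-f]{32}|Unable to obtain MD5|\.cab file) -- (?P<path>.+)$"
)
# Assumption: these directories hold pristine copies; anything else is a live copy.
REFERENCE_MARKERS = ("\\dllcache\\", "\\reinstallbackups\\", "\\driver cache\\")

# Constructed sample in OTL's output format. The second netlogon.dll line
# (2010 timestamp, hash 0123...CDEF) is invented to show a mismatch.
SAMPLE_OTL = r"""
< MD5 for: ATAPI.SYS >
[2007/02/18 06:00:00 | 016,191,101 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2007/02/17 03:18:02 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=FF953A8F08CA3F822127654375786BBE -- C:\WINDOWS\system32\dllcache\atapi.sys
[2007/02/17 03:18:02 | 000,096,768 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2007/02/18 06:00:00 | 000,068,608 | ---- | M] (Microsoft Corporation) MD5=3AAB2418271343FE97F98AEF93F50E5F -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2007/02/18 06:00:00 | 000,068,608 | ---- | M] (Microsoft Corporation) MD5=3AAB2418271343FE97F98AEF93F50E5F -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2007/02/18 06:00:00 | 000,430,592 | ---- | M] (Microsoft Corporation) MD5=451564B8F22461D90CF8ED3945637845 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2010/01/19 02:14:11 | 000,430,592 | ---- | M] (Microsoft Corporation) MD5=0123456789ABCDEF0123456789ABCDEF -- C:\WINDOWS\system32\netlogon.dll

< %systemroot%\*. /mp /s >
< End of report >
"""


def is_reference(path):
    p = path.lower()
    return any(marker in p for marker in REFERENCE_MARKERS)


def parse_md5_blocks(text):
    """Return {filename_lower: [copy, ...]}, one dict per location OTL hashed."""
    blocks = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):
            h = HEADER_RE.match(line)
            current = h.group("name").lower() if h else None  # other custom scans reset
            continue
        m = ENTRY_RE.match(line) if current else None
        if not m:
            continue
        hash_field = m.group("hash")
        blocks[current].append({
            "path": m.group("path"),
            "md5": hash_field[4:].upper() if hash_field.startswith("MD5=") else None,
            "readable": hash_field != "Unable to obtain MD5",
            "cab": hash_field == ".cab file",
            "size": int(m.group("size").replace(",", "")),
            "company": m.group("company"),
        })
    return blocks


def check(blocks):
    """Return (filename, reason, path) for each live copy that disagrees with its references."""
    findings = []
    for name, copies in blocks.items():
        reference_hashes = {c["md5"] for c in copies if is_reference(c["path"]) and c["md5"]}
        for c in copies:
            if is_reference(c["path"]) or c["cab"]:
                continue
            if not c["readable"]:
                why = "live copy unreadable" + (" while reference copies hashed fine" if reference_hashes else "")
                findings.append((name, why, c["path"]))
            elif reference_hashes and c["md5"] not in reference_hashes:
                findings.append((name, "live copy hash differs from dllcache/backup copies", c["path"]))
    return findings


if __name__ == "__main__":
    for name, reason, path in check(parse_md5_blocks(SAMPLE_OTL)):
        print(f"{name}: {reason}\n    {path}")
```

On the sample this reports atapi.sys (the copy in system32\drivers could not be hashed although dllcache and the .cab copy could) and netlogon.dll (live hash differs from dllcache), and stays silent on eventlog.dll. An unreadable live copy is worth following up with the ark (anti-rootkit) log the thread also asks for, since a file that other tools can hash but this one cannot is exactly the case the MD5 list is meant to surface.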

#5 Ken Wald (Topic Starter, Members, 8 posts)

Posted 01 February 2010 - 10:34 AM

Here you go. For what it's worth, I left the computer on all weekend with the ethernet cable unplugged from the machine, and it did not reboot itself. Up until now, it would reboot itself somewhere within 5-30 minutes of logging in.


-----------------------------------------------------------------------------------------------------------------------------------------------------

OTL logfile created on: 2/1/2010 9:27:04 AM - Run 1
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Server 2003 R2 Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 6.0.3790.3959)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 87.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.68 Gb Total Space | 59.94 Gb Free Space | 78.17% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 7450.37 Gb Total Space | 3463.03 Gb Free Space | 46.48% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SCRATCH
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/02/01 09:25:58 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/01/20 13:21:15 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2010/01/20 13:21:15 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2010/01/05 18:57:22 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/11/23 08:43:26 | 002,001,648 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/07/14 11:52:59 | 000,197,377 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Server\avguard.exe
PRC - [2009/06/15 11:07:08 | 000,201,304 | ---- | M] (Mediafour Corporation) -- C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
PRC - [2009/03/17 16:09:00 | 000,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2009/03/02 14:33:44 | 000,206,593 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Server\avgnt.exe
PRC - [2008/11/26 10:51:07 | 000,072,961 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Server\sched.exe
PRC - [2008/11/26 10:23:46 | 000,150,528 | ---- | M] (Mediafour Corporation) -- C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
PRC - [2008/09/30 16:46:18 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2008/09/30 16:46:12 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2008/02/08 19:29:37 | 001,294,336 | ---- | M] (AMCC) -- C:\Program Files\AMCC\3DM2\3dm2.exe
PRC - [2008/01/18 18:36:28 | 000,424,448 | ---- | M] () -- C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
PRC - [2008/01/08 20:16:59 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\sttray.exe
PRC - [2008/01/08 20:16:57 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
PRC - [2007/02/18 06:00:00 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/08/09 21:46:16 | 000,114,688 | ---- | M] () -- C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
PRC - [2006/04/29 03:47:14 | 000,020,541 | ---- | M] (Apache Software Foundation) -- C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
PRC - [2005/04/29 18:44:06 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE


========== Modules (SafeList) ==========

MOD - [2010/02/01 09:25:58 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2007/02/17 00:04:16 | 001,051,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/01/20 13:21:15 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/07/14 11:52:59 | 000,197,377 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Server\avguard.exe -- (AntiVirService)
SRV - [2009/03/17 16:09:00 | 000,163,908 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2008/11/26 10:51:07 | 000,072,961 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Server\sched.exe -- (AntiVirScheduler)
SRV - [2008/11/26 10:23:46 | 000,150,528 | ---- | M] (Mediafour Corporation) [Auto | Running] -- C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe -- (MacDriveService)
SRV - [2008/02/08 19:29:37 | 001,294,336 | ---- | M] () [Auto | Running] -- C:\Program Files\AMCC\3DM2/3dm2.exe -- (3DM2)
SRV - [2008/01/08 20:16:57 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe -- (STacSV)
SRV - [2007/02/18 06:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/18 06:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2007/02/18 06:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/18 06:00:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/18 06:00:00 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/18 06:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2007/02/18 06:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/18 06:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [2006/08/09 21:46:16 | 000,114,688 | ---- | M] () [Auto | Running] -- C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe -- (Marvell RAID)
SRV - [2006/04/29 03:47:14 | 000,020,541 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe -- (MRUWebService)
SRV - [2005/04/29 18:44:06 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE -- (Pml Driver HPZ12)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "https://mail.optimus.com/zimbra/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/05 18:57:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/20 13:21:21 | 000,000,000 | ---D | M]

[2008/10/17 13:49:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/01/19 09:31:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9vun59f0.default\extensions
[2009/08/06 10:41:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9vun59f0.default\extensions\privatebrowsing@froilson.com
[2010/01/20 13:21:22 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2007/02/18 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Server\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Getting started with MacDrive] C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe (Mediafour Corporation)
O4 - HKLM..\Run: [MacDrive application] C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe (Mediafour Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinAVAlarm.lnk = C:\Program Files\AMCC\3DM2\WinAVAlarm.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = optimus.com
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\All Users\Application Data\Assimilator\Settings\SCRATCH.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/14 15:25:07 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{24119373-9ebb-11dd-b66d-001cc0321a54}\Shell\verb1\command - "" = H:\desktop.exe -- File not found
O33 - MountPoints2\{d7a999d2-9cb1-11dd-8281-001cc0321a54}\Shell\verb1\command - "" = G:\desktop.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/10/14 08:03:25 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
NetSvcs: TrkSvr - C:\WINDOWS\system32\trksvr.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
SystemRestore not available.

========== Files/Folders - Created Within 14 Days ==========

[2010/02/01 09:25:58 | 000,548,864 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/01/20 14:22:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/01/20 14:11:32 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/01/20 12:01:05 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\UserData
[2010/01/20 09:40:52 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2010/01/18 12:41:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\.red
[2010/01/18 12:35:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\REDCINE-X
[2008/11/05 13:06:38 | 004,556,134 | ---- | C] (InstallShield Software Corporation) -- C:\Program Files\swissknife.exe
[2008/10/17 13:54:29 | 000,454,656 | ---- | C] (Simon Tatham) -- C:\Program Files\putty.exe
[2008/10/14 15:25:05 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/10/14 15:25:05 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/10/14 15:25:05 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/10/14 15:25:05 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/02/01 09:25:58 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/01/29 16:18:09 | 000,264,297 | ---- | M] () -- C:\WINDOWS\System32\NvwsApps.xml
[2010/01/29 16:18:02 | 000,000,241 | ---- | M] () -- C:\WINDOWS\System32\61xx.xml
[2010/01/29 16:17:51 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/29 16:17:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/29 15:40:31 | 005,242,880 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/01/28 17:55:11 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/01/28 17:49:21 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/20 14:11:33 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2010/01/20 09:41:35 | 000,001,754 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\cc_20100120_094114.reg
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/20 14:11:33 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2010/01/20 09:41:17 | 000,001,754 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\cc_20100120_094114.reg
[2009/03/17 16:09:00 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/03/17 16:09:00 | 001,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/03/17 16:09:00 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/03/17 16:09:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/11/26 16:13:24 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\PUTTY.RND
[2008/11/05 13:07:03 | 000,014,976 | ---- | C] () -- C:\WINDOWS\System32\drivers\SBKUPNT.SYS
[2008/11/05 13:06:55 | 000,002,799 | ---- | C] () -- C:\WINDOWS\SKLANG.INI
[2008/10/26 09:56:39 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/10/23 13:07:26 | 004,438,006 | ---- | C] () -- C:\Program Files\MetaCheater v1.5.exe
[2008/10/21 19:04:03 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\PUTTY.RND
[2008/10/20 09:26:59 | 000,000,005 | ---- | C] () -- C:\WINDOWS\System32\scvhost.ini
[2007/12/20 19:32:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/02/18 06:00:00 | 000,179,440 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
[2007/02/18 06:00:00 | 000,082,432 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2007/02/18 06:00:00 | 000,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
[2007/02/18 06:00:00 | 000,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
[2007/02/18 06:00:00 | 000,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
[2007/02/18 06:00:00 | 000,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
[2007/02/18 06:00:00 | 000,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini
[2006/06/08 00:27:18 | 000,047,430 | ---- | C] () -- C:\WINDOWS\php.ini

========== LOP Check ==========

[2009/04/02 16:44:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Avid Technology
[2008/11/04 14:07:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\dBpoweramp
[2008/12/16 10:19:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\djv-0.8-1
[2010/01/14 12:10:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\FileZilla
[2009/10/29 10:27:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\HDRsoft
[2008/10/24 11:18:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Notepad++
[2008/10/24 11:08:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org
[2010/01/21 17:32:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\TeraCopy
[2009/04/14 15:51:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\XnView
[2008/10/15 08:54:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AMCC
[2009/08/24 12:15:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Assimilator
[2008/10/17 16:09:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Mediafour
[2009/02/04 13:31:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\REDCINE
[2010/01/20 14:22:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/01/29 15:40:11 | 000,032,650 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2009/03/02 22:47:38 | 000,049,233 | ---- | M] () -- C:\fat32format.exe


< MD5 for: AGP440.SYS >
[2007/02/18 06:00:00 | 016,191,101 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2007/02/18 06:00:00 | 016,191,101 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2007/02/17 03:18:02 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=FF953A8F08CA3F822127654375786BBE -- C:\WINDOWS\system32\dllcache\atapi.sys
[2007/02/18 06:00:00 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=FF953A8F08CA3F822127654375786BBE -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys
[2007/02/17 03:18:02 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=FF953A8F08CA3F822127654375786BBE -- C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys
[2007/02/17 03:18:02 | 000,096,768 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2007/02/18 06:00:00 | 000,068,608 | ---- | M] (Microsoft Corporation) MD5=3AAB2418271343FE97F98AEF93F50E5F -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2007/02/18 06:00:00 | 000,068,608 | ---- | M] (Microsoft Corporation) MD5=3AAB2418271343FE97F98AEF93F50E5F -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2007/02/18 06:00:00 | 000,430,592 | ---- | M] (Microsoft Corporation) MD5=451564B8F22461D90CF8ED3945637845 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2007/02/18 06:00:00 | 000,430,592 | ---- | M] (Microsoft Corporation) MD5=451564B8F22461D90CF8ED3945637845 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2007/02/18 06:00:00 | 000,188,928 | ---- | M] (Microsoft Corporation) MD5=E7B7FD7D8907DADED4928E922608887F -- C:\WINDOWS\system32\dllcache\scecli.dll
[2007/02/18 06:00:00 | 000,188,928 | ---- | M] (Microsoft Corporation) MD5=E7B7FD7D8907DADED4928E922608887F -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >


-------------------------------------------------------------------------------------------------------------------------



OTL Extras logfile created on: 2/1/2010 9:27:04 AM - Run 1
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Server 2003 R2 Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 6.0.3790.3959)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 87.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.68 Gb Total Space | 59.94 Gb Free Space | 78.17% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 7450.37 Gb Total Space | 3463.03 Gb Free Space | 46.48% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SCRATCH
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with XnView] -- "C:\Program Files\XnView\xnview.exe" "%1" (XnView, http://www.xnview.com)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\wuauserv.exe" = C:\WINDOWS\system32\wuauserv.exe:LocalSubNet:Enabled:TCP -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{107254A0-0ADF-11D4-9397-00D0B7020B38}" =
"{1468862C-2178-42AC-83A3-AAE994359894}" = Avira AntiVir Server
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{250680A1-75A4-4EF3-98CC-85ABB671DF55}" = REDCINE
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{8126EFC2-3C32-4B3B-9EB9-C96667BED6F1}" = Avid MetaFuze
"{8CA36737-3E7D-444B-8BDD-B457968229FA}" = SCRATCH
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C1537E2-14E9-4927-9181-71484FFFBDB8}" = Avid Codecs LE
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{EBD6B3E2-D43A-4F7D-A9FD-1F359E0C2320}" = MacDrive 7
"{F44DA61E-720D-4E79-871F-F6E628B33242}" = OpenOffice.org 3.0
"{F5346614-B7C4-4E94-826A-E2363155233D}" = EasyCleaner
"8c793da9f0aa7e94d3b4faba721006ff-1001563592" = 3ware Disk Management Tools
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ASIO4ALL" = ASIO4ALL
"CCleaner" = CCleaner
"Cine Viewer" = Cine Viewer 675
"dBpoweramp [Calculate Audio CRC] Codec" = dBpoweramp [Calculate Audio CRC] Codec
"dBpoweramp Dalet Codec" = dBpoweramp Dalet Codec
"dBpoweramp FLAC Codec" = dBpoweramp FLAC Codec
"dBpoweramp m4a Codec" = dBpoweramp m4a Codec
"dBpoweramp Monkeys Audio Codec" = dBpoweramp Monkeys Audio Codec
"dBpoweramp Mp2 and BwfMp2 codec" = dBpoweramp Mp2 and BwfMp2 codec
"dBpoweramp mp3 (Fraunhofer IIS) Codec" = dBpoweramp mp3 (Fraunhofer IIS) Codec
"dBpoweramp Music Converter" = dBpoweramp Music Converter
"dBpoweramp Ogg Vorbis Codec" = dBpoweramp Ogg Vorbis Codec
"dBpoweramp Real Audio (Helix) Encoder" = dBpoweramp Real Audio (Helix) Encoder
"dBPoweramp tooLame MP2 codec" = dBPoweramp tooLame MP2 codec
"dBpoweramp Wave64 Codec" = dBpoweramp Wave64 Codec
"dBpoweramp WavPack Codec" = dBpoweramp WavPack Codec
"FileZilla Client" = FileZilla Client 3.3.1
"Foxit Reader" = Foxit Reader
"GraphicsMagick 1.3.3 Q16_is1" = GraphicsMagick 1.3.3 Q16 (2008-12-09)
"HDR PhotoStudio 2" = HDR PhotoStudio 2
"HijackThis" = HijackThis 2.0.2
"IRIDAS FrameCycler Professional_is1" = IRIDAS FrameCycler Professional 2008 Release SP2a
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"mv61xxMRU" = Marvell 61xx MRU
"Notepad++" = Notepad++
"NVIDIA Drivers" = NVIDIA Drivers
"PROSet" = Intel® PRO Network Connections Drivers
"TeraCopy_is1" = TeraCopy 1.22
"WEISSCAM HS-2" = WEISSCAM HS-2
"XnView_is1" = XnView 1.95.4
"XP Codec Pack" = XP Codec Pack

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/1/2010 1:18:15 AM | Computer Name = SCRATCH | Source = Avira AntiVir | ID = 4129
Description = The update from SCRATCH (127.0.0.1) failed. 2. There were no new files
loaded.

Error - 2/1/2010 2:18:15 AM | Computer Name = SCRATCH | Source = Avira AntiVir | ID = 4129
Description = The update from SCRATCH (127.0.0.1) failed. 2. There were no new files
loaded.

Error - 2/1/2010 3:18:15 AM | Computer Name = SCRATCH | Source = Avira AntiVir | ID = 4129
Description = The update from SCRATCH (127.0.0.1) failed. 2. There were no new files
loaded.

Error - 2/1/2010 4:18:16 AM | Computer Name = SCRATCH | Source = Avira AntiVir | ID = 4129
Description = The update from SCRATCH (127.0.0.1) failed. 2. There were no new files
loaded.

Error - 2/1/2010 5:18:16 AM | Computer Name = SCRATCH | Source = Avira AntiVir | ID = 4129
Description = The update from SCRATCH (127.0.0.1) failed. 2. There were no new files
loaded.

Error - 2/1/2010 6:18:16 AM | Computer Name = SCRATCH | Source = Avira AntiVir | ID = 4129
Description = The update from SCRATCH (127.0.0.1) failed. 2. There were no new files
loaded.

Error - 2/1/2010 7:18:16 AM | Computer Name = SCRATCH | Source = Avira AntiVir | ID = 4129
Description = The update from SCRATCH (127.0.0.1) failed. 2. There were no new files
loaded.

Error - 2/1/2010 8:18:17 AM | Computer Name = SCRATCH | Source = Avira AntiVir | ID = 4129
Description = The update from SCRATCH (127.0.0.1) failed. 2. There were no new files
loaded.

Error - 2/1/2010 9:18:17 AM | Computer Name = SCRATCH | Source = Avira AntiVir | ID = 4129
Description = The update from SCRATCH (127.0.0.1) failed. 2. There were no new files
loaded.

Error - 2/1/2010 10:18:17 AM | Computer Name = SCRATCH | Source = Avira AntiVir | ID = 4129
Description = The update from SCRATCH (127.0.0.1) failed. 2. There were no new files
loaded.

[ System Events ]
Error - 1/29/2010 4:58:40 PM | Computer Name = SCRATCH | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/29/2010 4:58:40 PM | Computer Name = SCRATCH | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/29/2010 5:03:29 PM | Computer Name = SCRATCH | Source = Service Control Manager | ID = 7031
Description = The DCOM Server Process Launcher service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Reboot the machine.

Error - 1/29/2010 5:07:17 PM | Computer Name = SCRATCH | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot
15, function 0. Please contact your system vendor for technical assistance.

Error - 1/29/2010 5:07:17 PM | Computer Name = SCRATCH | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/29/2010 5:07:17 PM | Computer Name = SCRATCH | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/29/2010 5:39:44 PM | Computer Name = SCRATCH | Source = Service Control Manager | ID = 7031
Description = The DCOM Server Process Launcher service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Reboot the machine.

Error - 1/29/2010 6:18:17 PM | Computer Name = SCRATCH | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot
15, function 0. Please contact your system vendor for technical assistance.

Error - 1/29/2010 6:18:17 PM | Computer Name = SCRATCH | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/29/2010 6:18:17 PM | Computer Name = SCRATCH | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.


< End of report >



#6 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 01 February 2010 - 02:37 PM

Hi,


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#7 Ken Wald

  • Topic Starter
  • Members
  • 8 posts

Posted 02 February 2010 - 10:24 AM

Malwarebytes' Anti-Malware 1.44
Database version: 3678
Windows 5.2.3790 Service Pack 2
Internet Explorer 6.0.3790.3959

2/2/2010 9:21:03 AM
mbam-log-2010-02-02 (09-21-03).txt

Scan type: Quick Scan
Objects scanned: 112780
Time elapsed: 3 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 02 February 2010 - 03:25 PM

Hi,

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt



Please post back with a fresh OTL logfile.
regards,
schrauber


#9 Ken Wald

  • Topic Starter
  • Members
  • 8 posts

Posted 03 February 2010 - 03:42 PM

Hello,

The computer rebooted itself several times while I was trying to run the ESET scanner, but I was finally able to make it all the way through. I was able to save one list of found threats from the first attempt before the computer rebooted. Here are the contents of that file:


C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache16318.tmp multiple threats deleted - quarantined
C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache43159.tmp multiple threats deleted - quarantined


---------------------------------------------------------------------------------------------------------------------------------------------------------

Here are the contents of ESET's log file:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=6.00.3790.3959 (srv03_sp2_rtm.070216-1710)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=202049d16c48494695c4a1d3d833a90d
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-03 03:20:52
# local_time=2010-02-03 09:20:52 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.2.3790 NT Service Pack 2
# compatibility_mode=crash
# scanned=6200
# found=2
# cleaned=2
# scan_time=270
C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache16318.tmp multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache43159.tmp multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
esets_scanner_update returned -1 esets_gle=53251
esets_scanner_update returned -1 esets_gle=53251
# version=7
# IEXPLORE.EXE=6.00.3790.3959 (srv03_sp2_rtm.070216-1710)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=202049d16c48494695c4a1d3d833a90d
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-03 05:37:02
# local_time=2010-02-03 11:37:02 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.2.3790 NT Service Pack 2
# compatibility_mode=crash
# scanned=3486
# found=0
# cleaned=0
# scan_time=171
esets_scanner_update returned -1 esets_gle=53251
# version=7
# IEXPLORE.EXE=6.00.3790.3959 (srv03_sp2_rtm.070216-1710)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=202049d16c48494695c4a1d3d833a90d
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-03 06:00:44
# local_time=2010-02-03 12:00:44 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.2.3790 NT Service Pack 2
# compatibility_mode=crash
# scanned=68379
# found=5
# cleaned=5
# scan_time=1173
F:\Jobs\13932_aleve\1_Media\1_R3Ds\Aleve Cam Report 6.19.09.doc W97M/Thus.I virus (cleaned - quarantined) 00000000000000000000000000000000 C
F:\Jobs\13976_UnderArmor\Mag_13\AUTORUN.INF INF/Autorun.gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
F:\Jobs\13976_UnderArmor\Mag_13\infrom.exe Win32/ShipUp.NAG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
F:\Jobs\13976_UnderArmor\Mag_13\ms.config\ldup.exe Win32/ShipUp.NAB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
F:\Jobs\13976_UnderArmor\Mag_13\rm\sy.exe Win32/ShipUp.NAB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
esets_scanner_update returned -1 esets_gle=53251
# version=7
# IEXPLORE.EXE=6.00.3790.3959 (srv03_sp2_rtm.070216-1710)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=202049d16c48494695c4a1d3d833a90d
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-03 06:30:03
# local_time=2010-02-03 12:30:03 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.2.3790 NT Service Pack 2
# compatibility_mode=crash
# scanned=62503
# found=0
# cleaned=0
# scan_time=1061
esets_scanner_update returned -1 esets_gle=53251
# version=7
# IEXPLORE.EXE=6.00.3790.3959 (srv03_sp2_rtm.070216-1710)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=202049d16c48494695c4a1d3d833a90d
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-03 07:38:33
# local_time=2010-02-03 01:38:33 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.2.3790 NT Service Pack 2
# compatibility_mode=crash
# scanned=9949
# found=0
# cleaned=0
# scan_time=321
esets_scanner_update returned -1 esets_gle=53251
# version=7
# IEXPLORE.EXE=6.00.3790.3959 (srv03_sp2_rtm.070216-1710)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=202049d16c48494695c4a1d3d833a90d
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-03 07:59:44
# local_time=2010-02-03 01:59:44 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.2.3790 NT Service Pack 2
# compatibility_mode=crash
# scanned=54720
# found=0
# cleaned=0
# scan_time=1012
esets_scanner_update returned -1 esets_gle=53251
# version=7
# IEXPLORE.EXE=6.00.3790.3959 (srv03_sp2_rtm.070216-1710)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=202049d16c48494695c4a1d3d833a90d
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-03 08:21:09
# local_time=2010-02-03 02:21:09 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.2.3790 NT Service Pack 2
# compatibility_mode=crash
# scanned=58400
# found=0
# cleaned=0
# scan_time=1038


---------------------------------------------------------------------------------------------------------------------------------------------------------


And here is a recent OTL scan:


OTL logfile created on: 2/3/2010 2:34:41 PM - Run 2
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Server 2003 R2 Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 6.0.3790.3959)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 83.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.68 Gb Total Space | 60.05 Gb Free Space | 78.31% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 7450.37 Gb Total Space | 4431.89 Gb Free Space | 59.49% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SCRATCH
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/02/01 09:25:58 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/01/20 13:21:15 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2010/01/20 13:21:15 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/11/23 08:43:26 | 002,001,648 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/07/14 11:52:59 | 000,197,377 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Server\avguard.exe
PRC - [2009/06/15 11:07:08 | 000,201,304 | ---- | M] (Mediafour Corporation) -- C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
PRC - [2009/03/17 16:09:00 | 000,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2009/03/02 14:33:44 | 000,206,593 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Server\avgnt.exe
PRC - [2008/11/26 10:51:07 | 000,072,961 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Server\sched.exe
PRC - [2008/11/26 10:23:46 | 000,150,528 | ---- | M] (Mediafour Corporation) -- C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
PRC - [2008/09/30 16:46:18 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2008/09/30 16:46:12 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2008/02/08 19:29:37 | 001,294,336 | ---- | M] (AMCC) -- C:\Program Files\AMCC\3DM2\3dm2.exe
PRC - [2008/01/18 18:36:28 | 000,424,448 | ---- | M] () -- C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
PRC - [2008/01/08 20:16:59 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\sttray.exe
PRC - [2008/01/08 20:16:57 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
PRC - [2007/02/18 06:00:00 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/18 06:00:00 | 000,094,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
PRC - [2006/08/09 21:46:16 | 000,114,688 | ---- | M] () -- C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
PRC - [2006/04/29 03:47:14 | 000,020,541 | ---- | M] (Apache Software Foundation) -- C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
PRC - [2005/04/29 18:44:06 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE


========== Modules (SafeList) ==========

MOD - [2010/02/01 09:25:58 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2007/02/17 00:04:16 | 001,051,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/01/20 13:21:15 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/07/14 11:52:59 | 000,197,377 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Server\avguard.exe -- (AntiVirService)
SRV - [2009/03/17 16:09:00 | 000,163,908 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2008/11/26 10:51:07 | 000,072,961 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Server\sched.exe -- (AntiVirScheduler)
SRV - [2008/11/26 10:23:46 | 000,150,528 | ---- | M] (Mediafour Corporation) [Auto | Running] -- C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe -- (MacDriveService)
SRV - [2008/02/08 19:29:37 | 001,294,336 | ---- | M] () [Auto | Running] -- C:\Program Files\AMCC\3DM2/3dm2.exe -- (3DM2)
SRV - [2008/01/08 20:16:57 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe -- (STacSV)
SRV - [2007/02/18 06:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/18 06:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2007/02/18 06:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/18 06:00:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/18 06:00:00 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/18 06:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2007/02/18 06:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/18 06:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [2006/08/09 21:46:16 | 000,114,688 | ---- | M] () [Auto | Running] -- C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe -- (Marvell RAID)
SRV - [2006/04/29 03:47:14 | 000,020,541 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe -- (MRUWebService)
SRV - [2005/04/29 18:44:06 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE -- (Pml Driver HPZ12)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "https://mail.optimus.com/zimbra/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/05 18:57:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/20 13:21:21 | 000,000,000 | ---D | M]

[2008/10/17 13:49:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/02/01 09:29:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9vun59f0.default\extensions
[2009/08/06 10:41:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9vun59f0.default\extensions\privatebrowsing@froilson.com
[2010/02/01 09:29:51 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2007/02/18 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Server\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Getting started with MacDrive] C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe (Mediafour Corporation)
O4 - HKLM..\Run: [MacDrive application] C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe (Mediafour Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinAVAlarm.lnk = C:\Program Files\AMCC\3DM2\WinAVAlarm.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = optimus.com
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\All Users\Application Data\Assimilator\Settings\SCRATCH.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/14 15:25:07 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{24119373-9ebb-11dd-b66d-001cc0321a54}\Shell\verb1\command - "" = H:\desktop.exe -- File not found
O33 - MountPoints2\{d7a999d2-9cb1-11dd-8281-001cc0321a54}\Shell\verb1\command - "" = G:\desktop.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/10/14 08:03:25 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
NetSvcs: TrkSvr - C:\WINDOWS\system32\trksvr.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
SystemRestore not available.

========== Files/Folders - Created Within 14 Days ==========

[2010/02/03 09:14:34 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/02/01 09:25:58 | 000,548,864 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2008/11/05 13:06:38 | 004,556,134 | ---- | C] (InstallShield Software Corporation) -- C:\Program Files\swissknife.exe
[2008/10/17 13:54:29 | 000,454,656 | ---- | C] (Simon Tatham) -- C:\Program Files\putty.exe
[2008/10/14 15:25:05 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/10/14 15:25:05 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/10/14 15:25:05 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/10/14 15:25:05 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/02/03 14:02:33 | 000,366,373 | ---- | M] () -- C:\WINDOWS\System32\NvwsApps.xml
[2010/02/03 14:02:24 | 000,000,241 | ---- | M] () -- C:\WINDOWS\System32\61xx.xml
[2010/02/03 14:02:13 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/03 14:02:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/03 14:00:18 | 005,242,880 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/02/03 13:38:48 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/02/01 09:39:39 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/01 09:25:58 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/03/17 16:09:00 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/03/17 16:09:00 | 001,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/03/17 16:09:00 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/03/17 16:09:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/11/26 16:13:24 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\PUTTY.RND
[2008/11/05 13:07:03 | 000,014,976 | ---- | C] () -- C:\WINDOWS\System32\drivers\SBKUPNT.SYS
[2008/11/05 13:06:55 | 000,002,799 | ---- | C] () -- C:\WINDOWS\SKLANG.INI
[2008/10/26 09:56:39 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/10/23 13:07:26 | 004,438,006 | ---- | C] () -- C:\Program Files\MetaCheater v1.5.exe
[2008/10/21 19:04:03 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\PUTTY.RND
[2008/10/20 09:26:59 | 000,000,005 | ---- | C] () -- C:\WINDOWS\System32\scvhost.ini
[2007/12/20 19:32:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/02/18 06:00:00 | 000,179,440 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
[2007/02/18 06:00:00 | 000,082,432 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2007/02/18 06:00:00 | 000,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
[2007/02/18 06:00:00 | 000,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
[2007/02/18 06:00:00 | 000,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
[2007/02/18 06:00:00 | 000,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
[2007/02/18 06:00:00 | 000,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini
[2006/06/08 00:27:18 | 000,047,430 | ---- | C] () -- C:\WINDOWS\php.ini

========== LOP Check ==========

[2009/04/02 16:44:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Avid Technology
[2008/11/04 14:07:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\dBpoweramp
[2008/12/16 10:19:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\djv-0.8-1
[2010/01/14 12:10:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\FileZilla
[2009/10/29 10:27:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\HDRsoft
[2008/10/24 11:18:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Notepad++
[2008/10/24 11:08:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org
[2010/02/03 12:14:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\TeraCopy
[2009/04/14 15:51:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\XnView
[2008/10/15 08:54:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AMCC
[2009/08/24 12:15:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Assimilator
[2008/10/17 16:09:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Mediafour
[2009/02/04 13:31:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\REDCINE
[2010/01/20 14:22:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/02/03 13:59:59 | 000,032,650 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2009/03/02 22:47:38 | 000,049,233 | ---- | M] () -- C:\fat32format.exe


< MD5 for: AGP440.SYS >
[2007/02/18 06:00:00 | 016,191,101 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2007/02/18 06:00:00 | 016,191,101 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2007/02/17 03:18:02 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=FF953A8F08CA3F822127654375786BBE -- C:\WINDOWS\system32\dllcache\atapi.sys
[2007/02/18 06:00:00 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=FF953A8F08CA3F822127654375786BBE -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys
[2007/02/17 03:18:02 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=FF953A8F08CA3F822127654375786BBE -- C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys
[2007/02/17 03:18:02 | 000,096,768 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2007/02/18 06:00:00 | 000,068,608 | ---- | M] (Microsoft Corporation) MD5=3AAB2418271343FE97F98AEF93F50E5F -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2007/02/18 06:00:00 | 000,068,608 | ---- | M] (Microsoft Corporation) MD5=3AAB2418271343FE97F98AEF93F50E5F -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2007/02/18 06:00:00 | 000,430,592 | ---- | M] (Microsoft Corporation) MD5=451564B8F22461D90CF8ED3945637845 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2007/02/18 06:00:00 | 000,430,592 | ---- | M] (Microsoft Corporation) MD5=451564B8F22461D90CF8ED3945637845 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2007/02/18 06:00:00 | 000,188,928 | ---- | M] (Microsoft Corporation) MD5=E7B7FD7D8907DADED4928E922608887F -- C:\WINDOWS\system32\dllcache\scecli.dll
[2007/02/18 06:00:00 | 000,188,928 | ---- | M] (Microsoft Corporation) MD5=E7B7FD7D8907DADED4928E922608887F -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >
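As an added example (not part of this thread and not OTL's own code), the following Python cross-checks the "< MD5 for: >" blocks of the custom scan above the way a responder reads them by eye: the backup copies (dllcache, ReinstallBackups, the service-pack cab) are compared with each other and with the live copy, and a live copy that differs or, as with atapi.sys here, cannot be hashed at all is flagged. The sample input is copied from the log above; the regexes, the backup-path markers and the status names are my own assumptions about the OTL line format.

```python
"""Cross-check an OTL '< MD5 for: NAME >' custom scan.

Added example; not part of this thread and not OTL code. For every protected
file OTL lists each copy it can find: the live copy, the system32\\dllcache
copy, driver ReinstallBackups and the service-pack cab. A kernel-mode
infector that patches a boot driver on disk (TDL3 patches atapi.sys) shows up
as a live copy whose hash differs from, or cannot be read while, the backup
copies all agree with each other.
"""
import re

HEADER_RE = re.compile(r"^< MD5 for: (?P<name>\S+) >$")
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"   # [date | size | attrs | M]
    r"\((?P<company>[^)]*)\)\s*(?P<tag>.*?)\s*--\s*(?P<path>.+?)\s*$"  # (company) MD5=... -- path
)
MD5_RE = re.compile(r"MD5=([0-9A-Fa-f]{32})")
# Path fragments that mark a reference/backup copy rather than the live file (assumption).
BACKUP_MARKERS = ("\\dllcache\\", "\\reinstallbackups\\", "\\driver cache\\", ".cab:")

# Sample input: two MD5 blocks copied verbatim from the OTL log in this thread.
SAMPLE = r"""
< MD5 for: ATAPI.SYS >
[2007/02/18 06:00:00 | 016,191,101 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2007/02/17 03:18:02 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=FF953A8F08CA3F822127654375786BBE -- C:\WINDOWS\system32\dllcache\atapi.sys
[2007/02/18 06:00:00 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=FF953A8F08CA3F822127654375786BBE -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys
[2007/02/17 03:18:02 | 000,096,768 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2007/02/18 06:00:00 | 000,068,608 | ---- | M] (Microsoft Corporation) MD5=3AAB2418271343FE97F98AEF93F50E5F -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2007/02/18 06:00:00 | 000,068,608 | ---- | M] (Microsoft Corporation) MD5=3AAB2418271343FE97F98AEF93F50E5F -- C:\WINDOWS\system32\eventlog.dll
"""


def parse_md5_sections(text):
    """Map FILENAME -> list of {path, size, company, md5, is_backup} entries."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").upper()
            sections[current] = []
            continue
        if current is None or not line.startswith("["):
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        digest = MD5_RE.search(entry.group("tag"))
        sections[current].append({
            "path": entry.group("path"),
            "size": int(entry.group("size").replace(",", "")),
            "company": entry.group("company"),
            "md5": digest.group(1).upper() if digest else None,   # None: 'Unable to obtain MD5' or cab entry
            "is_backup": any(m in entry.group("path").lower() for m in BACKUP_MARKERS),
        })
    return sections


def audit_md5_sections(text):
    """Map FILENAME -> (status, detail); status is one of
    ok / unreadable / mismatch / no-reference / no-live-copy."""
    results = {}
    for name, entries in parse_md5_sections(text).items():
        reference = {e["md5"] for e in entries if e["is_backup"] and e["md5"]}
        live = [e for e in entries if not e["is_backup"]]
        if not live:
            results[name] = ("no-live-copy", "only backup copies were listed")
            continue
        if not reference:
            results[name] = ("no-reference", "no hashable backup copy to compare against")
            continue
        status, detail = "ok", f"live copy matches {len(reference)} reference hash(es)"
        for e in live:
            if e["md5"] is None:
                # The hash of the file actually loaded at boot could not be read while
                # every backup agrees: exactly the atapi.sys picture in this thread.
                status, detail = "unreadable", (f"{e['path']} could not be hashed while backups "
                                                f"agree on {', '.join(sorted(reference))}")
                break
            if e["md5"] not in reference:
                status, detail = "mismatch", (f"{e['path']} has MD5 {e['md5']}, backups have "
                                              f"{', '.join(sorted(reference))}")
                break
        results[name] = (status, detail)
    return results


if __name__ == "__main__":
    for name, (status, detail) in audit_md5_sections(SAMPLE).items():
        print(f"{name:14} {status:10} {detail}")
```

Two caveats a responder keeps in mind: a mismatch alone is not proof of tampering, because a hotfix can update the live copy while dllcache lags behind; and the TDL3 family hooks the disk driver's dispatch table below the file system, so what a user-mode hash sees for the live file is whatever the rootkit lets through (here nothing at all). That is why the next step in the thread is a tool that inspects kernel memory rather than trusting what the disk returns.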




#10 schrauber
  • Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:06 AM

Posted 04 February 2010 - 03:28 PM

Hi,
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
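The log that TDSSKiller writes with `-l` is long (the one in this thread runs to hundreds of lines) but the signal sits in a few line types. As an added example, not part of this thread and not TDSSKiller's own code, the following Python pulls out each driver's dispatch table and each file verdict and re-applies the tool's first in-memory heuristic: a driver whose 27 IRP major-function handlers all resolve to a single address. The sample log is constructed, modeled on the format of the log posted in the next reply; the regexes are my assumptions about that format.

```python
"""Triage a TDSSKiller 2.x log for the rootkit indicators it reports.

Added example; not part of the thread and not TDSSKiller code. For every
device object in the disk stack the tool dumps the owning DRIVER_OBJECT's 27
MajorFunction entries ("IrpHandler (n) addr: ...") and then the verdict for
that driver's file on disk. TDL3's in-memory signature is that every entry of
the hooked driver's table (atapi in this thread) points at one routine, which
the tool reports as "All IRP handlers pointed to one addr".
"""
import re

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(?P<msg>.*)$")   # "hh:mm:ss:ms pid message"
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (?P<obj>\S+), Driver Name: (?P<name>\S+)")
IRP_RE = re.compile(r"IrpHandler \((?P<n>\d+)\) addr: (?P<addr>[0-9A-Fa-f]{8})")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (?P<path>.+?) - Verdict: (?P<verdict>\w+)")
INFECTED_RE = re.compile(r'(?:Driver "(?P<drv>[^"]+)" Irp handler|File (?P<file>\S+)) infected by')
IRP_MJ_COUNT = 27   # IRP_MJ_CREATE .. IRP_MJ_PNP on 32-bit Windows Server 2003


def triage(log_text):
    """Return (drivers, verdicts, detections): drivers maps a driver name to its
    last dumped 27-entry handler table, verdicts maps file path to Clean/Infected,
    detections lists what the tool itself said was infected, in log order."""
    drivers, verdicts, detections, current = {}, {}, [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        d = DRIVER_RE.search(msg)
        if d:                                   # new table; a driver dumped for several
            current = d.group("name")           # device objects keeps its last snapshot
            drivers[current] = [None] * IRP_MJ_COUNT
            continue
        i = IRP_RE.search(msg)
        if i and current is not None:
            drivers[current][int(i.group("n"))] = i.group("addr").upper()
            continue
        v = VERDICT_RE.search(msg)
        if v:
            verdicts[v.group("path")] = v.group("verdict")
        f = INFECTED_RE.search(msg)
        if f:
            detections.append(f.group("drv") or f.group("file"))
    return drivers, verdicts, detections


def suspicious_dispatch_tables(drivers):
    """TDSSKiller's first heuristic: flag a driver whose whole MajorFunction table
    is one address. The kernel's default handler for majors a driver does not
    implement (80821044 in this thread's log) legitimately fills the unused
    slots of disk.sys and 3wareDrv, so the test is 'all identical', not 'mostly'."""
    flagged = {}
    for name, table in drivers.items():
        distinct = {a for a in table if a}
        if None not in table and len(distinct) == 1:
            flagged[name] = distinct.pop()
    return flagged


# Constructed sample log, modeled on the format of the TDSSKiller log in this thread.
TS = "10:06:27:015"

def _table_lines(name, addrs):
    lines = [f"{TS} 1244 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\{name}, Driver Name: {name}"]
    return lines + [f"{TS} 1244 DetectCureTDL3: IrpHandler ({n}) addr: {a}" for n, a in enumerate(addrs)]

_disk = ["80821044"] * IRP_MJ_COUNT            # default handler everywhere except implemented majors
for _n, _a in {0: "F724B1E0", 2: "F724B1E0", 3: "F7242485", 4: "F7242485", 14: "F7243208"}.items():
    _disk[_n] = _a

SAMPLE_LOG = "\n".join(
    [f"{TS} 1244 Scanning Kernel memory ..."]
    + _table_lines("Disk", _disk)
    + [f"{TS} 1244 TDL3_FileDetect: C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: Clean"]
    + _table_lines("atapi", ["8B66E170"] * IRP_MJ_COUNT)
    + [f"{TS} 1244 DetectCureTDL3: All IRP handlers pointed to one addr: 8B66E170",
       f'{TS} 1244 Driver "atapi" Irp handler infected by TDSS rootkit ... {TS} 1244 KLMD_WriteMem: Trying to WriteMemory 0x8B66E1D3[0xD]',
       f"{TS} 1244 cured",
       f"{TS} 1244 TDL3_FileDetect: C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: Infected",
       f"{TS} 1244 File C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys infected by TDSS rootkit ... {TS} 1244 TDL3_FileCure: Processing driver file: C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys",
       f"{TS} 1244 will be cured on next reboot"]
)

if __name__ == "__main__":
    drivers, verdicts, detections = triage(SAMPLE_LOG)
    print("uniform dispatch tables:", suspicious_dispatch_tables(drivers))
    print("file verdicts:", verdicts)
    print("tool detections:", detections)
```

The uniform-table check is only the trigger. In the real log the tool follows it by reading 0x400 bytes at the shared address (`TDL3_IrpHookDetect: CheckParameters`) before it calls the driver infected, a code-level check this script does not reproduce; a driver that deliberately routes every major through one dispatch routine would trip the script but not the tool. Note also where the shared address lives: the other drivers' handlers sit in F7xxxxxx image ranges, whereas atapi's 8B66E170 is in the same address range as the device and driver objects the tool dumps, which is what you expect from a hook planted in kernel pool rather than inside atapi.sys.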

#11 Ken Wald
  • Topic Starter
  • Members
  • 8 posts
  • Local time:01:06 AM

Posted 05 February 2010 - 11:08 AM

10:06:26:703 1244 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
10:06:26:703 1244 ================================================================================
10:06:26:703 1244 SystemInfo:

10:06:26:703 1244 OS Version: 5.2.3790 ServicePack: 2.0
10:06:26:703 1244 Product type: Server
10:06:26:703 1244 ComputerName: SCRATCH
10:06:26:703 1244 UserName: Administrator
10:06:26:703 1244 Windows directory: C:\WINDOWS
10:06:26:703 1244 Processor architecture: Intel x86
10:06:26:703 1244 Number of processors: 8
10:06:26:703 1244 Page size: 0x1000
10:06:26:703 1244 Boot type: Normal boot
10:06:26:703 1244 ================================================================================
10:06:26:703 1244 UnloadDriverW: NtUnloadDriver error 2
10:06:26:703 1244 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
10:06:26:703 1244 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
10:06:26:718 1244 UtilityInit: KLMD drop and load success
10:06:26:718 1244 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
10:06:26:718 1244 UtilityInit: KLMD open success
10:06:26:718 1244 UtilityInit: Initialize success
10:06:26:718 1244
10:06:26:718 1244 Scanning Services ...
10:06:26:718 1244 CreateRegParser: Registry parser init started
10:06:26:718 1244 CreateRegParser: DisableWow64Redirection error
10:06:26:718 1244 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
10:06:26:718 1244 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
10:06:26:718 1244 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:06:26:718 1244 wfopen_ex: Trying to KLMD file open
10:06:26:718 1244 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
10:06:26:718 1244 wfopen_ex: File opened ok (Flags 2)
10:06:26:718 1244 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 3B4BF8
10:06:26:718 1244 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
10:06:26:718 1244 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
10:06:26:718 1244 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:06:26:718 1244 wfopen_ex: Trying to KLMD file open
10:06:26:718 1244 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
10:06:26:718 1244 wfopen_ex: File opened ok (Flags 2)
10:06:26:718 1244 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 3B4AE8
10:06:26:718 1244 CreateRegParser: EnableWow64Redirection error
10:06:26:718 1244 CreateRegParser: RegParser init completed
10:06:26:984 1244 GetAdvancedServicesInfo: Raw services enum returned 325 services
10:06:27:000 1244 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
10:06:27:000 1244 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
10:06:27:000 1244
10:06:27:000 1244 Scanning Kernel memory ...
10:06:27:000 1244 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
10:06:27:000 1244 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8B7322F0
10:06:27:000 1244 DetectCureTDL3: KLMD_GetDeviceObjectList returned 5 DevObjects
10:06:27:000 1244
10:06:27:000 1244 DetectCureTDL3: DEVICE_OBJECT: 8B5877F0
10:06:27:000 1244 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B5877F0
10:06:27:000 1244 KLMD_ReadMem: Trying to ReadMemory 0x8B5877F0[0x38]
10:06:27:000 1244 DetectCureTDL3: DRIVER_OBJECT: 8B7322F0
10:06:27:000 1244 KLMD_ReadMem: Trying to ReadMemory 0x8B7322F0[0xA8]
10:06:27:000 1244 KLMD_ReadMem: Trying to ReadMemory 0xE17BACC0[0x18]
10:06:27:000 1244 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:06:27:000 1244 DetectCureTDL3: IrpHandler (0) addr: F724B1E0
10:06:27:000 1244 DetectCureTDL3: IrpHandler (1) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (2) addr: F724B1E0
10:06:27:000 1244 DetectCureTDL3: IrpHandler (3) addr: F7242485
10:06:27:000 1244 DetectCureTDL3: IrpHandler (4) addr: F7242485
10:06:27:000 1244 DetectCureTDL3: IrpHandler (5) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (6) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (7) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (8) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (9) addr: F7242E9A
10:06:27:000 1244 DetectCureTDL3: IrpHandler (10) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (11) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (12) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (13) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (14) addr: F7243208
10:06:27:000 1244 DetectCureTDL3: IrpHandler (15) addr: F72474C1
10:06:27:000 1244 DetectCureTDL3: IrpHandler (16) addr: F7242E9A
10:06:27:000 1244 DetectCureTDL3: IrpHandler (17) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (18) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (19) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (20) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (21) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (22) addr: F7244D14
10:06:27:000 1244 DetectCureTDL3: IrpHandler (23) addr: F724D264
10:06:27:000 1244 DetectCureTDL3: IrpHandler (24) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (25) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (26) addr: 80821044
10:06:27:000 1244 TDL3_FileDetect: Processing driver: Disk
10:06:27:000 1244 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:06:27:000 1244 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:06:27:000 1244 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:06:27:000 1244
10:06:27:000 1244 DetectCureTDL3: DEVICE_OBJECT: 8B6D1C68
10:06:27:000 1244 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B6D1C68
10:06:27:000 1244 KLMD_ReadMem: Trying to ReadMemory 0x8B6D1C68[0x38]
10:06:27:000 1244 DetectCureTDL3: DRIVER_OBJECT: 8B7322F0
10:06:27:000 1244 KLMD_ReadMem: Trying to ReadMemory 0x8B7322F0[0xA8]
10:06:27:000 1244 KLMD_ReadMem: Trying to ReadMemory 0xE17BACC0[0x18]
10:06:27:000 1244 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:06:27:000 1244 DetectCureTDL3: IrpHandler (0) addr: F724B1E0
10:06:27:000 1244 DetectCureTDL3: IrpHandler (1) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (2) addr: F724B1E0
10:06:27:000 1244 DetectCureTDL3: IrpHandler (3) addr: F7242485
10:06:27:000 1244 DetectCureTDL3: IrpHandler (4) addr: F7242485
10:06:27:000 1244 DetectCureTDL3: IrpHandler (5) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (6) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (7) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (8) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (9) addr: F7242E9A
10:06:27:000 1244 DetectCureTDL3: IrpHandler (10) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (11) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (12) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (13) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (14) addr: F7243208
10:06:27:000 1244 DetectCureTDL3: IrpHandler (15) addr: F72474C1
10:06:27:000 1244 DetectCureTDL3: IrpHandler (16) addr: F7242E9A
10:06:27:000 1244 DetectCureTDL3: IrpHandler (17) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (18) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (19) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (20) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (21) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (22) addr: F7244D14
10:06:27:000 1244 DetectCureTDL3: IrpHandler (23) addr: F724D264
10:06:27:000 1244 DetectCureTDL3: IrpHandler (24) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (25) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (26) addr: 80821044
10:06:27:000 1244 TDL3_FileDetect: Processing driver: Disk
10:06:27:000 1244 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:06:27:000 1244 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:06:27:000 1244 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:06:27:000 1244
10:06:27:000 1244 DetectCureTDL3: DEVICE_OBJECT: 8B6D1030
10:06:27:000 1244 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B6D1030
10:06:27:000 1244 KLMD_ReadMem: Trying to ReadMemory 0x8B6D1030[0x38]
10:06:27:000 1244 DetectCureTDL3: DRIVER_OBJECT: 8B7322F0
10:06:27:000 1244 KLMD_ReadMem: Trying to ReadMemory 0x8B7322F0[0xA8]
10:06:27:000 1244 KLMD_ReadMem: Trying to ReadMemory 0xE17BACC0[0x18]
10:06:27:000 1244 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:06:27:000 1244 DetectCureTDL3: IrpHandler (0) addr: F724B1E0
10:06:27:000 1244 DetectCureTDL3: IrpHandler (1) addr: 80821044
10:06:27:000 1244 DetectCureTDL3: IrpHandler (2) addr: F724B1E0
10:06:27:000 1244 DetectCureTDL3: IrpHandler (3) addr: F7242485
10:06:27:000 1244 DetectCureTDL3: IrpHandler (4) addr: F7242485
10:06:27:000 1244 DetectCureTDL3: IrpHandler (5) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (6) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (7) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (8) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (9) addr: F7242E9A
10:06:27:015 1244 DetectCureTDL3: IrpHandler (10) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (11) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (12) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (13) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (14) addr: F7243208
10:06:27:015 1244 DetectCureTDL3: IrpHandler (15) addr: F72474C1
10:06:27:015 1244 DetectCureTDL3: IrpHandler (16) addr: F7242E9A
10:06:27:015 1244 DetectCureTDL3: IrpHandler (17) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (18) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (19) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (20) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (21) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (22) addr: F7244D14
10:06:27:015 1244 DetectCureTDL3: IrpHandler (23) addr: F724D264
10:06:27:015 1244 DetectCureTDL3: IrpHandler (24) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (25) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (26) addr: 80821044
10:06:27:015 1244 TDL3_FileDetect: Processing driver: Disk
10:06:27:015 1244 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:06:27:015 1244 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:06:27:015 1244 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:06:27:015 1244
10:06:27:015 1244 DetectCureTDL3: DEVICE_OBJECT: 8B6EB030
10:06:27:015 1244 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B6EB030
10:06:27:015 1244 DetectCureTDL3: DEVICE_OBJECT: 8B6ED030
10:06:27:015 1244 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B6ED030
10:06:27:015 1244 KLMD_ReadMem: Trying to ReadMemory 0x8B6ED030[0x38]
10:06:27:015 1244 DetectCureTDL3: DRIVER_OBJECT: 8B6E3EE8
10:06:27:015 1244 KLMD_ReadMem: Trying to ReadMemory 0x8B6E3EE8[0xA8]
10:06:27:015 1244 KLMD_ReadMem: Trying to ReadMemory 0xE1829E20[0x20]
10:06:27:015 1244 DetectCureTDL3: DRIVER_OBJECT name: \Driver\3wareDrv, Driver Name: 3wareDrv
10:06:27:015 1244 DetectCureTDL3: IrpHandler (0) addr: F726927C
10:06:27:015 1244 DetectCureTDL3: IrpHandler (1) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (2) addr: F726927C
10:06:27:015 1244 DetectCureTDL3: IrpHandler (3) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (4) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (5) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (6) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (7) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (8) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (9) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (10) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (11) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (12) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (13) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (14) addr: F726927C
10:06:27:015 1244 DetectCureTDL3: IrpHandler (15) addr: F726927C
10:06:27:015 1244 DetectCureTDL3: IrpHandler (16) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (17) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (18) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (19) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (20) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (21) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (22) addr: F726927C
10:06:27:015 1244 DetectCureTDL3: IrpHandler (23) addr: F726927C
10:06:27:015 1244 DetectCureTDL3: IrpHandler (24) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (25) addr: 80821044
10:06:27:015 1244 DetectCureTDL3: IrpHandler (26) addr: 80821044
10:06:27:015 1244 KLMD_ReadMem: Trying to ReadMemory 0xF726A214[0x400]
10:06:27:015 1244 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
10:06:27:015 1244 TDL3_FileDetect: Processing driver: 3wareDrv
10:06:27:015 1244 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\3wareDrv.sys
10:06:27:015 1244 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\3wareDrv.sys
10:06:27:015 1244 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\3wareDrv.sys - Verdict: Clean
10:06:27:015 1244
10:06:27:015 1244 DetectCureTDL3: DEVICE_OBJECT: 8B7848D0
10:06:27:015 1244 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B7848D0
10:06:27:015 1244 DetectCureTDL3: DEVICE_OBJECT: 8B6E7A00
10:06:27:015 1244 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B6E7A00
10:06:27:015 1244 DetectCureTDL3: DEVICE_OBJECT: 8B65AB00
10:06:27:015 1244 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B65AB00
10:06:27:015 1244 KLMD_ReadMem: Trying to ReadMemory 0x8B65AB00[0x38]
10:06:27:015 1244 DetectCureTDL3: DRIVER_OBJECT: 8B6EB7C0
10:06:27:015 1244 KLMD_ReadMem: Trying to ReadMemory 0x8B6EB7C0[0xA8]
10:06:27:015 1244 KLMD_ReadMem: Trying to ReadMemory 0x8B6FC028[0x38]
10:06:27:015 1244 KLMD_ReadMem: Trying to ReadMemory 0x8B786848[0xA8]
10:06:27:015 1244 KLMD_ReadMem: Trying to ReadMemory 0xE17F3590[0x1A]
10:06:27:015 1244 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
10:06:27:015 1244 DetectCureTDL3: IrpHandler (0) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (1) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (2) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (3) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (4) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (5) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (6) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (7) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (8) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (9) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (10) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (11) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (12) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (13) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (14) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (15) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (16) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (17) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (18) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (19) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (20) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (21) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (22) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (23) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (24) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (25) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: IrpHandler (26) addr: 8B66E170
10:06:27:015 1244 DetectCureTDL3: All IRP handlers pointed to one addr: 8B66E170
10:06:27:015 1244 KLMD_ReadMem: Trying to ReadMemory 0x8B66E170[0x400]
10:06:27:015 1244 TDL3_IrpHookDetect: CheckParameters: 5, FFDF0308, 341, 99, 3, 88
10:06:27:015 1244 Driver "atapi" Irp handler infected by TDSS rootkit ... 10:06:27:015 1244 KLMD_WriteMem: Trying to WriteMemory 0x8B66E1D3[0xD]
10:06:27:015 1244 cured
10:06:27:015 1244 KLMD_ReadMem: Trying to ReadMemory 0xF72A9E2E[0x400]
10:06:27:015 1244 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
10:06:27:015 1244 TDL3_FileDetect: Processing driver: atapi
10:06:27:015 1244 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
10:06:27:015 1244 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
10:06:27:031 1244 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
10:06:27:031 1244 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 10:06:27:031 1244 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
10:06:27:031 1244 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
10:06:27:031 1244 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
10:06:27:062 1244 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab
10:06:27:078 1244 CabinetCallback: Backup candidate found: atapi.sys:96768, extracting..
10:06:27:359 1244 CabinetCallback: File extracted successfully: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bck7.tmp
10:06:27:359 1244 ValidateDriverFile: Stage 1 passed
10:06:27:375 1244 ValidateDriverFile: Stage 2 passed
10:06:27:390 1244 DigitalSignVerifyByHandle: Embedded DS result: 800B0100
10:06:28:156 1244 DigitalSignVerifyByHandle: Cat DS result: 00000000
10:06:28:156 1244 ValidateDriverFile: Stage 3 passed
10:06:28:156 1244 CabinetCallback: File validated successfully, restore information prepared
10:06:28:156 1244 FindDriverFileBackup: Backup copy found in cab-file
10:06:28:156 1244 TDL3_FileCure: Backup copy found, using it..
10:06:28:156 1244 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tsk8.tmp
10:06:28:187 1244 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk8.tmp, system32\drivers\atapi.sys)
10:06:28:187 1244 TDL3_FileCure: KLMD jobs schedule success
10:06:28:187 1244 will be cured on next reboot
10:06:28:187 1244 UtilityBootReinit: Reboot required for cure complete..
10:06:28:187 1244 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
10:06:28:187 1244 UtilityBootReinit: KLMD drop success
10:06:28:187 1244 KLMD_ApplyPendList: Pending buffer(3B1A_7C68, 600) dropped successfully
10:06:28:187 1244 UtilityBootReinit: Cure on reboot scheduled successfully
10:06:28:187 1244
10:06:28:203 1244 Completed
10:06:28:203 1244
10:06:28:203 1244 Results:
10:06:28:203 1244 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
10:06:28:203 1244 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
10:06:28:203 1244 File objects infected / cured / cured on reboot: 1 / 0 / 1
10:06:28:203 1244
10:06:28:203 1244 UnloadDriverW: NtUnloadDriver error 1
10:06:28:203 1244 KLMD_Unload: UnloadDriverW(klmd21) error 1
10:06:28:203 1244 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
10:06:28:203 1244 UtilityDeinit: KLMD(ARK) unloaded successfully


#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 05 February 2010 - 01:59 PM

Please post back with a fresh OTL logfile and tell me how your system is running.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#13 Ken Wald

Ken Wald
  • Topic Starter

  • Members
  • 8 posts

Posted 05 February 2010 - 02:32 PM

So far, no errors upon logging in, and no self-reboots in about 2 hours while still connected to the internet. Also, no redirects on Google searches. I'm going to let it sit over the weekend and see what happens, but it already seems to be running better. I'll report back on Monday and let you know how it goes.

Many, many thanks for all your help.



OTL logfile created on: 2/5/2010 1:23:14 PM - Run 3
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Server 2003 R2 Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 6.0.3790.3959)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 4.00 Gb Available Physical Memory | 88.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.68 Gb Total Space | 59.84 Gb Free Space | 78.04% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 7450.37 Gb Total Space | 4431.49 Gb Free Space | 59.48% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SCRATCH
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/02/01 09:25:58 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/01/20 13:21:15 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2010/01/20 13:21:15 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2010/01/05 18:57:22 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/11/23 08:43:26 | 002,001,648 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/07/14 11:52:59 | 000,197,377 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Server\avguard.exe
PRC - [2009/06/15 11:07:08 | 000,201,304 | ---- | M] (Mediafour Corporation) -- C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
PRC - [2009/03/17 16:09:00 | 000,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2009/03/02 14:33:44 | 000,206,593 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Server\avgnt.exe
PRC - [2008/11/26 10:51:07 | 000,072,961 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Server\sched.exe
PRC - [2008/11/26 10:23:46 | 000,150,528 | ---- | M] (Mediafour Corporation) -- C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
PRC - [2008/09/30 16:46:18 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2008/09/30 16:46:12 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2008/02/08 19:29:37 | 001,294,336 | ---- | M] (AMCC) -- C:\Program Files\AMCC\3DM2\3dm2.exe
PRC - [2008/01/18 18:36:28 | 000,424,448 | ---- | M] () -- C:\Program Files\AMCC\3DM2\WinAVAlarm.exe
PRC - [2008/01/08 20:16:59 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\sttray.exe
PRC - [2008/01/08 20:16:57 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
PRC - [2007/02/18 06:00:00 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/08/09 21:46:16 | 000,114,688 | ---- | M] () -- C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
PRC - [2006/04/29 03:47:14 | 000,020,541 | ---- | M] (Apache Software Foundation) -- C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
PRC - [2005/04/29 18:44:06 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE


========== Modules (SafeList) ==========

MOD - [2010/02/01 09:25:58 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2007/02/17 00:04:16 | 001,051,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/01/20 13:21:15 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/07/14 11:52:59 | 000,197,377 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Server\avguard.exe -- (AntiVirService)
SRV - [2009/03/17 16:09:00 | 000,163,908 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2008/11/26 10:51:07 | 000,072,961 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Server\sched.exe -- (AntiVirScheduler)
SRV - [2008/11/26 10:23:46 | 000,150,528 | ---- | M] (Mediafour Corporation) [Auto | Running] -- C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe -- (MacDriveService)
SRV - [2008/02/08 19:29:37 | 001,294,336 | ---- | M] () [Auto | Running] -- C:\Program Files\AMCC\3DM2/3dm2.exe -- (3DM2)
SRV - [2008/01/08 20:16:57 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe -- (STacSV)
SRV - [2007/02/18 06:00:00 | 000,792,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
SRV - [2007/02/18 06:00:00 | 000,164,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
SRV - [2007/02/18 06:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
SRV - [2007/02/18 06:00:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
SRV - [2007/02/18 06:00:00 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
SRV - [2007/02/18 06:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
SRV - [2007/02/18 06:00:00 | 000,040,448 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
SRV - [2007/02/18 06:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
SRV - [2006/08/09 21:46:16 | 000,114,688 | ---- | M] () [Auto | Running] -- C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe -- (Marvell RAID)
SRV - [2006/04/29 03:47:14 | 000,020,541 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe -- (MRUWebService)
SRV - [2005/04/29 18:44:06 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE -- (Pml Driver HPZ12)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "https://mail.optimus.com/zimbra/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/05 18:57:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/20 13:21:21 | 000,000,000 | ---D | M]

[2008/10/17 13:49:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/02/01 09:29:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9vun59f0.default\extensions
[2009/08/06 10:41:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9vun59f0.default\extensions\privatebrowsing@froilson.com
[2010/02/01 09:29:51 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2007/02/18 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Server\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Getting started with MacDrive] C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe (Mediafour Corporation)
O4 - HKLM..\Run: [MacDrive application] C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe (Mediafour Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinAVAlarm.lnk = C:\Program Files\AMCC\3DM2\WinAVAlarm.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = optimus.com
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\All Users\Application Data\Assimilator\Settings\SCRATCH.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/14 15:25:07 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{24119373-9ebb-11dd-b66d-001cc0321a54}\Shell\verb1\command - "" = H:\desktop.exe -- File not found
O33 - MountPoints2\{d7a999d2-9cb1-11dd-8281-001cc0321a54}\Shell\verb1\command - "" = G:\desktop.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/10/14 08:03:25 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
NetSvcs: TrkSvr - C:\WINDOWS\system32\trksvr.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
SystemRestore not available.

========== Files/Folders - Created Within 14 Days ==========

[2010/02/05 10:06:02 | 000,176,392 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2010/02/03 09:14:34 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/02/01 09:25:58 | 000,548,864 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2008/11/05 13:06:38 | 004,556,134 | ---- | C] (InstallShield Software Corporation) -- C:\Program Files\swissknife.exe
[2008/10/17 13:54:29 | 000,454,656 | ---- | C] (Simon Tatham) -- C:\Program Files\putty.exe
[2008/10/14 15:25:05 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/10/14 15:25:05 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/10/14 15:25:05 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/10/14 15:25:05 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/02/05 12:00:38 | 005,242,880 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/02/05 11:36:00 | 000,405,633 | ---- | M] () -- C:\WINDOWS\System32\NvwsApps.xml
[2010/02/05 11:35:46 | 000,000,241 | ---- | M] () -- C:\WINDOWS\System32\61xx.xml
[2010/02/05 11:35:39 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/05 11:35:39 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/05 10:15:51 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/02/03 14:48:39 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk
[2010/02/01 09:39:39 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/01 09:25:58 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/03/17 16:09:00 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/03/17 16:09:00 | 001,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/03/17 16:09:00 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/03/17 16:09:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/11/26 16:13:24 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\PUTTY.RND
[2008/11/05 13:07:03 | 000,014,976 | ---- | C] () -- C:\WINDOWS\System32\drivers\SBKUPNT.SYS
[2008/11/05 13:06:55 | 000,002,799 | ---- | C] () -- C:\WINDOWS\SKLANG.INI
[2008/10/26 09:56:39 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/10/23 13:07:26 | 004,438,006 | ---- | C] () -- C:\Program Files\MetaCheater v1.5.exe
[2008/10/21 19:04:03 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\PUTTY.RND
[2008/10/20 09:26:59 | 000,000,005 | ---- | C] () -- C:\WINDOWS\System32\scvhost.ini
[2007/12/20 19:32:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/02/18 06:00:00 | 000,179,440 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
[2007/02/18 06:00:00 | 000,082,432 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2007/02/18 06:00:00 | 000,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
[2007/02/18 06:00:00 | 000,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
[2007/02/18 06:00:00 | 000,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
[2007/02/18 06:00:00 | 000,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
[2007/02/18 06:00:00 | 000,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini
[2006/06/08 00:27:18 | 000,047,430 | ---- | C] () -- C:\WINDOWS\php.ini

========== LOP Check ==========

[2009/04/02 16:44:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Avid Technology
[2008/11/04 14:07:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\dBpoweramp
[2008/12/16 10:19:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\djv-0.8-1
[2010/01/14 12:10:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\FileZilla
[2009/10/29 10:27:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\HDRsoft
[2008/10/24 11:18:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Notepad++
[2008/10/24 11:08:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org
[2010/02/05 12:00:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\TeraCopy
[2009/04/14 15:51:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\XnView
[2008/10/15 08:54:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AMCC
[2009/08/24 12:15:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Assimilator
[2008/10/17 16:09:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Mediafour
[2009/02/04 13:31:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\REDCINE
[2010/01/20 14:22:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/02/05 11:33:26 | 000,032,650 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2009/03/02 22:47:38 | 000,049,233 | ---- | M] () -- C:\fat32format.exe


< MD5 for: AGP440.SYS >
[2007/02/18 06:00:00 | 016,191,101 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2007/02/18 06:00:00 | 016,191,101 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2007/02/17 03:18:02 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=FF953A8F08CA3F822127654375786BBE -- C:\WINDOWS\system32\dllcache\atapi.sys
[2010/02/05 10:17:44 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=FF953A8F08CA3F822127654375786BBE -- C:\WINDOWS\system32\drivers\atapi.sys
[2007/02/18 06:00:00 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=FF953A8F08CA3F822127654375786BBE -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys
[2007/02/17 03:18:02 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=FF953A8F08CA3F822127654375786BBE -- C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2007/02/18 06:00:00 | 000,068,608 | ---- | M] (Microsoft Corporation) MD5=3AAB2418271343FE97F98AEF93F50E5F -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2007/02/18 06:00:00 | 000,068,608 | ---- | M] (Microsoft Corporation) MD5=3AAB2418271343FE97F98AEF93F50E5F -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2007/02/18 06:00:00 | 000,430,592 | ---- | M] (Microsoft Corporation) MD5=451564B8F22461D90CF8ED3945637845 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2007/02/18 06:00:00 | 000,430,592 | ---- | M] (Microsoft Corporation) MD5=451564B8F22461D90CF8ED3945637845 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2007/02/18 06:00:00 | 000,188,928 | ---- | M] (Microsoft Corporation) MD5=E7B7FD7D8907DADED4928E922608887F -- C:\WINDOWS\system32\dllcache\scecli.dll
[2007/02/18 06:00:00 | 000,188,928 | ---- | M] (Microsoft Corporation) MD5=E7B7FD7D8907DADED4928E922608887F -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >


#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 05 February 2010 - 03:18 PM

Ok, let me know so we can clean up our work.
regards,
schrauber


#15 Ken Wald

Ken Wald
  • Topic Starter

  • Members
  • 8 posts

Posted 08 February 2010 - 10:09 PM

Came back to the computer after the weekend, and it was still logged in, meaning no self-reboot.

I haven't had any random pop-up tabs in Firefox, and Google searches are working fine. It seems that the computer is okay.

Again, thank you for everything. What do you suppose it was infected with?
