PLEASE HELP!!! Infected From Rogue Software - Security Essentials


  • This topic is locked
22 replies to this topic

#1 Olga Gierowitz

  • Members
  • 29 posts

Posted 28 February 2010 - 09:20 PM

This is my final attempt to get help before reformatting the drive, which will really harm my small business since I have many essential programs running on my computer. PLEASE HELP, as I have been ignored at another forum, and could not get any help and desperately need it.

My computer was recently infected with Security Essential Rogue Spyware Software, that included Antimalware Doctor. With it came a variety of nasty Malware.

I ran Avast, MalwareBytes and BitDefender which had cleaned up several Trojans that were created from that infection and I also was able to remove Security Essentials and Antimalware Doctor programs using rkill to stop the process and deleting the exe files.

The pop-ups that kept coming from Security Essentials and Antimalware Doctor have stopped and I think that program has been eradicated, but I am still badly infected with something that neither Avast, MalwareBytes nor BitDefender is detecting; all scans are running clean, but I am still having major issues.

Symptoms: The main problem now is that when I surf the web I am getting redirected to bad sites. When I click on websites from Google search result pages, especially anything related to malware removal, I am redirected to phishing, attack or advertising sites.

A virus seems to be blocking Windows Update from running, or from me even accessing that website itself, all I am getting is an error page.

Also, I tried to download Spybot and Comodo Firewall and that is being blocked from running on my PC. BitDefender runs a scan, but updates are being blocked, and updates to the PC Tools Antispyware program are also being blocked. I was able to run the PC Tools free firewall.


I was able to run all the current logs asked for by this forum, except a current GMER. I had run one previous to Avast quarantining some items, but when I tried to run it now, Windows is going to a blue screen, telling me WINDOWS FATAL ERROR and DUMP OF PHYSICAL MEMORY, WINDOWS HAS ENCOUNTERED A PROBLEM, and it lists some FILE NUMBERS; this happened twice when I tried to run GMER today.

So I am posting the only GMER that I have, which is the one I ran previous to Avast and MalwareBytes getting rid of the rogue spyware. Thank you for any help.

CURRENT DDS


DDS (Ver_09-12-01.01) - NTFSx86
Run by Captain at 17:06:19.46 on Sun 02/28/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.53 [GMT -8:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: PC Tools Firewall Plus *enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\M-Audio Audiophile USB\Dmn\ma003dmn.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Alwil Software\Avast5\setup\avast.setup
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\Captain\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyServer = 255.255.0.255:80
uInternet Settings,ProxyOverride = <local>
mURLSearchHooks: H - No File
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [Evozawumiforawum] rundll32.exe "c:\windows\emobumeru.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ma003dmn.lnk - c:\program files\m-audio audiophile usb\dmn\ma003dmn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - c:\program files\microsoft office\office\1033\OLFSNT40.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
TCP: NameServer = 93.188.164.118,93.188.166.52
TCP: {DB5C73CD-A8F1-466B-8718-FEFD62518EFE} = 93.188.164.118,93.188.166.52

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\captain\applic~1\mozilla\firefox\profiles\eu20joj4.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - HiddenExtension: XULRunner: {FB7CE0EA-CC60-4199-9D24-890DDE80D552} - c:\documents and settings\captain\local settings\application data\{FB7CE0EA-CC60-4199-9D24-890DDE80D552}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-10-14 162512]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-2-23 233136]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-14 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-22 40384]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2010-2-23 88040]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-22 40384]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-4-15 144648]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2010-2-23 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [2010-2-23 58816]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2010-2-23 115216]

=============== Created Last 30 ================

2010-03-01 01:05:46 0 ----a-w- c:\documents and settings\captain\defogger_reenable
2010-02-25 19:11:27 0 d-----w- c:\windows\system32\LogFiles
2010-02-24 20:26:29 81984 ----a-w- c:\windows\system32\bdod.bin
2010-02-24 18:53:16 850 ----a-w- c:\windows\system32\ProductTweaks.xml
2010-02-24 18:53:16 385 ----a-w- c:\windows\system32\user_gensett.xml
2010-02-24 18:48:25 0 d-----w- c:\docume~1\captain\applic~1\BitDefender
2010-02-24 18:47:22 0 d-----w- c:\program files\BitDefender
2010-02-24 18:47:22 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2010-02-24 18:45:20 0 d-----w- c:\program files\common files\BitDefender
2010-02-24 07:34:18 0 d-----w- c:\windows\pss
2010-02-24 06:43:05 0 d-----w- c:\docume~1\captain\applic~1\PCToolsFirewallPlus
2010-02-24 06:39:14 7435 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.cat
2010-02-24 06:39:14 7399 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.cat
2010-02-24 06:39:14 70664 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-02-24 06:39:14 58816 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2010-02-24 06:39:14 32680 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2010-02-24 06:39:10 7383 ----a-w- c:\windows\system32\drivers\pctplfw.cat
2010-02-24 06:39:09 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2010-02-24 06:39:01 0 d-----w- c:\program files\PC Tools Firewall Plus
2010-02-24 06:35:07 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-02-24 06:35:06 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-24 06:34:23 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-24 06:34:23 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-02-24 06:34:23 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-02-24 06:34:23 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-24 06:33:05 0 d-----w- c:\program files\common files\PC Tools
2010-02-24 05:01:34 0 d-----w- c:\program files\ATS2
2010-02-24 04:09:02 0 d-----w- c:\windows\system32\appmgmt
2010-02-24 03:10:31 1464 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-02-24 01:50:15 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-02-24 01:48:30 0 d-----w- c:\program files\common files\iS3
2010-02-24 01:48:25 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-02-23 02:23:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-22 23:48:34 0 d-----w- c:\program files\Trend Micro
2010-02-22 20:25:22 0 ----a-w- c:\windows\system32\ES15.exe
2010-02-22 19:50:48 0 ----a-w- c:\windows\system32\41.exe
2010-02-19 23:02:39 120 ----a-w- c:\windows\Kyuxocig.dat
2010-02-19 23:02:39 0 ----a-w- c:\windows\Pzecobit.bin
2010-02-19 23:01:01 0 d-----w- c:\program files\Securityessentials2010
2010-02-19 22:58:55 0 ----a-w- c:\windows\system32\helpers32.dll
2010-02-19 22:58:47 0 d-----w- c:\docume~1\captain\applic~1\3F8365D59E9F7EE43B4F15EC1B15434C
2010-02-03 06:36:36 0 d-----w- c:\program files\eLicenser
2010-02-02 05:25:31 379488 ----a-w- c:\windows\system32\drivers\wg111nd5.sys
2010-02-02 05:25:30 61440 ----a-w- c:\windows\system32\W32N50.dll
2010-02-02 05:25:29 16292 ----a-w- c:\windows\system32\PCANDIS5.SYS
2010-02-02 05:25:29 15577 ----a-w- c:\windows\system32\PCANDIS3.VXD
2010-02-02 04:45:32 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-02-02 04:45:17 266240 ----a-w- c:\windows\system32\WG1v2lib.dll
2010-01-31 05:52:44 0 d-----w- c:\program files\Quake III Arena
2010-01-31 03:13:28 86016 ----a-w- c:\windows\unvise32.exe

==================== Find3M ====================

2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-26 01:35:05 724992 ----a-w- c:\windows\iun6002.exe
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
1998-12-09 01:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-09 01:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 01:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-09 01:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 01:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1998-12-09 01:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

============= FINISH: 17:08:31.93 ===============

GMER




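The DDS entries in this post that a malware-response helper would look at first (the ProxyServer set to 255.255.0.255, the static NameServer, the rundll32 Run value loading c:\windows\emobumeru.dll, and the hidden Firefox extension under Local Settings) can be picked out mechanically. The script below is an added example, not part of this thread or of the DDS tool; the sample lines are copied from the log above, while the severity thresholds, the USER_WRITABLE list and the dhcp_servers parameter are my own assumptions.

```python
import ipaddress
import re
from typing import Iterable, List, NamedTuple

# Pseudo-HJT lines copied from the DDS log in the first post (constructed sample input);
# clean entries are kept so the heuristics can be seen to leave them alone.
SAMPLE_DDS = r"""
uInternet Settings,ProxyServer = 255.255.0.255:80
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Java(TM) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Evozawumiforawum] rundll32.exe "c:\windows\emobumeru.dll",Startup
TCP: NameServer = 93.188.164.118,93.188.166.52
FF - HiddenExtension: XULRunner: {FB7CE0EA-CC60-4199-9D24-890DDE80D552} - c:\documents and settings\captain\local settings\application data\{FB7CE0EA-CC60-4199-9D24-890DDE80D552}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
"""


class Finding(NamedTuple):
    severity: str  # "high", "medium" or "low"
    category: str
    detail: str


PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)", re.I)
NS_RE = re.compile(r"^TCP:\s*NameServer\s*=\s*(?P<servers>[\d.,]+)", re.I)
RUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.I)
ORPHAN_RE = re.compile(r"^(?P<kind>BHO|TB|mURLSearchHooks):\s*(?P<what>.*?)\s*-\s*No File$", re.I)
FFEXT_RE = re.compile(r"^FF - HiddenExtension:\s*(?P<name>.*?)\s*-\s*(?P<path>[a-z]:\\.+)$", re.I)
# Profile/temp locations installed software does not normally load startup code from (assumption).
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\")
RANK = {"high": 0, "medium": 1, "low": 2}


def _unroutable(host: str) -> bool:
    """True for an address no proxy could answer on (240/4 such as 255.255.0.255,
    multicast, 0.0.0.0, link-local). A hostname cannot be judged offline and passes."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_reserved or ip.is_multicast or ip.is_unspecified or ip.is_link_local


def _is_public(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def _dll_in_odd_place(dll: str) -> bool:
    """A Run-key DLL directly in %SystemRoot% or under a user profile is unusual."""
    low = dll.lower()
    return low.rsplit("\\", 1)[0].endswith("\\windows") or any(p in low for p in USER_WRITABLE)


def triage_dds(lines: Iterable[str], dhcp_servers: Iterable[str] = ()) -> List[Finding]:
    """Return findings for a DDS pseudo-HJT section, highest severity first.
    dhcp_servers: ISP-assigned resolvers (e.g. from an OTL O17 DhcpNameServer line), used
    to tell a real NameServer override from one that merely restates the DHCP values."""
    findings: List[Finding] = []
    dhcp = set(dhcp_servers)
    for raw in lines:
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            proxy = m.group("proxy")
            bad = _unroutable(proxy.rsplit(":", 1)[0])
            findings.append(Finding("high" if bad else "medium", "proxy", f"ProxyServer {proxy} " + (
                "is unroutable: HTTP is black-holed, which blocks AV and Windows updates"
                if bad else "is set; confirm it is intended")))
            continue
        m = NS_RE.match(line)
        if m:
            servers = [s for s in m.group("servers").split(",") if s]
            if dhcp and dhcp.isdisjoint(servers):
                sev, note = "high", "replaces the DHCP-assigned resolvers"
            else:
                sev = "medium" if any(_is_public(s) for s in servers) else "low"
                note = "is a static override; confirm these are resolvers you chose"
            findings.append(Finding(sev, "dns", f"NameServer {', '.join(servers)} {note}"))
            continue
        m = RUN_RE.match(line)
        if m:
            d = RUNDLL_RE.search(m.group("cmd"))
            if d and _dll_in_odd_place(d.group("dll")):
                findings.append(Finding("high", "run-dll", f"Run value [{m.group('name')}] loads "
                                        f"{d.group('dll')} through rundll32 from an unusual location"))
            continue
        m = FFEXT_RE.match(line)
        if m and any(p in m.group("path").lower() for p in USER_WRITABLE):
            findings.append(Finding("high", "ff-extension", f"hidden Firefox extension "
                                    f"{m.group('name')} is installed from a user profile path"))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append(Finding("low", "orphan", f"{m.group('kind')} {m.group('what')} "
                                    "has no file on disk (leftover registration)"))
    findings.sort(key=lambda f: RANK[f.severity])
    return findings
```

Passing the DhcpNameServer addresses from the OTL log later in this thread as dhcp_servers upgrades the NameServer finding to high, because the static entry shares nothing with what DHCP handed out.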

#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 06 March 2010 - 05:05 PM

Hello and Welcome to BleepingComputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic.


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    /md5start
    proquota.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Thanks



#3 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 10 March 2010 - 07:09 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



#4 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 17 March 2010 - 09:58 AM

Topic reopened at OP request



#5 Olga Gierowitz
  • Topic Starter

  • Members
  • 29 posts

Posted 17 March 2010 - 04:33 PM

Thank you so much for reopening and helping.

Here are the logs you requested

OTL LOG

OTL logfile created on: 3/17/2010 2:21:29 PM - Run 1
OTL by OldTimer - Version 3.1.37.2 Folder = C:\Documents and Settings\Captain\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

255.00 Mb Total Physical Memory | 66.00 Mb Available Physical Memory | 26.00% Memory free
734.00 Mb Paging File | 505.00 Mb Available in Paging File | 69.00% Paging File free
Paging file location(s): C:\pagefile.sys 500 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 21.27 Gb Free Space | 57.11% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CAPTAIN-56248DE
Current User Name: Captain
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/17 14:14:52 | 000,556,032 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Captain\Desktop\OTL.exe
PRC - [2010/02/18 13:20:00 | 000,307,672 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/02/11 11:53:42 | 002,756,488 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/02/11 11:53:39 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/01/12 12:41:00 | 003,168,216 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
PRC - [2010/01/04 12:36:28 | 002,893,624 | ---- | M] (Mozy, Inc.) -- C:\Program Files\MozyHome\mozystat.exe
PRC - [2009/12/25 18:35:05 | 000,053,248 | ---- | M] (Nemesis) -- C:\Program Files\M-Audio Audiophile USB\Dmn\ma003dmn.exe
PRC - [2009/11/09 12:20:14 | 000,818,432 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Firewall Plus\FWService.exe
PRC - [2008/04/14 02:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/03/17 14:14:52 | 000,556,032 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Captain\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/02/11 11:53:39 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/02/11 11:53:39 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/02/11 11:53:39 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/11/09 12:20:14 | 000,818,432 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\PC Tools Firewall Plus\FWService.exe -- (PCToolsFirewallPlus)


========== Driver Services (SafeList) ==========

DRV - [2010/02/11 11:42:34 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/02/11 11:42:13 | 000,162,512 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/02/11 11:39:01 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/02/11 11:38:34 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/02/11 11:38:23 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/02/11 11:38:07 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/02/05 10:17:56 | 000,233,136 | ---- | M] (PC Tools) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pctgntdi.sys -- (pctgntdi)
DRV - [2010/01/13 09:59:28 | 000,115,216 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pctplfw.sys -- (pctplfw)
DRV - [2010/01/12 10:34:14 | 000,070,664 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pctNdis-PacketFilter.sys -- (PCTFW-PacketFilter)
DRV - [2010/01/07 12:35:06 | 000,058,816 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pctNdis.sys -- (pctNDIS)
DRV - [2009/11/23 14:54:20 | 000,088,040 | ---- | M] (PC Tools) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PCTAppEvent.sys -- (PCTAppEvent)
DRV - [2008/04/14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/08/03 15:29:28 | 000,327,040 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtaa.sys -- (ati2mtaa)
DRV - [2001/08/17 05:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)
DRV - [2001/08/17 05:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1614895754-1767777339-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
IE - HKU\S-1-5-21-1614895754-1767777339-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1614895754-1767777339-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1614895754-1767777339-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 255.255.0.255:80

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.yahoo.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {FB7CE0EA-CC60-4199-9D24-890DDE80D552}:1.9.1

FF - HKLM\software\mozilla\Firefox\Extensions\\{FB7CE0EA-CC60-4199-9D24-890DDE80D552}: C:\Documents and Settings\Captain\Local Settings\Application Data\{FB7CE0EA-CC60-4199-9D24-890DDE80D552} [2010/02/19 16:02:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/11 21:58:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/18 13:20:20 | 000,000,000 | ---D | M]

[2009/09/11 19:13:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Captain\Application Data\Mozilla\Extensions
[2009/09/11 19:13:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Captain\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2009/01/01 20:28:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Captain\Application Data\Mozilla\Firefox\Profiles\eu20joj4.default\extensions
[2010/03/16 19:28:04 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2004/08/04 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-1614895754-1767777339-682003330-1003\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-1614895754-1767777339-682003330-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-1614895754-1767777339-682003330-1003\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [00PCTFW] C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe (PC Tools)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [Evozawumiforawum] C:\WINDOWS\emobumeru.DLL File not found
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MA003DMN.LNK = C:\Program Files\M-Audio Audiophile USB\Dmn\ma003dmn.exe (Nemesis)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe (Mozy, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1614895754-1767777339-682003330-1003\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-1614895754-1767777339-682003330-1003\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-1614895754-1767777339-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 71.9.127.107 68.116.46.115 24.205.192.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.118,93.188.166.52
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Captain\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Captain\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/27 16:42:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/09/27 16:41:54 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 30 Days ==========

[2010/03/17 14:14:51 | 000,556,032 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Captain\Desktop\OTL.exe
[2010/03/13 19:48:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Captain\My Documents\BETTER CALL DA COPS_data
[2010/03/13 00:19:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Captain\My Documents\WESTCOAST BEAT131_data
[2010/03/04 22:28:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Captain\My Documents\DIRTY SOUTH BEAT2_data
[2010/03/04 22:26:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Captain\My Documents\weed beat4_data
[2010/03/04 22:22:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Captain\My Documents\WESTCOAST BEAT19_data
[2010/03/04 22:21:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Captain\My Documents\DIRTY SOUTH BEAT_data
[2010/03/01 12:52:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/03/01 12:52:36 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/03/01 12:52:36 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/03/01 12:52:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/03/01 11:55:35 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/03/01 11:30:09 | 000,000,000 | ---D | C] -- C:\Program Files\MozyHome
[2010/03/01 11:26:16 | 009,758,584 | ---- | C] (Mozy, Inc.) -- C:\Documents and Settings\Captain\Desktop\mozy-1_16_4_0-9388.exe
[2010/02/25 12:11:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2010/02/24 11:47:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\BitDefender
[2010/02/24 11:45:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\BitDefender
[2010/02/24 00:34:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/02/23 23:43:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Captain\Application Data\PCToolsFirewallPlus
[2010/02/23 23:39:14 | 000,070,664 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctNdis-PacketFilter.sys
[2010/02/23 23:39:14 | 000,058,816 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctNdis.sys
[2010/02/23 23:39:14 | 000,032,680 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctNdis-DNS.sys
[2010/02/23 23:39:09 | 000,115,216 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplfw.sys
[2010/02/23 23:39:01 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Firewall Plus
[2010/02/23 23:35:06 | 000,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/02/23 23:34:56 | 010,702,992 | ---- | C] ( ) -- C:\Documents and Settings\Captain\Desktop\fwinstall.exe
[2010/02/23 23:34:23 | 000,207,792 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2010/02/23 23:34:23 | 000,088,040 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2010/02/23 23:33:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/02/23 23:29:23 | 034,868,704 | ---- | C] (PC Tools ) -- C:\Documents and Settings\Captain\Desktop\sdsetup.exe
[2010/02/23 23:12:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/02/23 22:01:34 | 000,000,000 | ---D | C] -- C:\Program Files\ATS2
[2010/02/23 21:09:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010/02/23 19:51:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2010/02/23 19:39:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/02/23 18:50:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/02/23 18:48:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2010/02/23 18:48:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2010/02/22 19:23:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/02/22 18:48:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Captain\Local Settings\Application Data\Threat Expert
[2010/02/22 16:48:34 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/02/22 16:47:43 | 000,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Captain\Desktop\HJTsetup.exe
[2010/02/22 16:26:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Captain\Desktop\LOGS FOR VIRUSES
[2010/02/19 16:02:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Captain\Local Settings\Application Data\{FB7CE0EA-CC60-4199-9D24-890DDE80D552}
[2010/02/19 15:58:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Captain\Application Data\3F8365D59E9F7EE43B4F15EC1B15434C
[1998/12/08 18:53:54 | 000,186,368 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAREG.DLL
[1998/12/08 18:53:54 | 000,099,840 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRAABOUT.DLL
[1998/12/08 18:53:54 | 000,070,144 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAMDMTR.DLL
[1998/12/08 18:53:54 | 000,048,640 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRALPTTR.DLL
[1998/12/08 18:53:54 | 000,031,744 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAWEBTR.DLL
[1998/12/08 18:53:54 | 000,017,920 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRASRIAL.DLL
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/17 14:14:52 | 000,556,032 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Captain\Desktop\OTL.exe
[2010/03/17 14:06:28 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/17 14:06:11 | 000,000,290 | -H-- | M] () -- C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
[2010/03/17 14:06:11 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/17 14:06:00 | 000,000,822 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MA003DMN.LNK
[2010/03/17 14:05:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/17 14:05:49 | 267,468,800 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/17 12:24:52 | 004,456,448 | ---- | M] () -- C:\Documents and Settings\Captain\ntuser.dat
[2010/03/17 12:24:52 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Captain\ntuser.ini
[2010/03/16 19:39:45 | 000,458,294 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\LazySnake_1_0_3.zip
[2010/03/16 18:51:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/03/15 18:16:00 | 000,000,264 | ---- | M] () -- C:\WINDOWS\tasks\Disk Cleanup.job
[2010/03/14 14:02:18 | 000,356,120 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/14 14:02:18 | 000,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/14 14:02:18 | 000,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/13 19:48:26 | 000,014,580 | ---- | M] () -- C:\Documents and Settings\Captain\My Documents\BETTER CALL DA COPS.aup
[2010/03/13 16:02:37 | 000,012,159 | ---- | M] () -- C:\Documents and Settings\Captain\My Documents\WESTCOAST BEAT131.aup
[2010/03/13 01:43:30 | 000,009,917 | ---- | M] () -- C:\Documents and Settings\Captain\My Documents\BANGER BEAT8.aup
[2010/03/13 00:19:41 | 000,012,159 | ---- | M] () -- C:\Documents and Settings\Captain\My Documents\WESTCOAST BEAT131.aup.bak
[2010/03/12 00:44:42 | 001,615,072 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_101224_23935_105bpm7.wav
[2010/03/12 00:40:23 | 002,228,384 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_213464_24577_Rida Lead 1.wav
[2010/03/12 00:32:20 | 000,678,526 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_140333_25579_Zay Synth 2.wav
[2010/03/12 00:21:15 | 000,962,228 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_187226_27353_krunk juice synth lead 88.wav
[2010/03/12 00:14:56 | 002,822,440 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_159051_26987_Let me die for you - Strings.wav
[2010/03/11 23:53:33 | 002,729,956 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_139050_27604_124_TT_PIANO_CHORDZ.wav
[2010/03/11 23:45:37 | 002,118,356 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_278505_23662_15.wav
[2010/03/11 23:40:14 | 000,848,000 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_237471_26778_JZI Viola Spiccato.wav
[2010/03/11 23:38:54 | 002,420,164 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_237471_26514_mot violin.wav
[2010/03/11 23:37:13 | 003,078,992 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_159051_26709_Orchestral Love.wav
[2010/03/11 23:25:17 | 001,560,676 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_270020_25388_RnB 10.wav
[2010/03/11 23:23:36 | 000,392,104 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_274163_25394_A Maj7 bpm 108 2.wav
[2010/03/11 23:21:25 | 000,392,104 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_274163_25395_A Maj7 bpm 108 3.wav
[2010/03/11 23:18:45 | 002,893,930 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_270020_25542_Hip Hop Em.wav
[2010/03/11 23:16:21 | 001,412,592 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_187569_25591_Classical Guitar 3.wav
[2010/03/11 23:10:21 | 001,045,380 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_187226_25924_mr. guy guitar 81.wav
[2010/03/11 23:06:47 | 000,705,696 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_57687_26272_LumaTouch_1_Guitar_D_to_G_120_.wav
[2010/03/11 23:00:56 | 001,512,104 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_189474_27113_simple Acoustic 140 bpm.wav
[2010/03/11 22:46:52 | 002,143,772 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_219480_25146_Moving On Brass and Underpad.wav
[2010/03/11 22:45:22 | 002,288,608 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_219480_25147_No Worries Brass.wav
[2010/03/11 22:42:43 | 002,419,376 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_219480_26094_Submission Brass.wav
[2010/03/11 22:39:16 | 002,228,388 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\looperman_219480_26100_say what brass.wav
[2010/03/11 22:07:48 | 001,065,330 | ---- | M] () -- C:\Documents and Settings\Captain\My Documents\sample.wav
[2010/03/07 20:37:42 | 000,740,379 | ---- | M] () -- C:\Documents and Settings\Captain\My Documents\dirty south beat3.mp3
[2010/03/05 13:46:44 | 003,074,891 | ---- | M] () -- C:\Documents and Settings\Captain\My Documents\deven+laxfreedownload.mp3
[2010/03/04 22:28:37 | 000,005,103 | ---- | M] () -- C:\Documents and Settings\Captain\My Documents\DIRTY SOUTH BEAT2.aup
[2010/03/04 22:28:10 | 001,660,934 | ---- | M] () -- C:\Documents and Settings\Captain\My Documents\DIRTY SOUTH BEAT2.mp3
[2010/03/04 22:26:06 | 000,006,893 | ---- | M] () -- C:\Documents and Settings\Captain\My Documents\weed beat4.aup
[2010/03/04 22:22:56 | 000,008,142 | ---- | M] () -- C:\Documents and Settings\Captain\My Documents\WESTCOAST BEAT19.aup
[2010/03/04 22:21:10 | 000,011,743 | ---- | M] () -- C:\Documents and Settings\Captain\My Documents\DIRTY SOUTH BEAT.aup
[2010/03/04 22:07:38 | 002,656,651 | ---- | M] () -- C:\Documents and Settings\Captain\My Documents\WESTCOAST BEAT19.mp3
[2010/03/02 14:02:39 | 002,330,713 | ---- | M] () -- C:\Documents and Settings\Captain\My Documents\weed beat4.mp3
[2010/03/01 11:56:29 | 000,081,984 | ---- | M] () -- C:\WINDOWS\System32\bdod.bin
[2010/03/01 11:30:41 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MozyHome Status.lnk
[2010/03/01 11:26:43 | 009,758,584 | ---- | M] (Mozy, Inc.) -- C:\Documents and Settings\Captain\Desktop\mozy-1_16_4_0-9388.exe
[2010/02/28 18:05:46 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Captain\defogger_reenable
[2010/02/24 22:33:25 | 004,218,844 | ---- | M] () -- C:\Documents and Settings\Captain\My Documents\DIRTY SOUTH BEAT.mp3
[2010/02/24 13:08:47 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Kyuxocig.dat
[2010/02/24 11:04:28 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Pzecobit.bin
[2010/02/24 00:46:31 | 000,000,689 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/02/24 00:46:31 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/24 00:46:31 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/02/23 23:35:29 | 010,702,992 | ---- | M] ( ) -- C:\Documents and Settings\Captain\Desktop\fwinstall.exe
[2010/02/23 23:30:36 | 034,868,704 | ---- | M] (PC Tools ) -- C:\Documents and Settings\Captain\Desktop\sdsetup.exe
[2010/02/23 23:16:55 | 006,383,900 | -H-- | M] () -- C:\Documents and Settings\Captain\Local Settings\Application Data\IconCache.db
[2010/02/23 21:03:44 | 006,514,881 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\ats2.exe
[2010/02/23 20:13:20 | 000,001,464 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/02/22 19:25:16 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/02/22 19:25:14 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/02/22 19:19:08 | 044,696,968 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\setup_av_free.exe
[2010/02/22 16:48:35 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\HijackThis.lnk
[2010/02/22 16:47:44 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Captain\Desktop\HJTsetup.exe
[2010/02/22 16:21:24 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\gmer.zip
[2010/02/22 16:20:10 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\dds.scr
[2010/02/22 16:17:12 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\Defogger.exe
[2010/02/22 13:25:23 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\41.exe
[2010/02/22 13:25:22 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\helpers32.dll
[2010/02/22 13:25:22 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\ES15.exe
[2010/02/19 19:32:12 | 000,363,008 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\iExplore.exe
[2010/02/19 19:29:58 | 000,363,008 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\rkill.com
[2010/02/19 17:14:58 | 000,021,904 | ---- | M] () -- C:\Documents and Settings\Captain\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/02/18 21:15:15 | 032,546,528 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\DSK_Strings.zip
[2010/02/17 15:23:48 | 000,260,016 | ---- | M] () -- C:\Documents and Settings\Captain\Desktop\WarbeatsLM_warbeats.com_.zip
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/16 19:39:37 | 000,458,294 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\LazySnake_1_0_3.zip
[2010/03/13 19:48:26 | 000,014,580 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\BETTER CALL DA COPS.aup
[2010/03/13 00:19:41 | 000,012,159 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\WESTCOAST BEAT131.aup.bak
[2010/03/13 00:19:41 | 000,012,159 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\WESTCOAST BEAT131.aup
[2010/03/12 00:44:40 | 001,615,072 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_101224_23935_105bpm7.wav
[2010/03/12 00:40:14 | 002,228,384 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_213464_24577_Rida Lead 1.wav
[2010/03/12 00:32:10 | 000,678,526 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_140333_25579_Zay Synth 2.wav
[2010/03/12 00:21:14 | 000,962,228 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_187226_27353_krunk juice synth lead 88.wav
[2010/03/12 00:14:39 | 002,822,440 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_159051_26987_Let me die for you - Strings.wav
[2010/03/11 23:53:20 | 002,729,956 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_139050_27604_124_TT_PIANO_CHORDZ.wav
[2010/03/11 23:45:29 | 002,118,356 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_278505_23662_15.wav
[2010/03/11 23:40:11 | 000,848,000 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_237471_26778_JZI Viola Spiccato.wav
[2010/03/11 23:38:43 | 002,420,164 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_237471_26514_mot violin.wav
[2010/03/11 23:36:57 | 003,078,992 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_159051_26709_Orchestral Love.wav
[2010/03/11 23:25:12 | 001,560,676 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_270020_25388_RnB 10.wav
[2010/03/11 23:23:34 | 000,392,104 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_274163_25394_A Maj7 bpm 108 2.wav
[2010/03/11 23:21:25 | 000,392,104 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_274163_25395_A Maj7 bpm 108 3.wav
[2010/03/11 23:18:30 | 002,893,930 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_270020_25542_Hip Hop Em.wav
[2010/03/11 23:16:15 | 001,412,592 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_187569_25591_Classical Guitar 3.wav
[2010/03/11 23:10:18 | 001,045,380 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_187226_25924_mr. guy guitar 81.wav
[2010/03/11 23:06:46 | 000,705,696 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_57687_26272_LumaTouch_1_Guitar_D_to_G_120_.wav
[2010/03/11 23:00:50 | 001,512,104 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_189474_27113_simple Acoustic 140 bpm.wav
[2010/03/11 22:46:45 | 002,143,772 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_219480_25146_Moving On Brass and Underpad.wav
[2010/03/11 22:45:14 | 002,288,608 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_219480_25147_No Worries Brass.wav
[2010/03/11 22:42:29 | 002,419,376 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_219480_26094_Submission Brass.wav
[2010/03/11 22:39:01 | 002,228,388 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\looperman_219480_26100_say what brass.wav
[2010/03/11 22:07:48 | 001,065,330 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\sample.wav
[2010/03/07 20:36:21 | 000,740,379 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\dirty south beat3.mp3
[2010/03/04 22:28:37 | 000,005,103 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\DIRTY SOUTH BEAT2.aup
[2010/03/04 22:26:06 | 000,006,893 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\weed beat4.aup
[2010/03/04 22:25:08 | 001,660,934 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\DIRTY SOUTH BEAT2.mp3
[2010/03/04 22:22:56 | 000,008,142 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\WESTCOAST BEAT19.aup
[2010/03/04 22:21:10 | 000,011,743 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\DIRTY SOUTH BEAT.aup
[2010/03/04 14:29:56 | 002,656,651 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\WESTCOAST BEAT19.mp3
[2010/03/02 00:36:25 | 002,330,713 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\weed beat4.mp3
[2010/03/01 11:30:40 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MozyHome Status.lnk
[2010/02/28 18:05:46 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Captain\defogger_reenable
[2010/02/24 21:48:17 | 004,218,844 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\DIRTY SOUTH BEAT.mp3
[2010/02/24 13:26:29 | 000,081,984 | ---- | C] () -- C:\WINDOWS\System32\bdod.bin
[2010/02/24 00:47:48 | 267,468,800 | -HS- | C] () -- C:\hiberfil.sys
[2010/02/23 23:39:14 | 000,007,435 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctNdis-PacketFilter.cat
[2010/02/23 23:39:14 | 000,007,399 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctNdis-DNS.cat
[2010/02/23 23:39:10 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplfw.cat
[2010/02/23 23:35:07 | 000,007,387 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat
[2010/02/23 23:34:23 | 000,007,412 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat
[2010/02/23 23:34:23 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat
[2010/02/23 21:03:08 | 006,514,881 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\ats2.exe
[2010/02/23 20:10:31 | 000,001,464 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/02/23 19:54:37 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/02/22 19:25:16 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/02/22 19:17:20 | 044,696,968 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\setup_av_free.exe
[2010/02/22 16:48:35 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\HijackThis.lnk
[2010/02/22 16:21:23 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\gmer.zip
[2010/02/22 16:20:08 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\dds.scr
[2010/02/22 16:17:03 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\Defogger.exe
[2010/02/22 13:25:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\ES15.exe
[2010/02/22 12:50:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\41.exe
[2010/02/19 19:32:10 | 000,363,008 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\iExplore.exe
[2010/02/19 19:29:55 | 000,363,008 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\rkill.com
[2010/02/19 18:46:32 | 006,220,516 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\Copy of Lil Wayne - Every Girl (feat. Drake & Young Money).mp3
[2010/02/19 18:46:31 | 002,803,840 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\Copy (2) of Kayne West ft. Mos Def - Two Words(1).mp3
[2010/02/19 18:46:29 | 006,608,087 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\Copy (2) of Jay-Z f. Kanye West, Rhianna - Run This Town.mp3
[2010/02/19 18:46:28 | 006,138,998 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\Copy of Jay-Z - DOA.mp3
[2010/02/19 18:46:28 | 002,990,566 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\Copy (2) of GANSTA BEAT10.mp3
[2010/02/19 18:46:28 | 001,416,951 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\Copy (2) of GANSTA BEAT11.mp3
[2010/02/19 18:46:28 | 000,163,248 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\Copy (2) of G3.wav
[2010/02/19 18:46:27 | 001,887,676 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\Copy of DEEP BEAT8.mp3
[2010/02/19 18:46:27 | 001,094,251 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\Copy of flasing light remix.mp3
[2010/02/19 18:46:27 | 000,286,734 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\Copy of Copy of gt6.wav
[2010/02/19 18:44:21 | 006,608,087 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\Copy of Jay-Z f. Kanye West, Rhianna - Run This Town.mp3
[2010/02/19 18:44:20 | 002,990,566 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\Copy of GANSTA BEAT10.mp3
[2010/02/19 18:44:20 | 001,416,951 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\Copy of GANSTA BEAT11.mp3
[2010/02/19 18:44:20 | 000,163,248 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\Copy of G3.wav
[2010/02/19 18:44:19 | 002,803,840 | ---- | C] () -- C:\Documents and Settings\Captain\My Documents\Copy of Kayne West ft. Mos Def - Two Words(1).mp3
[2010/02/19 16:02:39 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Kyuxocig.dat
[2010/02/19 16:02:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Pzecobit.bin
[2010/02/19 15:59:20 | 000,000,290 | -H-- | C] () -- C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
[2010/02/19 15:58:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\helpers32.dll
[2010/02/18 21:13:32 | 032,546,528 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\DSK_Strings.zip
[2010/02/17 15:23:46 | 000,260,016 | ---- | C] () -- C:\Documents and Settings\Captain\Desktop\WarbeatsLM_warbeats.com_.zip
[2010/01/16 16:03:44 | 000,000,016 | ---- | C] () -- C:\WINDOWS\System32\msvcsv60.dll
[2008/09/27 17:54:09 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/09/27 17:54:08 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2008/09/27 17:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NSREX.INI
[1999/01/22 10:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/14 02:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 02:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 21:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 21:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 16:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2004/08/03 16:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/14 02:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 02:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 21:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/04 05:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 21:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 02:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 02:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2005/04/25 08:28:14 | 000,871,040 | ---- | M] (Intel Corporation) MD5=D593517879E65167DF35F6015814AC59 -- C:\WINDOWS\dell\iastor\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 02:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 02:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATABUS.SYS >
[2005/05/17 15:45:08 | 000,092,800 | ---- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys
[2005/05/17 15:45:08 | 000,092,800 | ---- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\system32\drivers\NvAtaBus.sys

< MD5 for: PROQUOTA.EXE >
[2004/08/04 05:00:00 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=4D9D45A4370E0C2AD00C362B7118E2A4 -- C:\WINDOWS\$NtServicePackUninstall$\proquota.exe
[2008/04/14 02:42:34 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\ServicePackFiles\i386\proquota.exe
[2008/04/14 02:42:34 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\system32\proquota.exe

< MD5 for: SCECLI.DLL >
[2004/08/04 05:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 02:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 02:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 148 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C31F31E6
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7E95B6FD
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >


EXTRAS.TXT

OTL Extras logfile created on: 3/17/2010 2:21:29 PM - Run 1
OTL by OldTimer - Version 3.1.37.2 Folder = C:\Documents and Settings\Captain\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

255.00 Mb Total Physical Memory | 66.00 Mb Available Physical Memory | 26.00% Memory free
734.00 Mb Paging File | 505.00 Mb Available in Paging File | 69.00% Paging File free
Paging file location(s): C:\pagefile.sys 500 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 21.27 Gb Free Space | 57.11% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CAPTAIN-56248DE
Current User Name: Captain
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1614895754-1767777339-682003330-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire -- File not found
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox -- (Mozilla Corporation)
"C:\Program Files\AVS4YOU\Registration.exe" = C:\Program Files\AVS4YOU\Registration.exe:*:Enabled:Activation -- (Online Media Technologies Ltd.)
"C:\Q3Ademo\quake3.exe" = C:\Q3Ademo\quake3.exe:*:Enabled:quake3 -- File not found
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware -- (Malwarebytes Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 15
"{348CE492-86E7-4594-9051-2F3DCE39463F}" = V-Station demo
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{86B77B5A-B157-6386-37B0-DB2494DEEAFF}" = MozyHome Remote Backup
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ASIO4ALL" = ASIO4ALL
"Audacity_is1" = Audacity 1.2.6
"avast5" = avast! Free Antivirus
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.3
"Collab" = Collab
"ExpressBurn" = Express Burn
"FL Studio 8" = FL Studio 8
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"IL Download Manager" = IL Download Manager
"Live 6.0.1" = Live 6.0.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.0.18)" = Mozilla Firefox (3.0.18)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PC Tools Firewall Plus" = PC Tools Firewall Plus 6.0
"PoiZone" = PoiZone
"Quake 3 Arena Demo" = Quake 3 Arena Demo
"RA3" = Rocket Arena 3 1.76 (remove only)
"rgc:audio z3ta+ VSTi_is1" = rgc:audio z3ta+ VSTi v1.4 DEMO
"Rob Papen Albino 3 Demo" = Rob Papen Albino 3 Demo
"Rob Papen BLUE Version 1.8.0_is1" = Rob Papen BLUE Version 1.8.5d
"Toxic Biohazard" = Toxic Biohazard
"USBAudiophile" = Audiophile USB 1.5.4.15
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/22/2010 11:07:37 PM | Computer Name = CAPTAIN-56248DE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/22/2010 11:07:37 PM | Computer Name = CAPTAIN-56248DE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/22/2010 11:07:37 PM | Computer Name = CAPTAIN-56248DE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/22/2010 11:07:38 PM | Computer Name = CAPTAIN-56248DE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/22/2010 11:07:38 PM | Computer Name = CAPTAIN-56248DE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/22/2010 11:07:38 PM | Computer Name = CAPTAIN-56248DE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/22/2010 11:07:39 PM | Computer Name = CAPTAIN-56248DE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/22/2010 11:07:39 PM | Computer Name = CAPTAIN-56248DE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/22/2010 11:07:39 PM | Computer Name = CAPTAIN-56248DE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/22/2010 11:07:40 PM | Computer Name = CAPTAIN-56248DE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 3/1/2010 2:43:41 PM | Computer Name = CAPTAIN-56248DE | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service VSS with arguments
"" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}

Error - 3/3/2010 2:16:02 PM | Computer Name = CAPTAIN-56248DE | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 3/5/2010 4:37:44 PM | Computer Name = CAPTAIN-56248DE | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 3/6/2010 9:22:37 PM | Computer Name = CAPTAIN-56248DE | Source = System Error | ID = 1003
Description = Error code 1000000a, parameter1 e43acb00, parameter2 00000002, parameter3
00000000, parameter4 804f435b.

Error - 3/6/2010 9:23:08 PM | Computer Name = CAPTAIN-56248DE | Source = System Error | ID = 1003
Description = Error code 1000000a, parameter1 00000023, parameter2 00000002, parameter3
00000000, parameter4 804f435e.

Error - 3/6/2010 9:23:12 PM | Computer Name = CAPTAIN-56248DE | Source = System Error | ID = 1003
Description = Error code 100000d1, parameter1 ff8cc000, parameter2 00000002, parameter3
00000000, parameter4 f4bf637b.

Error - 3/7/2010 4:37:40 PM | Computer Name = CAPTAIN-56248DE | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 3/11/2010 8:36:35 PM | Computer Name = CAPTAIN-56248DE | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 3/13/2010 8:36:36 PM | Computer Name = CAPTAIN-56248DE | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 3/15/2010 8:36:37 PM | Computer Name = CAPTAIN-56248DE | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >
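The Security Center and firewall sections of the log above deserve a second look: both Windows Firewall profiles show "EnableFirewall" = 0 (expected when a third-party product such as PC Tools Firewall Plus is installed, but also exactly what a rogue AV switches off), the 3389:TCP exception is scoped to * (any remote host) instead of LocalSubNet, and two authorized applications point at binaries that no longer exist. The script below is an added example, not part of the thread and not OTL's code: it parses OTL's registry-dump layout and flags those conditions. Its input is a constructed sample that mirrors the posted lines.

```python
"""Triage the Security Center / Windows Firewall sections of an OTL log.

Added example, not OTL's code. Parses the registry-dump layout OTL prints
([key] lines followed by "name" = value lines) and reports the settings a
responder checks first after a rogue-AV infection.
"""
import re

# Constructed sample that mirrors the lines of the posted log.
SAMPLE_OTL = r"""========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire -- File not found
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox -- (Mozilla Corporation)
"C:\Q3Ademo\quake3.exe" = C:\Q3Ademo\quake3.exe:*:Enabled:quake3 -- File not found
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')

FW_POLICY = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
SEC_CENTER = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
# Security Center values that, when set to 1, silence its warnings.
SILENCERS = ('FirewallDisableNotify', 'UpdatesDisableNotify', 'AntiVirusDisableNotify',
             'FirewallOverride', 'AntiVirusOverride')


def parse_registry_dump(text):
    """Return {key_path: {value_name: value_data}} for every [key] block."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group('key'), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group('name')] = m.group('value').strip()
    return keys


def triage_firewall(text):
    """Return a list of (finding, detail) tuples for the conditions described above."""
    keys = parse_registry_dump(text)
    findings = []

    # 1. Host firewall switched off in a profile.
    for profile in ('DomainProfile', 'StandardProfile'):
        if keys.get(FW_POLICY + '\\' + profile, {}).get('EnableFirewall') == '0':
            findings.append(('firewall_disabled', profile))

    for key, values in keys.items():
        # 2. Port exceptions whose scope is '*' (any remote host) instead of LocalSubNet.
        #    Data layout: port:proto:scope:state:description
        if key.startswith(FW_POLICY) and key.endswith(r'GloballyOpenPorts\List'):
            for name, data in values.items():
                fields = data.split(':')
                if len(fields) >= 4 and fields[2] == '*':
                    findings.append(('port_open_to_any_host', f'{name} ({fields[3]})'))
        # 3. Authorized applications whose binary is gone (OTL appends "File not found").
        if key.startswith(FW_POLICY) and key.endswith(r'AuthorizedApplications\List'):
            for name, data in values.items():
                if data.endswith('File not found'):
                    findings.append(('authorized_app_missing', name))

    # 4. Security Center warnings silenced (common rogue-AV tampering).
    sc = keys.get(SEC_CENTER, {})
    for name in SILENCERS:
        if sc.get(name) == '1':
            findings.append(('security_center_silenced', name))
    return findings


if __name__ == '__main__':
    for finding, detail in triage_firewall(SAMPLE_OTL):
        print(f'{finding:24} {detail}')
```

Stale "File not found" exceptions are not malicious by themselves, but an exception pointing at a path that no longer exists is one an attacker can reuse just by dropping a binary at that path, so they are worth removing while the machine is being cleaned.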




#6 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 17 March 2010 - 04:40 PM

Hi,

It looks like you have some nasty malware there; let's see if this tool can take it out.

Please download Hitman Pro 3.5 and save it to your Desktop.
  • Double click HitmanPro35.exe and select run.
  • Click Next then accept the licence agreement and click Next again.
  • Hitman Pro will now scan your computer.
  • If it finds anything in the scan results click Next.
  • You will then be asked for product activation, select Activate free licence then ok.
  • Click Next and if asked to delete on reboot, click Next again then Reboot.
Note: This scanner won't produce a log, so if it finds anything please note it down and post it in your reply.



#7 Olga Gierowitz (Topic Starter, Members, 29 posts)

Posted 17 March 2010 - 05:15 PM

Okay scan completed, and this was found:

atapi.sys - ROOTKIT in c:\WINDOWS\SYSTEM32\DRIVERS

AND

Unsafe DNS Server Address 93.188.164.118
This network connection is using a blacklisted DNS server address

The Hitman first repaired the DNS issue and then said to reboot to remove the Rootkit, which I did. Upon reboot I got a message from Windows saying that it had just recovered from a major system problem, but there was an error which caused the Hitman, which was trying to do another scan on reboot, to crash.
I asked for an error file and it's here: http://wer.microsoft.com/responses/Respons...31-42a93eacedf0

Restarted Hitman again without problems and it did not show those issues that it did on the first scan, like the Rootkit and the DNS but now shows:

algo.dll
C:\Program Files\Alwil Software\Avast5\defs\10031700\
There are indications this file is a threat. However, it can also be benign. Contains high amounts of malware related properties. It is potentially malicious software.

I have not clicked next on the scan, waiting for further instructions
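A resolver hijack like the one Hitman Pro reported is easy to check for by hand, and worth re-checking after cleanup. The script below is an added example (not part of the thread and not Hitman Pro's code) that pulls the DNS Servers entries out of `ipconfig /all` output and matches them against a blocklist of rogue resolver networks. The sample output is constructed; the single blocklist entry, 93.188.160.0/21, contains the 93.188.164.118 address reported above and is one of the ranges the FBI later published for the DNSChanger rogue resolvers. Treat that list as an assumption to replace with current threat intelligence.

```python
"""Flag configured DNS resolvers that fall inside known rogue-resolver ranges.

Added example, not Hitman Pro's code. The blocklist is an assumption to replace
with current threat intelligence; the one entry here is the 93.188.160.0/21
network that contains the 93.188.164.118 resolver reported in the thread.
"""
import ipaddress
import re

ROGUE_RESOLVER_RANGES = [ipaddress.ip_network('93.188.160.0/21')]  # assumed blocklist

# Constructed sample in the layout of `ipconfig /all` on Windows XP.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : CAPTAIN-56248DE
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 93.188.164.118
                                            192.168.1.1
"""

_ADAPTER_RE = re.compile(r'^(\S.*):\s*$')                    # unindented line ending in ':'
_DNS_RE = re.compile(r'^\s*DNS Servers[ .]*:\s*(\S*)\s*$')
_CONT_RE = re.compile(r'^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$')  # indented bare address


def parse_dns_servers(ipconfig_text):
    """Return {adapter_name: [resolver, ...]} from `ipconfig /all` output."""
    adapters, adapter, in_dns_list = {}, None, False
    for line in ipconfig_text.splitlines():
        m = _ADAPTER_RE.match(line)
        if m:
            adapter, in_dns_list = m.group(1), False
            continue
        m = _DNS_RE.match(line)
        if m and adapter is not None:
            servers = adapters.setdefault(adapter, [])
            if m.group(1):
                servers.append(m.group(1))
            in_dns_list = True          # further resolvers follow on indented lines
            continue
        m = _CONT_RE.match(line) if in_dns_list else None
        if m:
            adapters[adapter].append(m.group(1))
        else:
            in_dns_list = False
    return adapters


def find_rogue_resolvers(ipconfig_text, ranges=ROGUE_RESOLVER_RANGES):
    """Return [(adapter, resolver, matching_network)] for blocklisted resolvers."""
    hits = []
    for adapter, servers in parse_dns_servers(ipconfig_text).items():
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:          # e.g. a resolver given by hostname
                continue
            for net in ranges:
                if addr in net:
                    hits.append((adapter, server, str(net)))
                    break
    return hits


if __name__ == '__main__':
    for adapter, server, net in find_rogue_resolvers(SAMPLE_IPCONFIG):
        print(f'{adapter}: resolver {server} is inside blocklisted {net}')
```

On Windows XP the per-interface setting this reads back lives in HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\NameServer, which is what a repair tool rewrites. DNS-changing malware of this era also rewrote the DNS settings of home routers, so once the host is clean the router's WAN DNS servers are worth checking against the same list.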





#8 Olga Gierowitz (Topic Starter, Members, 29 posts)

Posted 17 March 2010 - 11:15 PM

FYI - I am noticing a marked improvement in the performance of my computer: no noticeable redirects while online, I was able to download and install Spybot, which I could not do before, and I was also able to access Windows Updates, which were also being blocked before.

Still have not exited or done any further action with the Hitman, as per my previous post, waiting further instructions on what was last found by that superb software.

Thanks

#9 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 18 March 2010 - 01:16 PM

Hi,

You should leave the other file that Hitman found alone; it looks to be connected to Avast. Please do this next.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#10 Olga Gierowitz (Topic Starter, Members, 29 posts)

Posted 18 March 2010 - 02:45 PM

I assume I should close all Internet browsers prior to disabling my virus software? And then once ComboFix is done, can I re-enable my virus software prior to coming back here to post? Also, should I disable my PC Tools firewall as well?

Thanks


SORRY NEVER MIND JUST GOT THE ANSWER IN THE HELP LINK YOU GAVE!

Edited by Olga Gierowitz, 18 March 2010 - 02:59 PM.


#11 Olga Gierowitz (Topic Starter, Members, 29 posts)

Posted 18 March 2010 - 03:38 PM

HERE IS THE COMBO FIX


ComboFix 10-03-17.07 - Captain 03/18/2010 13:23:53.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.105 [GMT -7:00]
Running from: c:\documents and settings\Captain\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Captain\Local Settings\Application Data\{FB7CE0EA-CC60-4199-9D24-890DDE80D552}
c:\documents and settings\Captain\Local Settings\Application Data\{FB7CE0EA-CC60-4199-9D24-890DDE80D552}\chrome.manifest
c:\documents and settings\Captain\Local Settings\Application Data\{FB7CE0EA-CC60-4199-9D24-890DDE80D552}\chrome\content\_cfg.js
c:\documents and settings\Captain\Local Settings\Application Data\{FB7CE0EA-CC60-4199-9D24-890DDE80D552}\chrome\content\overlay.xul
c:\documents and settings\Captain\Local Settings\Application Data\{FB7CE0EA-CC60-4199-9D24-890DDE80D552}\install.rdf
c:\windows\system32\41.exe
c:\windows\system32\ES15.exe
c:\windows\system32\helpers32.dll
c:\windows\system32\msvcsv60.dll
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

.
((((((((((((((((((((((((( Files Created from 2010-02-18 to 2010-03-18 )))))))))))))))))))))))))))))))
.

2010-03-18 00:20 . 2010-03-18 20:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-18 00:20 . 2010-03-18 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-17 21:51 . 2010-03-18 20:14 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-03-17 21:51 . 2010-03-17 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-03-17 21:51 . 2010-03-17 21:51 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-03-01 18:30 . 2010-01-04 19:36 54776 ----a-w- c:\windows\system32\drivers\mozy.sys
2010-03-01 18:30 . 2010-03-01 18:30 -------- d-----w- c:\program files\MozyHome
2010-02-25 19:11 . 2010-02-25 19:11 -------- d-----w- c:\windows\system32\LogFiles
2010-02-24 20:26 . 2010-03-01 18:56 81984 ----a-w- c:\windows\system32\bdod.bin
2010-02-24 18:47 . 2010-02-24 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-02-24 18:45 . 2010-03-01 18:57 -------- d-----w- c:\program files\Common Files\BitDefender
2010-02-24 06:43 . 2010-02-24 06:44 -------- d-----w- c:\documents and settings\Captain\Application Data\PCToolsFirewallPlus
2010-02-24 06:39 . 2010-01-12 17:34 70664 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-02-24 06:39 . 2010-01-07 19:35 58816 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2010-02-24 06:39 . 2010-01-07 19:35 32680 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2010-02-24 06:39 . 2010-01-13 16:59 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2010-02-24 06:39 . 2010-03-18 16:08 -------- d-----w- c:\program files\PC Tools Firewall Plus
2010-02-24 06:35 . 2010-02-05 17:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-24 06:34 . 2009-11-23 21:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-24 06:34 . 2009-11-09 19:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-24 06:33 . 2010-02-24 20:25 -------- d-----w- c:\program files\Common Files\PC Tools
2010-02-24 05:01 . 2010-03-01 18:50 -------- d-----w- c:\program files\ATS2
2010-02-24 02:51 . 2010-03-01 18:30 -------- dc----w- c:\windows\system32\DRVSTORE
2010-02-24 02:39 . 2010-02-24 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-24 01:50 . 2010-02-24 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-02-24 01:48 . 2010-02-24 01:48 -------- d-----w- c:\program files\Common Files\iS3
2010-02-24 01:48 . 2010-02-24 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-02-23 02:23 . 2010-02-23 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-23 01:48 . 2010-02-23 01:48 -------- d-----w- c:\documents and settings\Captain\Local Settings\Application Data\Threat Expert
2010-02-22 23:48 . 2010-02-22 23:48 -------- d-----w- c:\program files\Trend Micro
2010-02-20 02:35 . 2010-02-20 02:35 2967799 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-19 23:02 . 2010-02-24 20:08 120 ----a-w- c:\windows\Kyuxocig.dat
2010-02-19 23:02 . 2010-02-24 18:04 0 ----a-w- c:\windows\Pzecobit.bin
2010-02-19 22:58 . 2010-02-22 20:15 -------- d-----w- c:\documents and settings\Captain\Application Data\3F8365D59E9F7EE43B4F15EC1B15434C

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-18 20:13 . 2009-01-02 03:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-18 03:22 . 2009-01-02 04:37 -------- d-----w- c:\program files\VstPlugins
2010-03-17 22:01 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-01 20:35 . 2009-01-02 04:41 -------- d-----w- c:\program files\AVS4YOU
2010-03-01 20:23 . 2009-01-02 04:39 -------- d-----w- c:\program files\REAPER
2010-03-01 20:23 . 2009-02-14 19:20 -------- d-----w- c:\program files\NCH Swift Sound
2010-03-01 20:12 . 2009-01-02 04:33 -------- d-----w- c:\program files\Tunafish
2010-03-01 20:11 . 2009-01-02 04:50 -------- d-----w- c:\program files\Moo0
2010-02-24 03:13 . 2010-02-24 03:10 1464 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-02-23 02:28 . 2009-10-14 15:53 -------- d-----w- c:\program files\Alwil Software
2010-02-22 19:54 . 2009-01-02 03:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 00:14 . 2008-09-28 00:39 21904 ----a-w- c:\documents and settings\Captain\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-11 18:53 . 2009-10-14 15:54 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-11 18:53 . 2009-10-14 15:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-11 18:42 . 2009-10-14 15:54 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-11 18:42 . 2009-10-14 15:54 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-11 18:39 . 2009-10-14 15:54 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-11 18:38 . 2009-10-14 15:54 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-11 18:38 . 2009-10-14 15:54 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-11 18:38 . 2009-10-14 15:54 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-11 18:38 . 2009-10-14 15:54 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-03 06:36 . 2010-02-03 06:36 -------- d-----w- c:\program files\eLicenser
2010-02-02 04:45 . 2010-02-02 04:45 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-01-31 05:52 . 2010-01-31 05:52 -------- d-----w- c:\program files\Quake III Arena
2010-01-17 03:44 . 2010-01-16 23:03 16 ----a-w- c:\windows\msocreg32.dat
2010-01-05 10:00 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-26 01:35 . 2009-12-26 01:44 724992 ----a-w- c:\windows\iun6002.exe
1998-12-09 01:53 . 1998-12-09 01:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 01:53 . 1998-12-09 01:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 01:53 . 1998-12-09 01:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 01:53 . 1998-12-09 01:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 01:53 . 1998-12-09 01:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 01:53 . 1998-12-09 01:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2010-01-04 19:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2010-01-04 19:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-03-17 5650240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MA003DMN.LNK - c:\program files\M-Audio Audiophile USB\Dmn\ma003dmn.exe [2009-12-25 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2010-1-4 2893624]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [2001-4-2 45568]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVS4YOU\\Registration.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/14/2009 8:54 AM 162512]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2/23/2010 11:35 PM 233136]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/14/2009 8:54 AM 19024]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2/23/2010 11:34 PM 88040]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2/23/2010 11:39 PM 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [2/23/2010 11:39 PM 58816]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2/23/2010 11:39 PM 115216]

--- Other Services/Drivers In Memory ---

*Deregistered* - hitmanpro35
.
Contents of the 'Scheduled Tasks' folder

2010-03-16 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 09:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyServer = 255.255.0.255:80
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\Captain\Application Data\Mozilla\Firefox\Profiles\eu20joj4.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-Evozawumiforawum - c:\windows\emobumeru.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-18 13:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-03-18 13:35:14
ComboFix-quarantined-files.txt 2010-03-18 20:35

Pre-Run: 22,736,547,840 bytes free
Post-Run: 22,944,022,528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 5B143FC5C7BA852160760D607EBD15A7
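One line in the Find3M section of the log above ties back to the Hitman Pro result: c:\windows\system32\drivers\atapi.sys has a last-write time of 2010-03-17 22:01, minutes after Hitman Pro's files appear (21:51), while its creation date stays 2004-08-04. That is what you expect when a rootkit has patched the real driver in place and the scanner has restored it. Without a scanner, the same question (does the live driver still match the copy Windows keeps for itself?) can be answered with a hash comparison. The following is an added example, not part of the thread or of any tool in it. The directory layout is a parameter (on XP the live drivers sit in C:\WINDOWS\system32\drivers and reference copies in C:\WINDOWS\ServicePackFiles\i386 and C:\WINDOWS\system32\dllcache, assumed here); demo() builds a throwaway layout with constructed file contents rather than real drivers.

```python
"""Hash live drivers against Windows' own backup copies to spot in-place patching.

Added example, not part of the thread or of any tool in it. The directory
layout (a drivers dir plus reference dirs such as ServicePackFiles\\i386 and
dllcache) is assumed and passed in as parameters; demo() builds a throwaway
layout with constructed file contents so the check runs anywhere.
"""
import hashlib
import os
import shutil
import tempfile

# Constructed watch list of boot-critical drivers worth checking first.
WATCHED_DRIVERS = ('atapi.sys', 'iastor.sys', 'ndis.sys', 'tcpip.sys')


def sha256_of(path, chunk=1 << 16):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def find_patched_drivers(drivers_dir, reference_dirs, names=WATCHED_DRIVERS):
    """Return {driver: 'ok' | 'mismatch' | 'no_reference'} for the drivers present.

    'mismatch' means the live file matches none of the reference copies. A
    legitimate hotfix produces the same result, so confirm against the file's
    Authenticode signature or a known-good hash before calling it malicious.
    """
    results = {}
    for name in names:
        live = os.path.join(drivers_dir, name)
        if not os.path.isfile(live):
            continue
        live_hash = sha256_of(live)
        reference_hashes = [sha256_of(os.path.join(d, name))
                            for d in reference_dirs
                            if os.path.isfile(os.path.join(d, name))]
        if not reference_hashes:
            results[name] = 'no_reference'
        elif live_hash in reference_hashes:
            results[name] = 'ok'
        else:
            results[name] = 'mismatch'
    return results


def demo():
    """Build a temporary layout with one patched driver and run the check."""
    root = tempfile.mkdtemp()
    try:
        drivers = os.path.join(root, 'system32', 'drivers')
        ref = os.path.join(root, 'ServicePackFiles', 'i386')
        os.makedirs(drivers)
        os.makedirs(ref)
        # Constructed stand-ins for driver images; not real binaries.
        clean_atapi = b'MZ' + b'\x00' * 62 + b'clean atapi driver body'
        # In-place patch: same size, a few bytes in the body overwritten.
        patched_atapi = clean_atapi[:40] + b'HOOK' + clean_atapi[44:]
        assert len(patched_atapi) == len(clean_atapi)
        with open(os.path.join(ref, 'atapi.sys'), 'wb') as f:
            f.write(clean_atapi)
        with open(os.path.join(drivers, 'atapi.sys'), 'wb') as f:
            f.write(patched_atapi)
        for d in (ref, drivers):                       # untouched driver, identical copies
            with open(os.path.join(d, 'ndis.sys'), 'wb') as f:
                f.write(b'ndis driver body')
        with open(os.path.join(drivers, 'tcpip.sys'), 'wb') as f:
            f.write(b'tcpip driver body')              # no reference copy present
        return find_patched_drivers(drivers, [ref])
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    for name, status in demo().items():
        print(f'{name:12} {status}')
```

Two caveats apply on a live host. A kernel rootkit that filters disk reads can hand a live scan the clean bytes, so hash from clean boot media or against an offline image of the disk rather than from inside the infected OS. And a size and timestamp match is not enough: the patched driver here keeps the original size, which is why the comparison is on content hashes.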


#12 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 19 March 2010 - 01:00 PM

Hello,

Can you tell me if you set this proxy setting for IE?

uInternet Settings,ProxyServer = 255.255.0.255:80


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/299307/please-help-infected-from-rogue-software-security-essentials/

Collect::
c:\windows\Kyuxocig.dat
c:\windows\Pzecobit.bin
DirLook::
c:\documents and settings\Captain\Application Data\3F8365D59E9F7EE43B4F15EC1B15434C


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then update Malwarebytes and run a quick scan and post back with combofix.txt and the MBAM log.

Thanks



#13 Olga Gierowitz (Topic Starter, Members, 29 posts)

Posted 19 March 2010 - 04:49 PM

Hello,

Yes, that was me that added the proxy setting in IE. I have now deleted it, as it was unnecessary, though I did not have it selected anyway; the selection was "automatically detect proxy settings".

Working on the new logs now

Thanks

#14 Olga Gierowitz (Topic Starter, Members, 29 posts)

Posted 19 March 2010 - 06:19 PM

Hello,

Here are both the logs you asked for:

ComboFix 10-03-19.04 - Captain 03/19/2010 15:04:19.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.109 [GMT -7:00]
Running from: c:\documents and settings\Captain\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Captain\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

file zipped: c:\windows\Kyuxocig.dat
file zipped: c:\windows\Pzecobit.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Kyuxocig.dat
c:\windows\Pzecobit.bin

.
((((((((((((((((((((((((( Files Created from 2010-02-19 to 2010-03-19 )))))))))))))))))))))))))))))))
.

2010-03-19 00:09 . 2010-03-19 00:16 -------- d-----w- c:\documents and settings\Captain\Application Data\BitDefender
2010-03-19 00:08 . 2010-03-19 00:08 -------- d-----w- C:\Sandbox
2010-03-19 00:08 . 2010-03-19 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\COMODO
2010-03-19 00:01 . 2009-10-15 02:08 32000 ----a-w- c:\windows\system32\drivers\tap0901.sys
2010-03-19 00:01 . 2010-03-19 00:26 -------- d-----w- c:\program files\Comodo
2010-03-19 00:00 . 2010-03-19 00:00 1510584 ----a-w- c:\documents and settings\All Users\Application Data\Comodo Downloader\trustconnectclient.exe
2010-03-18 23:59 . 2010-03-19 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2010-03-18 00:20 . 2010-03-18 20:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-18 00:20 . 2010-03-18 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-17 21:51 . 2010-03-19 00:47 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-03-17 21:51 . 2010-03-17 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-03-17 21:51 . 2010-03-17 21:51 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-03-04 02:54 . 2010-03-04 02:54 276648 ----a-w- c:\windows\system32\guard32.dll
2010-03-04 02:54 . 2010-03-04 02:54 86720 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-03-04 02:54 . 2010-03-04 02:54 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-03-04 02:54 . 2010-03-04 02:54 214056 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-03-04 02:54 . 2010-03-04 02:54 15376 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-03-01 18:30 . 2010-01-04 19:36 54776 ----a-w- c:\windows\system32\drivers\mozy.sys
2010-03-01 18:30 . 2010-03-01 18:30 -------- d-----w- c:\program files\MozyHome
2010-02-25 19:11 . 2010-02-25 19:11 -------- d-----w- c:\windows\system32\LogFiles
2010-02-24 20:26 . 2010-03-01 18:56 81984 ----a-w- c:\windows\system32\bdod.bin
2010-02-24 18:47 . 2010-02-24 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-02-24 18:45 . 2010-03-19 00:17 -------- d-----w- c:\program files\Common Files\BitDefender
2010-02-24 06:33 . 2010-03-19 00:32 -------- d-----w- c:\program files\Common Files\PC Tools
2010-02-24 05:01 . 2010-03-01 18:50 -------- d-----w- c:\program files\ATS2
2010-02-24 02:51 . 2010-03-01 18:30 -------- dc----w- c:\windows\system32\DRVSTORE
2010-02-24 02:39 . 2010-02-24 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-24 01:50 . 2010-02-24 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-02-24 01:48 . 2010-02-24 01:48 -------- d-----w- c:\program files\Common Files\iS3
2010-02-24 01:48 . 2010-02-24 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-02-23 02:23 . 2010-02-23 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-23 01:48 . 2010-02-23 01:48 -------- d-----w- c:\documents and settings\Captain\Local Settings\Application Data\Threat Expert
2010-02-22 23:48 . 2010-02-22 23:48 -------- d-----w- c:\program files\Trend Micro
2010-02-20 02:35 . 2010-02-20 02:35 2967799 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-19 22:58 . 2010-02-22 20:15 -------- d-----w- c:\documents and settings\Captain\Application Data\3F8365D59E9F7EE43B4F15EC1B15434C

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-19 00:31 . 2009-01-02 03:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-18 03:22 . 2009-01-02 04:37 -------- d-----w- c:\program files\VstPlugins
2010-03-17 22:01 . 2004-08-04 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-01 20:35 . 2009-01-02 04:41 -------- d-----w- c:\program files\AVS4YOU
2010-03-01 20:23 . 2009-01-02 04:39 -------- d-----w- c:\program files\REAPER
2010-03-01 20:23 . 2009-02-14 19:20 -------- d-----w- c:\program files\NCH Swift Sound
2010-03-01 20:12 . 2009-01-02 04:33 -------- d-----w- c:\program files\Tunafish
2010-03-01 20:11 . 2009-01-02 04:50 -------- d-----w- c:\program files\Moo0
2010-02-24 03:13 . 2010-02-24 03:10 1464 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-02-23 02:28 . 2009-10-14 15:53 -------- d-----w- c:\program files\Alwil Software
2010-02-22 19:54 . 2009-01-02 03:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 00:14 . 2008-09-28 00:39 21904 ----a-w- c:\documents and settings\Captain\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-11 18:53 . 2009-10-14 15:54 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-11 18:53 . 2009-10-14 15:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-11 18:42 . 2009-10-14 15:54 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-11 18:42 . 2009-10-14 15:54 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-11 18:39 . 2009-10-14 15:54 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-11 18:38 . 2009-10-14 15:54 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-11 18:38 . 2009-10-14 15:54 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-11 18:38 . 2009-10-14 15:54 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-11 18:38 . 2009-10-14 15:54 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-03 06:36 . 2010-02-03 06:36 -------- d-----w- c:\program files\eLicenser
2010-02-02 04:45 . 2010-02-02 04:45 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-01-31 05:52 . 2010-01-31 05:52 -------- d-----w- c:\program files\Quake III Arena
2010-01-17 03:44 . 2010-01-16 23:03 16 ----a-w- c:\windows\msocreg32.dat
2010-01-05 10:00 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-26 01:35 . 2009-12-26 01:44 724992 ----a-w- c:\windows\iun6002.exe
1998-12-09 01:53 . 1998-12-09 01:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 01:53 . 1998-12-09 01:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 01:53 . 1998-12-09 01:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 01:53 . 1998-12-09 01:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 01:53 . 1998-12-09 01:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 01:53 . 1998-12-09 01:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Captain\Application Data\3F8365D59E9F7EE43B4F15EC1B15434C ----



((((((((((((((((((((((((((((( SnapShot@2010-03-18_20.30.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-19 21:56 . 2010-03-19 21:56 16384 c:\windows\Temp\Perflib_Perfdata_73c.dat
+ 2010-03-19 21:56 . 2010-03-19 21:56 16384 c:\windows\Temp\Perflib_Perfdata_574.dat
+ 2010-03-19 00:06 . 2010-03-19 00:06 3325440 c:\windows\Installer\d24dec.msi
+ 2010-03-19 00:04 . 2010-03-19 00:04 1516544 c:\windows\Installer\d24de8.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2010-01-04 19:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2010-01-04 19:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-03-04 1983760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MA003DMN.LNK - c:\program files\M-Audio Audiophile USB\Dmn\ma003dmn.exe [2009-12-25 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2010-1-4 2893624]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [2001-4-2 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVS4YOU\\Registration.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/14/2009 8:54 AM 162512]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [3/3/2010 7:54 PM 214056]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [3/3/2010 7:54 PM 25160]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/14/2009 8:54 AM 19024]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\Comodo\COMODO livePCsupport\CLPSLS.exe [2/12/2010 7:23 PM 148744]
.
Contents of the 'Scheduled Tasks' folder

2010-03-16 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 09:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
FF - ProfilePath - c:\documents and settings\Captain\Application Data\Mozilla\Firefox\Profiles\eu20joj4.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-19 15:12
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-03-19 15:17:10
ComboFix-quarantined-files.txt 2010-03-19 22:17
ComboFix2.txt 2010-03-18 20:35

Pre-Run: 22,621,593,600 bytes free
Post-Run: 22,589,243,392 bytes free

- - End Of File - - F212AD7BCE3C729AF9BB8F05EEC3ECFF
Upload was successful



Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

3/19/2010 4:15:40 PM
mbam-log-2010-03-19 (16-15-40).txt

Scan type: Quick Scan
Objects scanned: 118414
Time elapsed: 7 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




#15 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 19 March 2010 - 06:39 PM

Hi, that's looking better. Can you tell me how the computer is running?

You can navigate to the following folder and delete it.

c:\documents and settings\Captain\Application Data\3F8365D59E9F7EE43B4F15EC1B15434C

You haven't updated Malwarebytes to the latest database. Please update it until it says there are no more updates,
then run another scan and post back with the log.






