
Hacktool rootkit removed. I think???


  • This topic is locked
30 replies to this topic

#1 borg2020

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:08 PM

Posted 24 March 2010 - 12:06 AM

Hi, can someone have a look at my HijackThis log and tell me if I can remove all the "file missing" entries and if there are any signs of further infection?
Running Win 7 64-bit with Webroot AntiVirus with SpySweeper + Symantec AntiVirus 2010 + Malwarebytes free + Spybot S&D + Avenger + HijackThis.
(Yes, I know, but I wanted to be sure.)

EDIT: I am now sure that I have some level of infection. Two more scans have brought up this virus: http://securityresponse.symantec.com/secur...-99&tabid=3
though there seem to be about 6 hours between infections, because I also have clean scans.

Thanks in advance for any help you can give.

Attached Files


Edited by borg2020, 24 March 2010 - 04:10 PM.



#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,833 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:06:08 AM

Posted 25 March 2010 - 04:53 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 borg2020

  • Topic Starter
  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:08 PM

Posted 25 March 2010 - 05:20 AM

Hi Elise,
Thank you so much for your help. I have already run and installed OTL earlier today but have since installed the http://www.eset.com/online-scanner as it seemed to be the next logical step. Is that an issue?
Here is the log from OTL as requested. I will post the ESET log as soon as it is finished, as it is running now.
OTL logfile created on: 3/25/2010 6:40:05 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\admin\Desktop
64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 46.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 833.85 Gb Total Space | 815.68 Gb Free Space | 97.82% Space Free | Partition Type: NTFS
Drive D: | 97.56 Gb Total Space | 85.58 Gb Free Space | 87.72% Space Free | Partition Type: NTFS
Unable to calculate disk information.
F: Drive not present or media not loaded
Drive G: | 465.76 Gb Total Space | 14.21 Gb Free Space | 3.05% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CGAW
Current User Name: admin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/25 18:39:33 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\admin\Desktop\OTL.exe
PRC - [2010/03/23 18:43:14 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files (x86)\Webroot\WebrootSecurity\WRConsumerService.exe
PRC - [2009/11/06 12:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeper.exe
PRC - [2009/05/14 14:31:16 | 000,136,080 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec AntiVirus\VPTray.exe
PRC - [2009/05/14 14:31:14 | 000,283,024 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec AntiVirus\VPC32.exe
PRC - [2009/05/14 14:30:56 | 001,956,240 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe
PRC - [2009/05/14 14:30:44 | 000,031,120 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe
PRC - [2009/05/04 15:08:10 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
PRC - [2009/05/04 15:07:42 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe


========== Modules (SafeList) ==========

MOD - [2010/03/25 18:39:33 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\admin\Desktop\OTL.exe
MOD - [2009/07/14 12:15:07 | 000,486,912 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\comdlg32.dll
MOD - [2009/07/14 12:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009/07/14 12:41:59 | 000,229,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\wwansvc.dll -- (WwanSvc)
SRV:64bit: - [2009/07/14 12:41:56 | 000,202,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\wbiosrvc.dll -- (WbioSrvc)
SRV:64bit: - [2009/07/14 12:41:56 | 000,195,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\umrdp.dll -- (UmRdpService)
SRV:64bit: - [2009/07/14 12:41:56 | 000,163,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\umpo.dll -- (Power)
SRV:64bit: - [2009/07/14 12:41:55 | 000,044,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\themeservice.dll -- (Themes)
SRV:64bit: - [2009/07/14 12:41:54 | 000,065,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\sppuinotify.dll -- (sppuinotify)
SRV:64bit: - [2009/07/14 12:41:54 | 000,029,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\sensrsvc.dll -- (SensrSvc)
SRV:64bit: - [2009/07/14 12:41:53 | 001,361,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\PeerDistSvc.dll -- (PeerDistSvc)
SRV:64bit: - [2009/07/14 12:41:53 | 000,327,168 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\pnrpsvc.dll -- (PNRPsvc)
SRV:64bit: - [2009/07/14 12:41:53 | 000,327,168 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\pnrpsvc.dll -- (p2pimsvc)
SRV:64bit: - [2009/07/14 12:41:53 | 000,187,904 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\provsvc.dll -- (HomeGroupProvider)
SRV:64bit: - [2009/07/14 12:41:53 | 000,067,072 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\SysNative\RpcEpMap.dll -- (RpcEptMapper)
SRV:64bit: - [2009/07/14 12:41:53 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\pnrpauto.dll -- (PNRPAutoReg)
SRV:64bit: - [2009/07/14 12:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/14 12:41:18 | 000,231,936 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\ListSvc.dll -- (HomeGroupListener)
SRV:64bit: - [2009/07/14 12:40:54 | 001,127,936 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FntCache.dll -- (FontCache)
SRV:64bit: - [2009/07/14 12:40:28 | 000,314,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\dhcpcore.dll -- (Dhcp)
SRV:64bit: - [2009/07/14 12:40:28 | 000,291,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\defragsvc.dll -- (defragsvc)
SRV:64bit: - [2009/07/14 12:40:24 | 000,689,152 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\cscsvc.dll -- (CscService)
SRV:64bit: - [2009/07/14 12:40:13 | 000,083,968 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\bthserv.dll -- (bthserv)
SRV:64bit: - [2009/07/14 12:40:10 | 000,100,864 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\SysNative\bdesvc.dll -- (BDESVC)
SRV:64bit: - [2009/07/14 12:40:05 | 000,114,688 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\AxInstSv.dll -- (AxInstSV)
SRV:64bit: - [2009/07/14 12:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2009/07/14 12:40:01 | 000,032,256 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appidsvc.dll -- (AppIDSvc)
SRV:64bit: - [2009/07/14 12:39:51 | 001,503,744 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\wbengine.exe -- (wbengine)
SRV:64bit: - [2009/07/14 12:39:28 | 003,524,608 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\SysNative\sppsvc.exe -- (sppsvc)
SRV:64bit: - [2009/07/14 12:39:11 | 000,689,152 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FXSSVC.exe -- (Fax)
SRV - [2010/03/23 18:43:14 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) [Auto | Running] -- C:\Program Files (x86)\Webroot\WebrootSecurity\WRConsumerService.exe -- (WRConsumerService)
SRV - [2009/11/06 12:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Auto | Running] -- C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeper.exe -- (WebrootSpySweeperService)
SRV - [2009/07/14 14:20:14 | 000,000,000 | ---D | M] [On_Demand | Stopped] -- C:\Windows\Vss -- (VSS)
SRV - [2009/07/14 14:20:14 | 000,000,000 | ---D | M] [Unknown | Stopped] -- C:\Windows\SysWOW64\Msdtc -- (MSDTC)
SRV - [2009/07/14 12:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/14 12:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/14 07:30:11 | 000,061,056 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\SysWOW64\wbem\vds.mof -- (vds)
SRV - [2009/06/11 07:39:58 | 000,089,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64)
SRV - [2009/05/14 14:30:56 | 001,956,240 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2009/05/14 14:30:44 | 000,031,120 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2009/05/04 15:07:42 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2009/05/04 15:07:42 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/09/18 11:57:32 | 003,093,872 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2006/10/27 00:47:54 | 000,065,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 44 82 77 49 10 C8 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/03/23 15:15:11 | 000,380,794 | R--- | M]) - C:\Windows\SysNative\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 123fporn.info
O1 - Hosts: 13115 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O4 - HKLM..\Run: [ccApp] C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SpySweeper] C:\Program Files (x86)\Webroot\WebrootSecurity\SpySweeperUI.exe (Webroot Software, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files (x86)\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/...can8/oscan8.cab (BDSCANONLINE Control)
O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30:64bit: - LSA: Authentication Packages - (ows\S) - File not found
O30 - LSA: Authentication Packages - (ows\S) - File not found
O30:64bit: - LSA: Security Packages - (pku2u) - C:\Windows\SysNative\pku2u.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (ZIPM12.EXE) - File not found
O30:64bit: - LSA: Security Packages - (4}) - File not found
O30:64bit: - LSA: Security Packages - (FEDCBA}) - File not found
O30:64bit: - LSA: Security Packages - (TASSISTANTEXTENSION\) - File not found
O30 - LSA: Security Packages - (pku2u) - C:\Windows\SysWow64\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (- (TASSISTANTEXTENSION\) - File not found) - File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs:64bit: Ias - C:\Windows\SysNative\ias [2009/07/14 14:20:14 | 000,000,000 | ---D | M]
NetSvcs:64bit: Irmon - C:\Windows\SysNative\irmon.dll (Microsoft Corporation)
NetSvcs:64bit: Wmi - C:\Windows\SysNative\wmi.dll (Microsoft Corporation)
NetSvcs:64bit: Themes - C:\Windows\SysNative\themeservice.dll (Microsoft Corporation)
NetSvcs:64bit: BDESVC - C:\Windows\SysNative\bdesvc.dll (Microsoft Corporation)
NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
NetSvcs: Ias - C:\Windows\SysWOW64\ias.dll (Microsoft Corporation)
NetSvcs: Wmi - C:\Windows\SysWOW64\wmi.dll (Microsoft Corporation)


ActiveX:64bit: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX:64bit: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX:64bit: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX:64bit: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX:64bit: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX:64bit: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX:64bit: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX:64bit: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX:64bit: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX:64bit: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX:64bit: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX:64bit: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
ActiveX:64bit: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX:64bit: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX:64bit: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX:64bit: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX:64bit: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX:64bit: {FEBEF00C-046D-438D-8A88-BF94A6C9E703} - .NET Framework
ActiveX:64bit: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX:64bit: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
ActiveX:64bit: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\SysWOW64\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\SysWOW64\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32:64bit: aux - C:\Windows\SysNative\wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midi - C:\Windows\SysNative\wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: midimapper - C:\Windows\SysNative\midimap.dll (Microsoft Corporation)
Drivers32:64bit: mixer - C:\Windows\SysNative\wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: msacm.imaadpcm - C:\Windows\SysNative\imaadp32.acm (Microsoft Corporation)
Drivers32:64bit: msacm.l3acm - C:\Windows\SysNative\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32:64bit: msacm.msadpcm - C:\Windows\SysNative\msadp32.acm (Microsoft Corporation)
Drivers32:64bit: msacm.msg711 - C:\Windows\SysNative\msg711.acm (Microsoft Corporation)
Drivers32:64bit: msacm.msgsm610 - C:\Windows\SysNative\msgsm32.acm (Microsoft Corporation)
Drivers32:64bit: vidc.i420 - C:\Windows\SysNative\iyuv_32.dll (Microsoft Corporation)
Drivers32:64bit: vidc.iyuv - C:\Windows\SysNative\iyuv_32.dll (Microsoft Corporation)
Drivers32:64bit: vidc.mrle - C:\Windows\SysNative\msrle32.dll (Microsoft Corporation)
Drivers32:64bit: vidc.msvc - C:\Windows\SysNative\msvidc32.dll (Microsoft Corporation)
Drivers32:64bit: vidc.uyvy - C:\Windows\SysNative\msyuv.dll (Microsoft Corporation)
Drivers32:64bit: vidc.yuy2 - C:\Windows\SysNative\msyuv.dll (Microsoft Corporation)
Drivers32:64bit: vidc.yvu9 - C:\Windows\SysNative\tsbyuv.dll (Microsoft Corporation)
Drivers32:64bit: vidc.yvyu - C:\Windows\SysNative\msyuv.dll (Microsoft Corporation)
Drivers32:64bit: wave - C:\Windows\SysNative\wdmaud.drv (Microsoft Corporation)
Drivers32:64bit: wavemapper - C:\Windows\SysNative\msacm32.drv (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 14 Days ==========

[2010/03/25 18:39:05 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Users\admin\Desktop\OTL.exe
[2010/03/25 11:15:46 | 000,000,000 | ---D | C] -- C:\Windows\BDOSCAN8
[2010/03/24 17:03:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MSXML 4.0
[2010/03/24 14:40:59 | 000,000,000 | ---D | C] -- C:\!KillBox
[2010/03/23 13:52:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MSSOAP
[2010/03/23 13:52:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\MSSoap
[2010/03/23 13:52:00 | 001,563,008 | ---- | C] (Webroot Software, Inc.) -- C:\Windows\WRSetup.dll
[2010/03/23 13:52:00 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Webroot
[2010/03/23 13:52:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Webroot
[2010/03/23 13:52:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Webroot
[2010/03/22 16:10:35 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\ElevatedDiagnostics
[2010/03/22 16:10:27 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\Diagnostics
[2010/03/22 09:22:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Works
[2010/03/22 09:21:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio
[2010/03/22 09:21:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\DESIGNER
[2010/03/22 09:21:14 | 000,000,000 | ---D | C] -- C:\Windows\PCHEALTH
[2010/03/22 09:21:14 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft.NET
[2010/03/22 09:19:09 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2010/03/22 09:19:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio 8
[2010/03/22 09:18:13 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\Microsoft Help
[2010/03/22 09:18:11 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Office
[2010/03/22 09:18:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft Help
[2010/03/22 09:17:45 | 000,000,000 | RH-D | C] -- C:\MSOCache
[2010/03/21 14:06:41 | 000,000,000 | ---D | C] -- C:\Windows\Panther
[2010/03/21 13:27:59 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Malwarebytes
[2010/03/21 13:27:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/03/21 13:27:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/03/21 13:27:54 | 000,022,104 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/03/21 13:27:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/03/21 13:13:40 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2010/03/21 13:11:10 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2010/03/21 13:08:50 | 000,000,000 | -HSD | C] -- C:\System Volume Information
[2010/03/21 12:57:46 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\Symantec
[2010/03/21 12:57:20 | 000,172,080 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
[2010/03/21 12:57:20 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2010/03/21 12:56:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Symantec
[2010/03/21 12:56:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2010/03/21 12:56:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Symantec Shared
[2010/03/21 12:56:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Symantec AntiVirus
[2010/03/21 12:56:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Symantec
[2010/03/20 20:42:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/03/20 20:42:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2010/03/20 20:35:23 | 000,000,000 | ---D | C] -- C:\downloads
[2010/03/20 20:07:15 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA
[2010/03/20 20:06:56 | 000,000,000 | -HSD | C] -- C:\Windows\Installer
[2010/03/20 20:06:51 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2010/03/20 19:27:35 | 000,000,000 | R--D | C] -- C:\Users\admin\Searches
[2010/03/20 19:27:24 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Identities
[2010/03/20 19:27:21 | 000,000,000 | R--D | C] -- C:\Users\admin\Contacts
[2010/03/20 19:27:19 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\VirtualStore
[2010/03/20 19:27:14 | 000,000,000 | --SD | C] -- C:\Users\admin\AppData\Roaming\Microsoft
[2010/03/20 19:27:14 | 000,000,000 | R--D | C] -- C:\Users\admin\Videos
[2010/03/20 19:27:14 | 000,000,000 | R--D | C] -- C:\Users\admin\Saved Games
[2010/03/20 19:27:14 | 000,000,000 | R--D | C] -- C:\Users\admin\Pictures
[2010/03/20 19:27:14 | 000,000,000 | R--D | C] -- C:\Users\admin\Music
[2010/03/20 19:27:14 | 000,000,000 | R--D | C] -- C:\Users\admin\Links
[2010/03/20 19:27:14 | 000,000,000 | R--D | C] -- C:\Users\admin\Favorites
[2010/03/20 19:27:14 | 000,000,000 | R--D | C] -- C:\Users\admin\Downloads
[2010/03/20 19:27:14 | 000,000,000 | R--D | C] -- C:\Users\admin\Documents
[2010/03/20 19:27:14 | 000,000,000 | R--D | C] -- C:\Users\admin\Desktop
[2010/03/20 19:27:14 | 000,000,000 | -HSD | C] -- C:\Users\admin\AppData\Local\Temporary Internet Files
[2010/03/20 19:27:14 | 000,000,000 | -HSD | C] -- C:\Users\admin\Templates
[2010/03/20 19:27:14 | 000,000,000 | -HSD | C] -- C:\Users\admin\Start Menu
[2010/03/20 19:27:14 | 000,000,000 | -HSD | C] -- C:\Users\admin\SendTo
[2010/03/20 19:27:14 | 000,000,000 | -HSD | C] -- C:\Users\admin\Recent
[2010/03/20 19:27:14 | 000,000,000 | -HSD | C] -- C:\Users\admin\PrintHood
[2010/03/20 19:27:14 | 000,000,000 | -HSD | C] -- C:\Users\admin\NetHood
[2010/03/20 19:27:14 | 000,000,000 | -HSD | C] -- C:\Users\admin\Documents\My Videos
[2010/03/20 19:27:14 | 000,000,000 | -HSD | C] -- C:\Users\admin\Documents\My Pictures
[2010/03/20 19:27:14 | 000,000,000 | -HSD | C] -- C:\Users\admin\Documents\My Music
[2010/03/20 19:27:14 | 000,000,000 | -HSD | C] -- C:\Users\admin\My Documents
[2010/03/20 19:27:14 | 000,000,000 | -HSD | C] -- C:\Users\admin\Local Settings
[2010/03/20 19:27:14 | 000,000,000 | -HSD | C] -- C:\Users\admin\AppData\Local\History
[2010/03/20 19:27:14 | 000,000,000 | -HSD | C] -- C:\Users\admin\Cookies
[2010/03/20 19:27:14 | 000,000,000 | -HSD | C] -- C:\Users\admin\Application Data
[2010/03/20 19:27:14 | 000,000,000 | -HSD | C] -- C:\Users\admin\AppData\Local\Application Data
[2010/03/20 19:27:14 | 000,000,000 | -H-D | C] -- C:\Users\admin\AppData
[2010/03/20 19:27:14 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\Temp
[2010/03/20 19:27:14 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\Microsoft
[2010/03/20 19:27:14 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Media Center Programs
[2010/03/20 19:27:03 | 000,000,000 | -HSD | C] -- C:\Recovery

========== Files - Modified Within 14 Days ==========

[2010/03/25 18:41:25 | 004,980,736 | -HS- | M] () -- C:\Users\admin\NTUSER.DAT
[2010/03/25 18:39:33 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\admin\Desktop\OTL.exe
[2010/03/25 01:00:08 | 000,001,692 | ---- | M] () -- C:\Windows\tasks\wrSpySweeper_LDA7BA0385B9240759526BBC0F115F411.job
[2010/03/24 11:53:17 | 000,713,888 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/03/24 11:53:17 | 000,615,122 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/03/24 11:53:17 | 000,103,496 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/03/24 11:52:02 | 000,014,592 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/24 11:52:02 | 000,014,592 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/24 11:43:37 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/03/24 11:43:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/24 11:43:23 | 3220,008,960 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/24 01:00:03 | 000,001,692 | ---- | M] () -- C:\Windows\tasks\wrSpySweeper_L9554C89ED844432A9E02142FC0BBDC20.job
[2010/03/23 18:43:12 | 000,002,020 | ---- | M] () -- C:\Users\Public\Desktop\Webroot AntiVirus.lnk
[2010/03/23 18:42:36 | 000,017,264 | ---- | M] () -- C:\Windows\SysNative\SsiEfr.exe
[2010/03/23 18:42:20 | 000,000,164 | ---- | M] () -- C:\Windows\install.dat
[2010/03/23 15:15:11 | 000,380,794 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\HOSTS
[2010/03/23 13:52:44 | 000,000,590 | ---- | M] () -- C:\Windows\win.ini
[2010/03/23 08:35:45 | 000,108,840 | ---- | M] () -- C:\Users\admin\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/03/22 10:23:48 | 000,416,024 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/03/21 13:27:58 | 000,001,013 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/21 13:14:16 | 000,040,251 | ---- | M] () -- C:\Windows\SysWow64\license.rtf
[2010/03/21 13:14:16 | 000,040,251 | ---- | M] () -- C:\Windows\SysNative\license.rtf
[2010/03/21 12:57:24 | 000,172,080 | ---- | M] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
[2010/03/21 12:57:24 | 000,010,583 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
[2010/03/21 12:57:24 | 000,000,854 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF
[2010/03/20 20:46:53 | 000,380,794 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20100321-125240.backup
[2010/03/20 20:42:09 | 000,001,262 | ---- | M] () -- C:\Users\admin\Desktop\Spybot - Search & Destroy.lnk
[2010/03/20 20:10:24 | 000,524,288 | -HS- | M] () -- C:\Users\admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
[2010/03/20 20:10:24 | 000,524,288 | -HS- | M] () -- C:\Users\admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
[2010/03/20 20:10:24 | 000,065,536 | -HS- | M] () -- C:\Users\admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
[2010/03/20 20:04:44 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2010/03/20 19:27:14 | 000,000,020 | -HS- | M] () -- C:\Users\admin\ntuser.ini

========== Files Created - No Company Name ==========

[2010/03/24 16:44:57 | 000,001,692 | ---- | C] () -- C:\Windows\tasks\wrSpySweeper_LDA7BA0385B9240759526BBC0F115F411.job
[2010/03/23 18:43:12 | 000,002,020 | ---- | C] () -- C:\Users\Public\Desktop\Webroot AntiVirus.lnk
[2010/03/23 15:15:03 | 000,001,692 | ---- | C] () -- C:\Windows\tasks\wrSpySweeper_L9554C89ED844432A9E02142FC0BBDC20.job
[2010/03/23 13:52:05 | 000,017,264 | ---- | C] () -- C:\Windows\SysNative\SsiEfr.exe
[2010/03/23 13:00:45 | 000,000,164 | ---- | C] () -- C:\Windows\install.dat
[2010/03/21 13:27:58 | 000,001,013 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/21 13:08:50 | 3220,008,960 | -HS- | C] () -- C:\hiberfil.sys
[2010/03/21 12:57:20 | 000,010,583 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
[2010/03/21 12:57:20 | 000,000,854 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF
[2010/03/20 20:42:09 | 000,001,262 | ---- | C] () -- C:\Users\admin\Desktop\Spybot - Search & Destroy.lnk
[2010/03/20 20:04:44 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2010/03/20 19:27:14 | 004,980,736 | -HS- | C] () -- C:\Users\admin\NTUSER.DAT
[2010/03/20 19:27:14 | 000,524,288 | -HS- | C] () -- C:\Users\admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
[2010/03/20 19:27:14 | 000,524,288 | -HS- | C] () -- C:\Users\admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
[2010/03/20 19:27:14 | 000,065,536 | -HS- | C] () -- C:\Users\admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
[2010/03/20 19:27:14 | 000,000,020 | -HS- | C] () -- C:\Users\admin\ntuser.ini
[2009/11/06 12:00:28 | 000,031,088 | ---- | C] () -- C:\Windows\SysWow64\wrLZMA.dll
[2009/07/14 10:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/14 08:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/01/05 15:44:10 | 000,000,453 | ---- | C] () -- C:\Windows\bdoscandellang.ini

========== LOP Check ==========

[2009/07/14 16:08:49 | 000,003,880 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/03/24 01:00:03 | 000,001,692 | ---- | M] () -- C:\Windows\Tasks\wrSpySweeper_L9554C89ED844432A9E02142FC0BBDC20.job
[2010/03/25 01:00:08 | 000,001,692 | ---- | M] () -- C:\Windows\Tasks\wrSpySweeper_LDA7BA0385B9240759526BBC0F115F411.job

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2009/07/14 12:15:13 | 000,346,112 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\SysWOW64\dxtmsft.dll
[2009/07/14 12:15:13 | 000,215,552 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\SysWOW64\dxtrans.dll
[2009/07/14 12:15:28 | 000,186,368 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\SysWOW64\iepeers.dll
[2009/11/06 12:00:28 | 000,031,088 | ---- | M] () Unable to obtain MD5 -- C:\Windows\SysWOW64\wrLZMA.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/07/14 12:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\SysWow64\DriverStore\FileRepository\machine.inf_amd64_neutral_9e6bb86c3b39a3e9\AGP440.sys
[2009/07/14 12:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_1607dee2d861e021\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/07/14 12:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysWow64\DriverStore\FileRepository\mshdc.inf_amd64_neutral_a69a58a4286f0b22\atapi.sys
[2009/07/14 12:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/14 12:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
[2009/07/14 12:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
[2009/07/14 12:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
[2009/07/14 12:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\Windows\winsxs\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_4458dccc49458461\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2009/07/14 12:48:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\SysWow64\DriverStore\FileRepository\iastorv.inf_amd64_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/14 12:48:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_0b06441fa1790136\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/14 12:41:52 | 000,692,736 | ---- | M] (Microsoft Corporation) MD5=956D030D375F207B22FB111E06EF9C35 -- C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_59aca8ea51aaeefe\netlogon.dll
[2009/07/14 12:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\SysWOW64\netlogon.dll
[2009/07/14 12:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\SysWOW64\netlogon.dll
[2009/07/14 12:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_6401533c860bb0f9\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2009/07/14 12:45:45 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\SysWow64\DriverStore\FileRepository\nvraid.inf_amd64_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/14 12:45:45 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_95cfb4ced8afab0e\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/07/14 12:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\SysWOW64\scecli.dll
[2009/07/14 12:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\SysWOW64\scecli.dll
[2009/07/14 12:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9e577e55272d37b4\scecli.dll
[2009/07/14 12:41:53 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=398712DDDAEFB85EDF61DF6A07B65C79 -- C:\Windows\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9402d402f2cc75b9\scecli.dll

< %systemroot%\*. /mp /s >

< >

< >
< End of report >



Many thanks.
I suspect that you kind of rock!
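The OTL listing above is easier to triage mechanically than by eye. The following Python is an added example written for this thread, not code from OTL or from anyone posting in it: it parses entries in OTL's `[date | size | attrs | C/M] (company) -- path` format, lists PE-type files under the Windows directory that carry no company name, lists files OTL could not hash, and cross-checks the MD5 sections so that copies of the same driver (DriverStore, WinSxS, the loaded copy) with differing hashes stand out while the legitimately different 32-bit and 64-bit builds of netlogon.dll, scecli.dll and cngaudit.dll do not. The sample lines are copied from the log above except the last one, a constructed atapi.sys entry with an obviously fake hash that exists only to exercise the mismatch check.

```python
"""Triage helpers for OTL file listings (added example; not OTL's own code)."""
import re
from collections import defaultdict

# One OTL file entry has the shape
#   [date time | size | attrs | C/M] (company) [MD5=...|Unable to obtain MD5] -- path
# attrs are four flag positions: R(ead-only) H(idden) S(ystem) D(irectory), '-' when unset.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[R-][H-][S-][D-]) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\)"
    r"(?: MD5=(?P<md5>[0-9A-Fa-f]{32}))?(?P<locked> Unable to obtain MD5)? -- (?P<path>.+?)\s*$"
)
PE_EXTENSIONS = (".exe", ".sys", ".dll", ".scr", ".cpl", ".ocx", ".drv")

# Lines copied from the OTL log posted above, plus ONE constructed entry at the end
# (all-F hash, not a real file) so that the MD5 cross-check has something to report.
SAMPLE_LISTING = r"""
[2010/03/21 13:27:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/03/23 18:42:36 | 000,017,264 | ---- | M] () -- C:\Windows\SysNative\SsiEfr.exe
[2010/03/23 15:15:11 | 000,380,794 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\HOSTS
[2009/11/06 12:00:28 | 000,031,088 | ---- | C] () -- C:\Windows\SysWow64\wrLZMA.dll
[2010/03/25 18:39:33 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\admin\Desktop\OTL.exe
[2010/03/21 13:08:50 | 3220,008,960 | -HS- | C] () -- C:\hiberfil.sys
[2009/07/14 12:15:13 | 000,346,112 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\SysWOW64\dxtmsft.dll
[2009/07/14 12:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysWow64\DriverStore\FileRepository\mshdc.inf_amd64_neutral_a69a58a4286f0b22\atapi.sys
[2009/07/14 12:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys
[2009/07/14 12:41:52 | 000,692,736 | ---- | M] (Microsoft Corporation) MD5=956D030D375F207B22FB111E06EF9C35 -- C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_59aca8ea51aaeefe\netlogon.dll
[2009/07/14 12:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\SysWOW64\netlogon.dll
[2009/07/14 12:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -- C:\Windows\SysNative\drivers\atapi.sys
"""


def parse_entry(line):
    """Return a dict for one OTL entry, or None for headers and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "size": int(d["size"].replace(",", "")),
        "attrs": set(d["attr"].replace("-", "")),
        "is_dir": "D" in d["attr"],
        "kind": "created" if d["kind"] == "C" else "modified",
        "company": d["company"].strip(),
        "md5": d["md5"].upper() if d["md5"] else None,
        "locked": bool(d["locked"]),
        "path": d["path"],
    }


def parse_listing(text):
    return [e for e in map(parse_entry, text.splitlines()) if e]


def unsigned_pe_in_windows(entries):
    """PE-type files under the Windows directory for which OTL found no company name.
    Not a verdict: legitimate vendor files show up here too (SsiEfr.exe above was
    created together with the Webroot shortcut), but each one needs a look."""
    hits = []
    for e in entries:
        p = e["path"].lower()
        if e["is_dir"] or not p.endswith(PE_EXTENSIONS):
            continue
        if "\\windows\\" in p and not e["company"]:
            hits.append(e["path"])
    return hits


def locked_files(entries):
    """Files OTL could not hash; usually just in use, but worth noting for DLLs."""
    return [e["path"] for e in entries if e["locked"]]


def arch_of(path):
    """Guess x86 vs amd64 from the path so 32- and 64-bit copies are not compared."""
    p = path.lower()
    if "amd64" in p:
        return "amd64"
    if "wow64" in p or "\\x86_" in p:
        return "x86"
    if "\\sysnative\\" in p or "\\system32\\" in p:
        return "amd64"
    return "unknown"


def md5_mismatches(entries):
    """Same file name and architecture but more than one MD5 across the copies OTL
    found (DriverStore, WinSxS, System32). A loaded driver whose hash differs from
    its store copies is the classic sign of a patched driver."""
    hashes = defaultdict(set)
    for e in entries:
        if e["md5"]:
            name = e["path"].rsplit("\\", 1)[-1].lower()
            hashes[(name, arch_of(e["path"]))].add(e["md5"])
    return {key: sorted(v) for key, v in hashes.items() if len(v) > 1}


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    print("no company name:", unsigned_pe_in_windows(entries))
    print("locked:", locked_files(entries))
    print("md5 mismatches:", md5_mismatches(entries))
```

On the real log every MD5 group agrees per architecture, and the no-company hits (SsiEfr.exe, wrLZMA.dll, BWContextHandler.dll, msjetoledb40.dll) call for a manual look rather than a verdict: an empty company field means OTL found no CompanyName in the file's version resource, not that the file is malicious.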

#4 borg2020 (Topic Starter)

Posted 25 March 2010 - 05:45 AM

Hi Elise,
Further to my last post the ESET online scan just finished and this is what it found. G drive BTW is a drive I am trying to recover data from and not the boot hard disk. I note also that all the infections found were in a backup folder that came from another computer and have never been accessed or used on this system.

Below is the ESET log.

Thanks again.

G:\Downloads\Dr Suess Reading Games.iso Win32/Adware.DSSAgent application deleted - quarantined
G:\Downloads\documents and settings\outlook backup\Deleted Items.dbx multiple threats unable to clean
G:\Downloads\documents and settings\outlook backup\Inbox.bak multiple threats unable to clean
G:\Downloads\documents and settings\outlook backup\Inbox.dbx multiple threats unable to clean
G:\Downloads\documents and settings\outlook backup\Mail\Folder3.mbx Win32/Joke.SlipperyMouse.A application unable to clean

#5 Elise (Malware Study Hall Admin)

Posted 25 March 2010 - 05:55 AM

Hello again,

There was no reason for the custom scan you did.
However, I would like to see extra.txt produced by OTL.

The ESET results indicate you have infected email backups. Best would be to go through all email folders and delete anything you are not sure of (unknown senders, suspicious attachments..). If this is only the backup, I'd say just delete it and make a new one.

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


regards, Elise


#6 borg2020 (Topic Starter)

Posted 25 March 2010 - 06:30 AM

Here is the extra.txt you asked for. Sorry for not already providing it.

Already have Malwarebytes installed but it shows nothing. I also did as you indicated below regarding the install as it seemed logical at the time.

OTL Extras logfile created on: 3/25/2010 6:40:05 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\admin\Desktop
64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 46.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 833.85 Gb Total Space | 815.68 Gb Free Space | 97.82% Space Free | Partition Type: NTFS
Drive D: | 97.56 Gb Total Space | 85.58 Gb Free Space | 87.72% Space Free | Partition Type: NTFS
Unable to calculate disk information.
F: Drive not present or media not loaded
Drive G: | 465.76 Gb Total Space | 14.21 Gb Free Space | 3.05% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CGAW
Current User Name: admin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{139D3AA1-B653-477B-9FF8-79CBBD471F77}" = Symantec AntiVirus Win64
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1FCC574F-AFA2-4432-9EF1-79CA7BA73431}_is1" = Webroot AntiVirus with Spy Sweeper
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{3F5B6210-0903-4DC6-8034-8F488AA3A782}" = Spy Sweeper Core
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"ENTERPRISE" = Microsoft Office Enterprise 2007
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/24/2010 3:24:52 AM | Computer Name = cgaw | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Suspicious.MH690 in File: C:\Users\admin\AppData\Local\Temp\Temp2_WebCopier_v3.0.zip\WebCopier3_crack.exe
by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The
file was quarantined successfully.

Error - 3/24/2010 3:24:52 AM | Computer Name = cgaw | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Suspicious.MH690 in File: C:\Users\admin\AppData\Local\Temp\Temp2_WebCopier_v3.0.zip\WebCopier3_crack.exe
by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description:
The file was quarantined successfully.

Error - 3/24/2010 3:24:54 AM | Computer Name = cgaw | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Suspicious.MH690 in File: C:\Users\admin\AppData\Local\Temp\Temp2_WebCopier_v3.0.zip\WebCopier3_crack.exe
by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description:
The file was quarantined successfully.

Error - 3/24/2010 9:30:29 AM | Computer Name = cgaw | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files (x86)\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
attribute "language" in element "assemblyIdentity" is invalid.

Error - 3/24/2010 6:25:41 PM | Computer Name = cgaw | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Infostealer.Lineage in File: >>Default.SFX by: Manual scan.
Action: Clean failed : Delete failed. Action Description: The file was left unchanged.



Error - 3/24/2010 8:40:37 PM | Computer Name = cgaw | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Infostealer.Lineage in File: >>Default.SFX by: Manual scan.
Action: Clean failed : Delete failed. Action Description: The file was left unchanged.



Error - 3/25/2010 2:26:54 AM | Computer Name = cgaw | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Infostealer.Lineage in File: >>Default.SFX by: Manual scan.
Action: Clean failed : Delete failed. Action Description: The file was left unchanged.



Error - 3/25/2010 2:31:01 AM | Computer Name = cgaw | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Infostealer.Lineage in File: >>Default.SFX by: Manual scan.
Action: Clean failed : Delete failed. Action Description: The file was left unchanged.



Error - 3/25/2010 2:36:09 AM | Computer Name = cgaw | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Infostealer.Lineage in File: >>Default.SFX by: Manual scan.
Action: Clean failed : Delete failed. Action Description: The file was left unchanged.



Error - 3/25/2010 2:37:15 AM | Computer Name = cgaw | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Infostealer.Lineage in File: >>Default.SFX by: Manual scan.
Action: Clean failed : Delete failed. Action Description: The file was left unchanged.



[ System Events ]
Error - 3/23/2010 6:57:01 PM | Computer Name = cgaw | Source = DCOM | ID = 10005
Description =

Error - 3/23/2010 6:57:02 PM | Computer Name = cgaw | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/23/2010 6:57:02 PM | Computer Name = cgaw | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/23/2010 6:57:02 PM | Computer Name = cgaw | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/23/2010 6:57:02 PM | Computer Name = cgaw | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/23/2010 6:57:02 PM | Computer Name = cgaw | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/23/2010 6:57:02 PM | Computer Name = cgaw | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/23/2010 6:57:11 PM | Computer Name = cgaw | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/23/2010 6:58:59 PM | Computer Name = cgaw | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/23/2010 8:44:43 PM | Computer Name = cgaw | Source = Microsoft-Windows-DNS-Client | ID = 1012
Description = There was an error while attempting to read the local hosts file.


< End of report >


#7 borg2020

borg2020
  • Topic Starter

  • Members
  • 18 posts

Posted 25 March 2010 - 06:35 AM

Here is the extra.txt you asked for. Sorry for not already providing it.

Already have Malwarebytes installed but it shows nothing. I also did as you indicated below regarding the install as it seemed logical at the time.

OTL Extras logfile created on: 3/25/2010 6:40:05 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\admin\Desktop
64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 46.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 833.85 Gb Total Space | 815.68 Gb Free Space | 97.82% Space Free | Partition Type: NTFS
Drive D: | 97.56 Gb Total Space | 85.58 Gb Free Space | 87.72% Space Free | Partition Type: NTFS
Unable to calculate disk information.
F: Drive not present or media not loaded
Drive G: | 465.76 Gb Total Space | 14.21 Gb Free Space | 3.05% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CGAW
Current User Name: admin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{139D3AA1-B653-477B-9FF8-79CBBD471F77}" = Symantec AntiVirus Win64
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1FCC574F-AFA2-4432-9EF1-79CA7BA73431}_is1" = Webroot AntiVirus with Spy Sweeper
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{3F5B6210-0903-4DC6-8034-8F488AA3A782}" = Spy Sweeper Core
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"ENTERPRISE" = Microsoft Office Enterprise 2007
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/24/2010 3:24:52 AM | Computer Name = cgaw | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Suspicious.MH690 in File: C:\Users\admin\AppData\Local\Temp\Temp2_WebCopier_v3.0.zip\WebCopier3_crack.exe
by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The
file was quarantined successfully.

Error - 3/24/2010 3:24:52 AM | Computer Name = cgaw | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Suspicious.MH690 in File: C:\Users\admin\AppData\Local\Temp\Temp2_WebCopier_v3.0.zip\WebCopier3_crack.exe
by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description:
The file was quarantined successfully.

Error - 3/24/2010 3:24:54 AM | Computer Name = cgaw | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Suspicious.MH690 in File: C:\Users\admin\AppData\Local\Temp\Temp2_WebCopier_v3.0.zip\WebCopier3_crack.exe
by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description:
The file was quarantined successfully.

Error - 3/24/2010 9:30:29 AM | Computer Name = cgaw | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files (x86)\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
attribute "language" in element "assemblyIdentity" is invalid.

Error - 3/24/2010 6:25:41 PM | Computer Name = cgaw | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Infostealer.Lineage in File: >>Default.SFX by: Manual scan.
Action: Clean failed : Delete failed. Action Description: The file was left unchanged.



Error - 3/24/2010 8:40:37 PM | Computer Name = cgaw | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Infostealer.Lineage in File: >>Default.SFX by: Manual scan.
Action: Clean failed : Delete failed. Action Description: The file was left unchanged.



Error - 3/25/2010 2:26:54 AM | Computer Name = cgaw | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Infostealer.Lineage in File: >>Default.SFX by: Manual scan.
Action: Clean failed : Delete failed. Action Description: The file was left unchanged.



Error - 3/25/2010 2:31:01 AM | Computer Name = cgaw | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Infostealer.Lineage in File: >>Default.SFX by: Manual scan.
Action: Clean failed : Delete failed. Action Description: The file was left unchanged.



Error - 3/25/2010 2:36:09 AM | Computer Name = cgaw | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Infostealer.Lineage in File: >>Default.SFX by: Manual scan.
Action: Clean failed : Delete failed. Action Description: The file was left unchanged.



Error - 3/25/2010 2:37:15 AM | Computer Name = cgaw | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Infostealer.Lineage in File: >>Default.SFX by: Manual scan.
Action: Clean failed : Delete failed. Action Description: The file was left unchanged.



[ System Events ]
Error - 3/23/2010 6:57:01 PM | Computer Name = cgaw | Source = DCOM | ID = 10005
Description =

Error - 3/23/2010 6:57:02 PM | Computer Name = cgaw | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/23/2010 6:57:02 PM | Computer Name = cgaw | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/23/2010 6:57:02 PM | Computer Name = cgaw | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/23/2010 6:57:02 PM | Computer Name = cgaw | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/23/2010 6:57:02 PM | Computer Name = cgaw | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/23/2010 6:57:02 PM | Computer Name = cgaw | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/23/2010 6:57:11 PM | Computer Name = cgaw | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/23/2010 6:58:59 PM | Computer Name = cgaw | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/23/2010 8:44:43 PM | Computer Name = cgaw | Source = Microsoft-Windows-DNS-Client | ID = 1012
Description = There was an error while attempting to read the local hosts file.


< End of report >


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • Gender:Female
  • Location:Romania

Posted 25 March 2010 - 12:16 PM

Hello, things look quite good to me. Please let me know what issues you are still having.

TWO ANTIVIRUS PROGRAMS
---------------------------------------
I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove in the Control Panel and remove either Webroot or Symantec.


OTL FIX
------------
We need to run an OTL Fix
  1. Please reopen OTL on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :otl
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1

    :commands
    [emptytemp]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 borg2020

borg2020
  • Topic Starter

  • Members
  • 18 posts

Posted 25 March 2010 - 05:45 PM

Hello,
I have run the OTL fix as requested. Here is the log.

========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.

OTL by OldTimer - Version 3.1.37.3 log created on 03262010_091931

The original infection was a rootkit virus and did take control of the system, which at the time was XP. I took some pretty drastic action, including buying new drives, installing Windows 7 and taking the other RAID storage disks offline. The G drive below was one of the storage drives. I disabled autoplay after the new system was built and mounted the G drive to start cleaning it. I then somehow got the main system infected again, though it seems to be clear now. I still have one of the RAID drives offline that has critical data on it.
What is the safest way to bring it online and clean it so I can back up that data before reformatting?
Also, I note in the logs below there are a number of entries like
"Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Are these safe to delete?

My big concern is that the last drive that is still offline was infected with a rootkit virus (and probably still is) and I don't want it to infect the apparently clean current system, but I still need to back up the data. I can mount it either as RAID or USB external if there is a preference.
It is also worth noting that I can take one of the mirrored main system drives offline before doing it, so there would be a fallback position if the worst does happen.

And my final question (I do go on a bit, don't I ;-) is:
As Symantec and Spybot Search and Destroy let this original rootkit virus in, probably via Internet Explorer 7, and were both completely disabled in the first 2 minutes, and Webroot is absolutely useless (it missed the virus and also their support is non-existent, so I uninstalled it), what virus scanner / firewall do you recommend that actually works with Windows 7? (Symantec 2010 Corporate is 64-bit and works, but is not truly compatible.)
I don't know if it is relevant, but Malwarebytes was unable to see the Infostealer virus in a self-exploding zip file where the virus was stored 5 layers deep in compression. Symantec could see it but could not clean it or tell me where it was. I found it the hard way in the end.

Many thanks again,

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • Gender:Female
  • Location:Romania

Posted 26 March 2010 - 04:47 AM

QUOTE
Also, I note in the logs below there are a number of entries like
"Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Are these safe to delete?
No, please do not delete those, unless you wish to mess up your file associations.

QUOTE
And my final question (I do go on a bit, don't I ;-) is:
As Symantec and Spybot Search and Destroy let this original rootkit virus in, probably via Internet Explorer 7, and were both completely disabled in the first 2 minutes, and Webroot is absolutely useless (it missed the virus and also their support is non-existent, so I uninstalled it), what virus scanner / firewall do you recommend that actually works with Windows 7? (Symantec 2010 Corporate is 64-bit and works, but is not truly compatible.)
I usually recommend Avast, Avira Antivir or Microsoft Security Essentials. All three are free and have good detection rates.
But keep in mind that the latest malware constantly develops techniques to bypass existing security applications. Best is to avoid getting infected in the first place.
As for the archive bomb you mentioned: it is always a good idea NOT to extract stuff you do not trust/know (i.e. from doubtful sources).

QUOTE
My big concern is that the last drive that is still offline was infected with a rootkit virus (and probably still is) and I don't want it to infect the apparently clean current system, but I still need to back up the data. I can mount it either as RAID or USB external if there is a preference.
Do you know what rootkit this was?
Best is to use USB and to use Flash_Disinfector, this will turn off autorun and clean any found infections that are known to spread to other drives. You still have to scan it (you can do it for example with an MBAM full scan).

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder; it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

regards, Elise


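An added example (my own Python, not code from this thread or from Flash_Disinfector) of the check the note above describes: classify what sits at each drive root as clean, guarded (a folder named autorun.inf), or a real autorun.inf file, whose open= / shellexecute= lines show what autorun would have launched, and place the protective folder where that is safe. The drive roots, the sample autorun.inf and the function names are all constructed for the example.

```python
"""Triage autorun.inf at drive roots and place the protective folder.

Added example, not code from this thread or from Flash_Disinfector. It
demonstrates the mechanism described in the note above: a folder named
autorun.inf at the root of a drive keeps malware from writing an autorun.inf
file there. The drive roots used here are constructed temp directories.
"""
import configparser
import sys
import tempfile
from pathlib import Path

# Win32 file attribute bits accepted by SetFileAttributesW.
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04


def assess_root(root):
    """Classify what sits at <root>/autorun.inf.

    'clean'   - nothing named autorun.inf
    'guarded' - a folder named autorun.inf (the protective trick is in place)
    'autorun' - a regular autorun.inf file, which deserves a look before use
    """
    target = Path(root) / "autorun.inf"
    if not target.exists():
        return "clean"
    return "guarded" if target.is_dir() else "autorun"


def launch_targets(inf_path):
    """Return the open= / shellexecute= values of an autorun.inf, i.e. what
    Windows autorun would have launched. Unparsable files give []."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(Path(inf_path).read_text(errors="replace"))
    except configparser.Error:
        return []
    found = []
    for section in parser.sections():
        if section.lower() != "autorun":       # section names keep their case
            continue
        for key in ("open", "shellexecute"):   # option names are lower-cased
            if parser.has_option(section, key):
                found.append(parser.get(section, key).strip())
    return found


def place_guard(root):
    """Create the protective autorun.inf folder at <root>, hidden+system on
    Windows. An existing autorun.inf file is left alone (reported for review
    instead of silently replaced). Returns the classification afterwards."""
    if assess_root(root) == "autorun":
        return "autorun"
    guard = Path(root) / "autorun.inf"
    guard.mkdir(exist_ok=True)
    if sys.platform == "win32":
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(
            str(guard), FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
    return assess_root(root)


def demo():
    """Run the triage over three constructed 'drive roots' and return the
    per-root findings: state before, autorun targets found, state after."""
    base = Path(tempfile.mkdtemp(prefix="autorun_demo_"))
    (base / "D").mkdir()                          # clean drive
    (base / "G").mkdir()                          # drive with a dropped autorun.inf
    (base / "G" / "autorun.inf").write_text(      # constructed sample file
        "[AutoRun]\nopen=setup.exe\nshellexecute=setup.exe\nicon=setup.exe,0\n")
    (base / "H").mkdir()                          # drive already guarded
    (base / "H" / "autorun.inf").mkdir()
    findings = {}
    for name in ("D", "G", "H"):
        root = base / name
        before = assess_root(root)
        targets = launch_targets(root / "autorun.inf") if before == "autorun" else []
        findings[name] = {"before": before, "targets": targets, "after": place_guard(root)}
    return findings


if __name__ == "__main__":
    for drive, info in demo().items():
        print(f"{drive}: before={info['before']} targets={info['targets']} after={info['after']}")
```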


#11 borg2020

borg2020
  • Topic Starter

  • Members
  • 18 posts

Posted 26 March 2010 - 08:14 PM

Hi, I believe the infection was a variant of the Hacktool.Rootkit virus.
I will follow your other instructions and, unless you tell me otherwise in 12 hours, I will commence RAID isolation in case the worst happens and mount the remaining storage via USB using Flash_Disinfector.
Do you have a firewall recommendation?
Oh, and just a side note for anyone that ever reads this post: Elise still rocks, and having a mirrored RAID system gives you so many more options when fighting something like this.

Many thanks again in advance.


#12 borg2020

borg2020
  • Topic Starter

  • Members
  • 18 posts

Posted 26 March 2010 - 09:38 PM

Hi Elise,
Further to the above, I just ran Flash_Disinfector and got the following. Symantec picks up multiple infections. I assume a false positive? Please see attached screenpop.

Thanks again

Attached Files



#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • Gender:Female
  • Location:Romania

Posted 27 March 2010 - 04:40 AM

I don't like the look of that. That definitely looks like a threat, and not a false positive, to me.

To make sure things are not getting re-infected, I would like to have a deeper scan. Since this is a 64-bit system, we don't have as many options as with normal x86 systems. That's why I would like to see a scan from a PE environment.

OK, this file is big. Print these instructions out so that you know what you are doing.

Two programs to download

First

ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on in it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Use Safelist
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

regards, Elise




#14 borg2020

borg2020
  • Topic Starter

  • Members
  • 18 posts

Posted 27 March 2010 - 11:42 PM

Hi Elise, I am doing that now, should have an answer soon.
Thanks.

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • Gender:Female
  • Location:Romania

Posted 28 March 2010 - 02:36 AM

Okay, I'll wait for that.

regards, Elise






