Unprompted Reboot After Freeze


  • This topic is locked
17 replies to this topic

#1 Commie

  • Members
  • 30 posts
  • Gender:Male

Posted 25 March 2010 - 10:43 PM

Hello,

I ran an executable and saw no feedback of it running. An hour or so later, my computer froze and rebooted on its own. Not sure if it is malware related but I want to check just in case.

Thanks,
Commie

Attached Files

#2 Ltangelic

    Angel Annihilator of Malware

  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere

Posted 29 March 2010 - 09:03 PM

Hey Commie,

Welcome to Bleepingcomputer! I'm Ltangelic and I'll be helping you fix your computer problem.

Before we proceed, here are some things that you can take note of so that the cleaning up process will be more smooth and efficient. Do not worry, the points below are not any form of rules, it's just a few pointers that can ensure that you will get the best help from me.
  • To ensure that you are informed of the latest replies to your thread, you may like to right click on Options at the top right hand corner of this page and select "Subscribe to this forum". That way, you will be notified via email when a reply is posted to your thread.
  • If you have any doubts or uncertainty about any part of my instructions, feel free to post on here and ask me about them.
  • Please do NOT attempt to run any tools or do any fixing on your own unless I tell you to; this will avoid any confusion that can occur during the cleaning process. Furthermore, fixing malware problems without sufficient knowledge can be dangerous at times and you can mess up your own computer without knowing.
  • Please do not PM me for malware removal assistance; any request for malware removal assistance should be posted in this thread only. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send a message to me on here. ;)
  • Please do not start multiple topics (especially when you are already being assisted by an authorised staff member). All staff are volunteers on here; starting multiple topics will waste the limited manpower we have here at Bleepingcomputer and this can further hinder our ability to assist other users. Please be considerate and stick to one thread.

I'm looking at your log now and will be back with a fix soon. Thanks for your patience and understanding.

Bleepingcomputer Malware Response Team

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#3 Ltangelic

    Angel Annihilator of Malware

  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere

Posted 30 March 2010 - 09:14 AM

Hey Commie,

From your log(s), you do not seem to have active anti-virus resident protection running. This is extremely dangerous as your computer is vulnerable to all kinds of infections. Before we go on to clean up your computer, please go to the links provided below, and download and install ONE of the anti-virus programs.

Avira Antivir (recommended)
Avast! Home Edition
AVG 9 Free

I don't see much in your log, let's run some scans to diagnose your computer first.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (your installed anti-virus) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following
      netsvcs
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\*.*
      %ProgramFiles%\Movie Maker\*.dll
      %ALLUSERSAPPDATA%\*.dll
      %SYSTEMROOT%\*.tmp
      %PROGRAMFILES%\Internet Explorer\*.dll
      %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
      %systemroot%\system32\*.dll /lockedfiles
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      c:\$recycle.bin\*.* /s
      CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post

2) Run RootRepeal

Download RootRepeal from one of the following locations and save it to your desktop:
  • Double click to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, click the button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post

Next reply (please include in your post):

OTS.txt (attached)
RootRepeal.txt (attached)



#4 Commie
  • Topic Starter

  • Members
  • 30 posts
  • Gender:Male

Posted 30 March 2010 - 01:30 PM

Ltangelic,

I have installed your recommended anti-virus software and attempted to run both scans following your instructions. OTS ran without any problems but I received errors when trying to run RootRepeal. Is it possible RootRepeal does not run under Windows 7? The error log seemed to say I was running Vista SP0, which is not the case. I tried running it in compatibility mode as well but that resulted in more program errors.

I have attached the OTS log and the RootRepeal error logs.

RootRepealError is from the immediate running of the program and RootRepeal_crash is after selecting all the scan options and requesting a scan.

Attached Files



#5 Ltangelic

    Angel Annihilator of Malware

  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere

Posted 31 March 2010 - 04:20 AM

Hey Commie,

Since RootRepeal cannot run, we'll try a different scanner.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Avira anti-virus) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run Malwarebytes Anti-Malware
  • Open Malwarebytes by clicking on its shortcut on desktop. Please click on the "Update" tab and click "Check for Updates".
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

2) Run TFC

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean

3) Run GMER

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Next reply (please include in your post):

New OTS log (re-run OTS with quick scan)
MBAM scan log
GMER.txt



#6 Commie
  • Topic Starter

  • Members
  • 30 posts
  • Gender:Male

Posted 31 March 2010 - 01:08 PM

Ltangelic,

Here are the scans requested. TFC created a couple of desktop.ini files on the desktop after the reboot. Anything specific I should do with these?

Attached Files



#7 Ltangelic

    Angel Annihilator of Malware

  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere

Posted 01 April 2010 - 04:07 AM

Hi Commie,

Please do the following:

Please run the MGA Diagnostic Tool and post back the report it shall produce:
  1. Download MGADiag to your desktop.
  2. Double-click on MGADiag.exe to launch the program
  3. Click "Continue"
  4. Ensure that the "Windows" tab is selected (it should be by default).
  5. Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  6. Paste the MGA Diagnostic Report back here in your next reply.



#8 Commie
  • Topic Starter

  • Members
  • 30 posts
  • Gender:Male

Posted 01 April 2010 - 04:23 AM

Ltangelic,

Here is the report you requested.

Diagnostic Report (1.9.0019.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0

Cached Validation Code: N/A, hr = 0xc004f012
Windows Product Key: *****-*****-HC48X-6YCKJ-K36TH
Windows Product Key Hash: yjxn+f50LLvfLJzp4OpHDGm+NoA=
Windows Product ID: 00371-153-0498077-85879
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7600.2.00010100.0.0.048
ID: {2D2EF1F4-008C-4DA3-B739-AC880F6DE7CE}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000000
Build lab: 7600.win7_gdr.091207-1941
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: 2.0.48.0
OGAExec.exe Signed By: Microsoft
OGAAddin.dll Signed By: Microsoft

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Enterprise 2007 - 100 Genuine
OGA Version: Registered, 2.0.48.0
Signed By: Microsoft
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[hr = 0x80070002]
File Mismatch: C:\Windows\system32\wat\npwatweb.dll[hr = 0x80070002]
File Mismatch: C:\Windows\system32\wat\watux.exe[hr = 0x80070002]
File Mismatch: C:\Windows\system32\wat\watweb.dll[hr = 0x80070002]

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{2D2EF1F4-008C-4DA3-B739-AC880F6DE7CE}</UGUID><Version>1.9.0019.0</Version><OS>6.1.7600.2.00010100.0.0.048</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-K36TH</PKey><PID>00371-153-0498077-85879</PID><PIDType>5</PIDType><SID>S-1-5-21-1538595367-1183330850-3100859344</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>0604 </Version><SMBIOSVersion major="2" minor="5"/><Date>20100304000000.000000+000</Date></BIOS><HWID>A8BA3607018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>5D65FE14D58F586</Val><Hash>BAoDbPc0n8rFHidSDI0n88MWyd0=</Hash><Pid>89388-707-0270147-65625</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7600.16385

Name: Windows® 7, Professional edition
Description: Windows Operating System - Windows® 7, RETAIL channel
Activation ID: e838d943-63ed-4a0b-9fb1-47152908acc9
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00170-153-049807-01-1033-7600.0000-0042010
Installation ID: 020405670995496066465263434172026105592730769792167871
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: K36TH
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 4/1/2010 05:21:07

Windows Activation Technologies-->
HrOffline: N/A
HrOnline: N/A
HealthStatus: N/A
Event Time Stamp: N/A
WAT Activex: Not Registered - 0x80040154
WAT Admin Service: Not Registered - 0x80040154

HWID Data-->
HWID Hash Current: NAAAAAEABAABAAEAAAACAAAAAgABAAEA6GEKYgx34ms4mBAzVPJKDKjAYj3O7jxpvppA6Q==

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC 030410 APIC1635
FACP 030410 FACP1635
HPET 030410 OEMHPET
MCFG 030410 OEMMCFG
OEMB 030410 OEMB1635
SSDT A M I POWERNOW




#9 Ltangelic

    Angel Annihilator of Malware

  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere

Posted 01 April 2010 - 05:21 AM

Hey Commie,

Thank you for posting the log, I don't see major problems in your log. Let's run some scans.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Avira anti-virus) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Optional Removals

From your log, you seem to have uTorrent installed.

uTorrent is not malware, but it is a peer-to-peer (P2P) software that allows you to share files with other computers. While it is not harmful in itself, it can bring about unnecessary security risks to your computer. It is highly recommended that you remove it and refrain from using such software in the future. Please look at the article(s) below:

http://www.microsoft.com/protect/data/down...ilesharing.aspx

Please go to Add or Remove Programs and remove the following (if present):

uTorrent

Then use Windows Explorer and remove the following (if present):

C:\Program Files\uTorrent

Reboot your computer.

2) Run Kaspersky Webscanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 18.
  • Click the "Download JRE" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6u18 with JavaFX 1 License Agreement".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u18-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Make sure the C:\Program Files\JAVA folder is removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u18-windows-i586.exe and select "Run as an Administrator.")

    THEN

    Please do an online scan with Kaspersky WebScanner

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Next reply (please include in your post):

OTS (Re-run OTS with quick scan)
Kaspersky scan log



#10 Commie
  • Topic Starter

  • Members
  • 30 posts
  • Gender:Male

Posted 01 April 2010 - 01:11 PM

Ltangelic,

Unfortunately I could not complete the Kaspersky scan in time before having to leave. I have a long weekend off from school and will not have my computer during that time. I should be back within 4 or 5 days. I appreciate all your help up until this point and will be sure to post the next logs upon my return.

#11 Ltangelic

    Angel Annihilator of Malware

  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere

Posted 02 April 2010 - 07:36 AM

Hi,

No worries, thank you for informing me about your departure.



#12 Ltangelic

    Angel Annihilator of Malware

  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere

Posted 06 April 2010 - 09:17 AM

Hi,

Sincere apologies for the late reply. I will be unavailable from today and a fellow colleague will take over and help you instead. Please be patient in waiting for a reply, thank you.



#13 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 06 April 2010 - 11:07 AM

Hello, Commie
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

I will review the topic now; in the meantime, please tell me how the system is running and run this tool:

  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
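Both this post and Ltangelic's post #3 ask the scan tool to hash a fixed list of boot-critical drivers between /md5start and /md5stop; the reason that step exists is that a rootkit which patches one of those files on disk changes the file's hash, so the reported value can be compared with a known-good one. The Python script below is an added example, not part of the thread and not code from the OTS or OTL tools: it hashes each watched file and compares it with a baseline. The driver names are taken from the scan lists above; the temp directory, the file contents and the baseline are constructed for the demo (in practice the baseline comes from a clean install or vendor-published hashes). It reports MD5 because that is what the tools list, and SHA-256 alongside it because MD5 alone is no longer a reliable integrity check.

```python
"""Hash-check boot-critical driver files against a known-good baseline.

Added example; not from the thread or from the OTS/OTL tools. File names
come from the thread's /md5start lists; everything else is constructed.
"""
import hashlib
import os
import tempfile

# Drivers the helpers ask the tools to hash (subset of the thread's list).
WATCHED_DRIVERS = ["atapi.sys", "iaStor.sys", "nvstor.sys", "AGP440.sys", "eventlog.dll"]


def file_digests(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for one file, read in 64 KiB chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def check_drivers(driver_dir, baseline, names=WATCHED_DRIVERS):
    """Compare each watched driver in driver_dir with the baseline.

    baseline maps file name -> expected SHA-256 hex digest.
    Returns {name: 'ok' | 'MISMATCH' | 'missing' | 'no-baseline'}.
    A MISMATCH is a lead to investigate (patched file or legitimate update),
    'missing' means the file is not where it should be, and 'no-baseline'
    means the result cannot be judged without a reference hash.
    """
    results = {}
    for name in names:
        path = os.path.join(driver_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = file_digests(path)["sha256"]
        expected = baseline.get(name)
        if expected is None:
            results[name] = "no-baseline"
        elif actual == expected:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def build_demo_dir():
    """Create a temp directory of constructed 'driver' files; return (dir, baseline).

    The files and their bytes are made up for the demo. After the baseline is
    taken, atapi.sys is modified to simulate an on-disk patch, and AGP440.sys
    is dropped from the baseline to show the 'no-baseline' case.
    """
    d = tempfile.mkdtemp(prefix="driverdemo_")
    contents = {
        "atapi.sys": b"MZ constructed atapi driver bytes",
        "iaStor.sys": b"MZ constructed iastor driver bytes",
        "nvstor.sys": b"MZ constructed nvstor driver bytes",
        "AGP440.sys": b"MZ constructed agp440 driver bytes",
        # eventlog.dll deliberately not written -> reported as 'missing'
    }
    for name, data in contents.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    # Snapshot the "clean" state as the baseline.
    baseline = {name: file_digests(os.path.join(d, name))["sha256"] for name in contents}
    # Simulate a later on-disk modification of atapi.sys.
    with open(os.path.join(d, "atapi.sys"), "ab") as fh:
        fh.write(b" <modified>")
    del baseline["AGP440.sys"]
    return d, baseline


if __name__ == "__main__":
    demo_dir, demo_baseline = build_demo_dir()
    for driver, status in check_drivers(demo_dir, demo_baseline).items():
        print(f"{driver:14s} {status}")
```

Run as-is it prints one status per watched driver from the constructed directory; point `check_drivers` at a real `%systemroot%\system32\drivers` folder and a baseline you trust to use it for real. A hash mismatch on its own only says the file differs from the reference: a legitimate Windows update changes these files too, so the next step is to check the file's version and signature, not to delete it.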
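Once OTL.txt comes back, the helper reads through hundreds of `PRC - [...]`, `MOD - [...]` and `SRV - [...]` lines (the format is visible in the OTL log posted in the next reply). The following Python code is an added example, not from the thread and not code from OTL or OTS: a parser for that line shape plus three of the heuristics a helper applies while reading, an empty publisher field, hidden/system file attributes, and a binary running from a user-writable location. `SAMPLE_LOG`, the user name `demo` and the `updater.exe` entry are constructed for the demo, modelled on the real lines; anything it flags is a lead to verify, not a verdict.

```python
"""Parse and triage PRC/MOD/SRV lines from an OTL or OTS report.

Added example, not code from the thread or from the OTL/OTS tools.
SAMPLE_LOG below is constructed to match the line format seen in the thread.
"""
import re

# KIND - [date time | size | attrs | M] (Company) [state] -- path -- (ServiceName)
LINE_RE = re.compile(
    r"^(?P<kind>[A-Z]{3}) - \["
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| [MC]\] "
    r"\((?P<company>[^)]*)\)"
    r"(?: \[(?P<state>[^\]]*)\])?"     # services carry e.g. [Auto | Running]
    r" -- (?P<path>.+?)"
    r"(?: -- \((?P<name>[^)]*)\))?$"  # trailing service name, if any
)

# Folders a user account (and therefore anything running as it) can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\recycler\\", "\\$recycle.bin\\")


def parse_line(line):
    """Return a dict for one PRC/MOD/SRV/DRV line, or None for any other line."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"].replace(",", ""))
    return entry


def flags_for(entry):
    """Reasons a helper would look twice at an entry; empty list for a normal one."""
    flags = []
    if not entry["company"]:
        flags.append("no publisher")            # empty () field in the report
    if "H" in entry["attrs"] or "S" in entry["attrs"]:
        flags.append("hidden/system attributes")
    lowered = entry["path"].lower()
    if any(marker in lowered for marker in USER_WRITABLE):
        flags.append("user-writable location")
    return flags


def triage(report_text):
    """Parse a whole report and return only the entries that raised a flag."""
    suspicious = []
    for line in report_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        flags = flags_for(entry)
        if flags:
            entry["flags"] = flags
            suspicious.append(entry)
    return suspicious


# Constructed sample in the OTL line format (not the thread's real log).
SAMPLE_LOG = r"""
========== Processes (SafeList) ==========

PRC - [2010/04/06 23:43:15 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\demo\Desktop\OTL.exe
PRC - [2010/02/16 19:23:20 | 000,095,232 | ---- | M] () -- C:\Program Files\Pandora\Pandora\Pandora.exe
PRC - [2009/03/05 17:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2010/04/06 20:01:02 | 000,048,128 | -HS- | M] () -- C:\Users\demo\AppData\Local\Temp\updater.exe

========== Win32 Services (SafeList) ==========

SRV - [2010/03/16 15:36:32 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['kind']} {e['path']}\n    {', '.join(e['flags'])}")
```

On the sample it flags Pandora.exe (no publisher), TeaTimer.exe (hidden/system attributes, which is normal for that program) and the constructed updater.exe (all three). That is the point of the heuristics: they narrow a long log to a handful of lines for a human to check against file version, signature and known-good lists, which is also why the thread's helpers say not to act on a scanner's entries without advice.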

#14 Commie
  • Topic Starter

  • Members
  • 30 posts
  • Gender:Male

Posted 06 April 2010 - 10:50 PM

Hello schrauber,

Everything seems to be running fine now. I haven't had any issues beyond the one reboot and I'm beginning to think it was just a hiccup.

The OTL scanner only produced one log, the open one, and I saw nothing minimized or saved for the second log. Not sure why that is but here is the log that came up.


OTL logfile created on: 4/6/2010 23:43:35 - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Users\Kyle\Desktop
An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 59.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.66 Gb Total Space | 190.01 Gb Free Space | 40.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 609.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 295.22 Gb Total Space | 30.14 Gb Free Space | 10.21% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: COM3
Current User Name: Kyle
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/06 23:43:15 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Kyle\Desktop\OTL.exe
PRC - [2010/04/01 15:47:23 | 000,121,520 | ---- | M] (dotSyntax, LLC) -- C:\Program Files\Digsby\lib\digsby-app.exe
PRC - [2010/03/23 18:24:03 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/16 15:36:32 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/10 09:44:58 | 000,926,720 | ---- | M] (IVT Corporation) -- C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
PRC - [2010/03/09 16:57:36 | 000,143,467 | ---- | M] (IVT Corporation) -- C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
PRC - [2010/03/08 14:16:48 | 000,319,574 | ---- | M] (IVT Corporation) -- C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
PRC - [2010/03/08 14:14:42 | 000,102,503 | ---- | M] (IVT Corporation) -- C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
PRC - [2010/03/03 00:12:32 | 000,372,736 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2010/03/03 00:11:58 | 000,172,032 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2010/03/02 10:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/02/24 09:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/02/19 01:39:53 | 001,682,944 | ---- | M] (Curse) -- C:\Users\Kyle\AppData\Local\Apps\2.0\6WKNKWCJ.74O\BT8C630L.X0N\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\CurseClient.exe
PRC - [2010/02/16 19:23:20 | 000,095,232 | ---- | M] () -- C:\Program Files\Pandora\Pandora\Pandora.exe
PRC - [2010/01/26 14:46:14 | 000,939,272 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
PRC - [2010/01/26 14:46:14 | 000,066,824 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2010/01/07 16:07:10 | 000,236,368 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/01/07 15:38:08 | 000,158,448 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2009/10/31 01:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/09/22 15:57:50 | 000,163,840 | ---- | M] () -- C:\Program Files\Razer\DeathAdder\razerhid.exe
PRC - [2009/08/28 18:43:14 | 001,486,848 | R--- | M] (VIA) -- C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
PRC - [2009/07/13 21:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/13 21:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2009/07/13 21:14:12 | 000,100,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\audiodg.exe
PRC - [2009/03/05 17:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/26 16:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/03/11 16:13:08 | 000,788,332 | ---- | M] () -- C:\Program Files\Digsby\lib\aspell\bin\aspell.exe
PRC - [2007/12/19 11:58:24 | 000,163,840 | ---- | M] (Razer Inc.) -- C:\Program Files\Razer\DeathAdder\razerofa.exe
PRC - [2007/01/11 05:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
PRC - [2006/11/24 15:24:16 | 000,143,360 | ---- | M] () -- C:\Program Files\Razer\DeathAdder\razertra.exe


========== Modules (SafeList) ==========

MOD - [2010/04/06 23:43:15 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Kyle\Desktop\OTL.exe
MOD - [2009/07/13 21:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 21:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 21:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/13 21:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 21:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/13 21:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 21:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 21:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 21:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 21:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/13 21:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/16 15:36:32 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/03/10 09:44:58 | 000,926,720 | ---- | M] (IVT Corporation) [Auto | Running] -- C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe -- (BlueSoleilCS)
SRV - [2010/03/09 16:57:36 | 000,143,467 | ---- | M] (IVT Corporation) [Auto | Running] -- C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe -- (BsMobileCS)
SRV - [2010/03/08 14:14:42 | 000,102,503 | ---- | M] (IVT Corporation) [On_Demand | Running] -- C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe -- (BsHelpCS)
SRV - [2010/03/03 00:11:58 | 000,172,032 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2010/02/24 09:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/01/26 14:46:16 | 001,033,480 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe -- (PDEngine)
SRV - [2010/01/26 14:46:14 | 000,939,272 | ---- | M] (Raxco Software, Inc.) [Auto | Running] -- C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe -- (PDAgent)
SRV - [2010/01/20 03:47:07 | 000,326,792 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/01/07 16:07:10 | 000,236,368 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/01/07 15:38:18 | 000,447,216 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/01/07 15:38:08 | 005,950,704 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2009/12/11 19:47:44 | 000,036,352 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\OpenVPN\bin\openvpnserv.exe -- (OpenVPNService)
SRV - [2009/07/16 16:43:18 | 001,803,592 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2009/07/16 16:43:18 | 000,320,840 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2009/07/13 21:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 21:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 21:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 21:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 21:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 21:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/13 21:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 21:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 21:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 21:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 21:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 21:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 21:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 21:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 21:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 21:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 21:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/13 21:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 21:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/01/26 16:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/09/08 07:59:00 | 000,575,488 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2008/08/29 16:20:56 | 000,935,208 | ---- | M] (Nero AG) [Disabled | Stopped] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2007/01/11 05:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7E 91 8F 07 DC 9B CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {cc85cd4e-5a5b-4eda-a25c-bdaffa93b406}:0.4.5
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.9

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/23 18:24:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/23 18:24:03 | 000,000,000 | ---D | M]

[2010/01/05 01:30:04 | 000,000,000 | ---D | M] -- C:\Users\Kyle\AppData\Roaming\Mozilla\Extensions
[2010/04/06 23:13:01 | 000,000,000 | ---D | M] -- C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\uujp9eph.default\extensions
[2010/02/10 16:12:29 | 000,000,000 | ---D | M] (Google Redesigned) -- C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\uujp9eph.default\extensions\{cc85cd4e-5a5b-4eda-a25c-bdaffa93b406}
[2010/01/07 14:42:14 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\uujp9eph.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/03/27 02:36:52 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\uujp9eph.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/04/01 06:45:07 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/01/14 07:46:21 | 000,373,541 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 12871 more lines...
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BtTray] C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe (IVT Corporation)
O4 - HKLM..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe ()
O4 - HKLM..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [Zune Launcher] c:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Users\Kyle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip ()
O4 - Startup: C:\Users\Kyle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pandora.lnk = C:\Program Files\Pandora\Pandora\Pandora.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 95
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 4.0.0.53 198.22.176.10 209.244.0.53 208.67.222.222
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Windows\System32\skype4com.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2003/08/11 18:57:38 | 000,000,209 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{6ebc8648-127e-11df-85aa-005056c00008}\Shell - "" = AutoRun
O33 - MountPoints2\{6ebc8648-127e-11df-85aa-005056c00008}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\AutoRunCD.exe -- File not found
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\autorun.exe -- File not found
O34 - HKLM BootExecute: (PDBoot.exe) - C:\Windows\System32\PDBoot.exe (Raxco Software, Inc.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2009/07/13 22:37:08 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[2010/04/06 23:43:14 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Users\Kyle\Desktop\OTL.exe
[2010/04/06 23:13:39 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Games
[2010/04/06 22:58:49 | 000,073,728 | ---- | C] (Razer Inc.) -- C:\Windows\System32\DeathAdder.cpl
[2010/04/06 22:58:28 | 000,000,000 | ---D | C] -- C:\Users\Kyle\AppData\Roaming\InstallShield
[2010/04/01 06:45:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/01 06:45:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/04/01 06:45:14 | 000,000,000 | ---D | C] -- C:\Program Files\Sun
[2010/04/01 06:41:01 | 000,000,000 | ---D | C] -- C:\Users\Kyle\.SunDownloadManager
[2010/04/01 05:21:25 | 000,000,000 | ---D | C] -- C:\MGADiagToolOutput
[2010/03/31 15:47:43 | 000,000,000 | ---D | C] -- C:\Windows\AsDmiHtm
[2010/03/31 15:39:46 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI
[2010/03/31 15:34:49 | 000,000,000 | ---D | C] -- C:\ATI
[2010/03/31 13:42:08 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Users\Kyle\Desktop\TFC.exe
[2010/03/30 14:06:18 | 000,637,440 | ---- | C] (OldTimer Tools) -- C:\Users\Kyle\Desktop\OTS.exe
[2010/03/30 14:04:08 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys
[2010/03/30 14:04:07 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2010/03/30 14:04:07 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2010/03/30 14:04:07 | 000,051,992 | ---- | C] (AVIRA GmbH) -- C:\Windows\System32\drivers\avgntdd.sys
[2010/03/30 14:04:07 | 000,017,016 | ---- | C] (AVIRA GmbH) -- C:\Windows\System32\drivers\avgntmgr.sys
[2010/03/30 14:04:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
[2010/03/30 14:04:07 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/03/29 08:18:54 | 000,000,000 | ---D | C] -- C:\Users\Kyle\Documents\Bluetooth
[2010/03/29 08:04:51 | 000,000,000 | ---D | C] -- C:\Users\Kyle\AppData\Local\bluesoleil
[2010/03/28 15:04:02 | 000,000,000 | ---D | C] -- C:\Program Files\IVT Corporation
[2010/03/28 15:03:40 | 000,090,624 | ---- | C] (Nokia) -- C:\Windows\System32\nmwcdcls.dll
[2010/03/28 15:03:40 | 000,000,000 | ---D | C] -- C:\Program Files\Nokia
[2010/03/28 15:03:38 | 000,000,000 | ---D | C] -- C:\Program Files\DIFX
[2010/03/28 15:03:37 | 000,018,816 | ---- | C] (Nokia) -- C:\Windows\System32\drivers\pccsmcfd.sys
[2010/03/28 15:03:30 | 000,000,000 | ---D | C] -- C:\Program Files\PC Connectivity Solution
[2010/03/28 15:03:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Installations
[2010/03/25 20:26:33 | 000,000,000 | ---D | C] -- C:\Program Files\Activision
[2010/01/05 01:44:48 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\Kyle\AppData\Roaming\pcouffin.sys
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/06 23:43:45 | 005,767,168 | -HS- | M] () -- C:\Users\Kyle\NTUSER.DAT
[2010/04/06 23:43:15 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Kyle\Desktop\OTL.exe
[2010/04/06 23:14:40 | 000,002,028 | ---- | M] () -- C:\Users\Public\Desktop\Halo.lnk
[2010/04/06 23:07:24 | 000,020,304 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/06 23:07:24 | 000,020,304 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/06 23:04:34 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/06 23:04:34 | 000,615,122 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/04/06 23:04:34 | 000,103,496 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/04/06 23:00:13 | 000,001,204 | ---- | M] () -- C:\Windows\System32\bscs.ini
[2010/04/06 23:00:12 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/06 23:00:09 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/06 23:00:07 | 2616,594,432 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/06 22:59:24 | 003,138,359 | -H-- | M] () -- C:\Users\Kyle\AppData\Local\IconCache.db
[2010/04/06 22:44:47 | 000,524,288 | -HS- | M] () -- C:\Users\Kyle\NTUSER.DAT{184f9d0c-41ef-11df-ba06-90e6bacd2bb2}.TMContainer00000000000000000002.regtrans-ms
[2010/04/06 22:44:47 | 000,524,288 | -HS- | M] () -- C:\Users\Kyle\NTUSER.DAT{184f9d0c-41ef-11df-ba06-90e6bacd2bb2}.TMContainer00000000000000000001.regtrans-ms
[2010/04/06 22:44:47 | 000,065,536 | -HS- | M] () -- C:\Users\Kyle\NTUSER.DAT{184f9d0c-41ef-11df-ba06-90e6bacd2bb2}.TM.blf
[2010/03/31 15:46:07 | 000,001,769 | ---- | M] () -- C:\Windows\Language_trs.ini
[2010/03/31 15:45:07 | 000,033,643 | ---- | M] () -- C:\Windows\Ascd_tmp.ini
[2010/03/31 14:41:32 | 000,057,053 | ---- | M] () -- C:\Users\Kyle\.ems.cfg
[2010/03/31 14:38:27 | 000,004,378 | ---- | M] () -- C:\Users\Kyle\client.ovpn
[2010/03/31 14:38:19 | 000,002,818 | ---- | M] () -- C:\Users\Kyle\ca.crt
[2010/03/31 14:38:19 | 000,001,419 | ---- | M] () -- C:\Users\Kyle\server.crt
[2010/03/31 14:38:19 | 000,001,419 | ---- | M] () -- C:\Users\Kyle\client.crt
[2010/03/31 14:38:19 | 000,000,887 | ---- | M] () -- C:\Users\Kyle\client.key
[2010/03/31 13:42:09 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Users\Kyle\Desktop\TFC.exe
[2010/03/30 14:06:19 | 000,637,440 | ---- | M] (OldTimer Tools) -- C:\Users\Kyle\Desktop\OTS.exe
[2010/03/30 14:04:13 | 000,002,027 | ---- | M] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk
[2010/03/29 08:23:22 | 000,000,123 | ---- | M] () -- C:\Windows\System32\REMOTEDEVICE.INI
[2010/03/29 08:23:11 | 000,001,680 | ---- | M] () -- C:\Windows\System32\SHORTCUT.INI
[2010/03/29 08:18:54 | 000,006,504 | ---- | M] () -- C:\Windows\System32\LOCALSERVICE.INI
[2010/03/29 08:18:54 | 000,000,096 | ---- | M] () -- C:\Windows\System32\LOCALDEVICE.INI
[2010/03/28 15:04:51 | 000,000,032 | ---- | M] () -- C:\Windows\0
[2010/03/28 15:04:47 | 000,000,000 | ---- | M] () -- C:\Windows\System32\BSPRINT.INI
[2010/03/28 15:04:08 | 000,002,000 | ---- | M] () -- C:\Users\Public\Desktop\Bluetooth Places.lnk
[2010/03/28 15:03:58 | 000,000,000 | ---- | M] () -- C:\Windows\System32\0
[2010/03/26 21:06:55 | 000,036,640 | ---- | M] () -- C:\Users\Kyle\Documents\03.26.2010.pcr
[2010/03/26 14:08:05 | 000,000,980 | ---- | M] () -- C:\Users\Kyle\Desktop\SocksCap V2.lnk
[2010/03/25 23:18:46 | 000,000,020 | ---- | M] () -- C:\Users\Kyle\defogger_reenable
[2010/03/25 20:55:09 | 000,001,162 | ---- | M] () -- C:\Users\Public\Desktop\Call of Duty Modern Warfare 2 SP.lnk
[2010/03/25 20:55:09 | 000,001,162 | ---- | M] () -- C:\Users\Public\Desktop\Call of Duty Modern Warfare 2 MP.lnk
[2010/03/24 20:55:20 | 000,001,173 | ---- | M] () -- C:\Users\Kyle\AppData\Roaming\vso_ts_preview.xml
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/06 23:14:40 | 000,002,028 | ---- | C] () -- C:\Users\Public\Desktop\Halo.lnk
[2010/04/06 22:42:07 | 000,524,288 | -HS- | C] () -- C:\Users\Kyle\NTUSER.DAT{184f9d0c-41ef-11df-ba06-90e6bacd2bb2}.TMContainer00000000000000000002.regtrans-ms
[2010/04/06 22:42:07 | 000,524,288 | -HS- | C] () -- C:\Users\Kyle\NTUSER.DAT{184f9d0c-41ef-11df-ba06-90e6bacd2bb2}.TMContainer00000000000000000001.regtrans-ms
[2010/04/06 22:42:07 | 000,065,536 | -HS- | C] () -- C:\Users\Kyle\NTUSER.DAT{184f9d0c-41ef-11df-ba06-90e6bacd2bb2}.TM.blf
[2010/03/30 14:04:13 | 000,002,027 | ---- | C] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk
[2010/03/29 08:22:21 | 000,001,680 | ---- | C] () -- C:\Windows\System32\SHORTCUT.INI
[2010/03/29 08:21:36 | 000,000,123 | ---- | C] () -- C:\Windows\System32\REMOTEDEVICE.INI
[2010/03/29 08:18:54 | 000,006,504 | ---- | C] () -- C:\Windows\System32\LOCALSERVICE.INI
[2010/03/29 08:18:53 | 000,000,096 | ---- | C] () -- C:\Windows\System32\LOCALDEVICE.INI
[2010/03/28 15:04:47 | 000,000,000 | ---- | C] () -- C:\Windows\System32\BSPRINT.INI
[2010/03/28 15:04:08 | 000,002,000 | ---- | C] () -- C:\Users\Public\Desktop\Bluetooth Places.lnk
[2010/03/28 15:03:58 | 000,000,032 | ---- | C] () -- C:\Windows\0
[2010/03/28 15:03:58 | 000,000,000 | ---- | C] () -- C:\Windows\System32\0
[2010/03/26 21:06:55 | 000,036,640 | ---- | C] () -- C:\Users\Kyle\Documents\03.26.2010.pcr
[2010/03/26 14:08:53 | 000,004,378 | ---- | C] () -- C:\Users\Kyle\client.ovpn
[2010/03/26 14:08:53 | 000,002,818 | ---- | C] () -- C:\Users\Kyle\ca.crt
[2010/03/26 14:08:53 | 000,001,419 | ---- | C] () -- C:\Users\Kyle\server.crt
[2010/03/26 14:08:53 | 000,001,419 | ---- | C] () -- C:\Users\Kyle\client.crt
[2010/03/26 14:08:53 | 000,000,887 | ---- | C] () -- C:\Users\Kyle\client.key
[2010/03/26 14:08:05 | 000,000,980 | ---- | C] () -- C:\Users\Kyle\Desktop\SocksCap V2.lnk
[2010/03/25 23:20:50 | 000,293,376 | ---- | C] () -- C:\Users\Kyle\Desktop\gmer.exe
[2010/03/25 23:18:35 | 000,000,020 | ---- | C] () -- C:\Users\Kyle\defogger_reenable
[2010/03/25 20:55:09 | 000,001,162 | ---- | C] () -- C:\Users\Public\Desktop\Call of Duty Modern Warfare 2 SP.lnk
[2010/03/25 20:55:09 | 000,001,162 | ---- | C] () -- C:\Users\Public\Desktop\Call of Duty Modern Warfare 2 MP.lnk
[2010/03/23 20:40:29 | 000,057,053 | ---- | C] () -- C:\Users\Kyle\.ems.cfg
[2010/03/10 09:45:02 | 000,001,204 | ---- | C] () -- C:\Windows\System32\bscs.ini
[2010/03/08 14:13:10 | 000,028,672 | ---- | C] () -- C:\Windows\System32\BsMobileCSps.dll
[2010/02/16 17:39:54 | 000,084,482 | ---- | C] () -- C:\Users\Kyle\AppData\Roaming\icarus-dxdiag.xml
[2010/02/09 12:32:51 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2010/01/22 12:24:38 | 000,004,767 | ---- | C] () -- C:\Windows\Irremote.ini
[2010/01/22 10:04:30 | 000,081,920 | ---- | C] () -- C:\Windows\System32\BsVistaCommon.dll
[2010/01/20 14:56:32 | 000,524,288 | -HS- | C] () -- C:\Users\Kyle\NTUSER.DAT{7415dbb5-05f5-11df-aa63-0021917edcf1}.TMContainer00000000000000000002.regtrans-ms
[2010/01/20 14:56:32 | 000,524,288 | -HS- | C] () -- C:\Users\Kyle\NTUSER.DAT{7415dbb5-05f5-11df-aa63-0021917edcf1}.TMContainer00000000000000000001.regtrans-ms
[2010/01/20 14:56:31 | 000,065,536 | -HS- | C] () -- C:\Users\Kyle\NTUSER.DAT{7415dbb5-05f5-11df-aa63-0021917edcf1}.TM.blf
[2010/01/11 11:49:55 | 000,004,608 | ---- | C] () -- C:\Users\Kyle\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/10 19:30:10 | 000,074,703 | ---- | C] () -- C:\Windows\System32\mfc45.dll
[2010/01/06 11:37:46 | 000,022,328 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010/01/06 11:37:31 | 000,022,328 | ---- | C] () -- C:\Users\Kyle\AppData\Roaming\PnkBstrK.sys
[2010/01/05 03:20:49 | 000,000,017 | ---- | C] () -- C:\Users\Kyle\AppData\Local\resmon.resmoncfg
[2010/01/05 02:36:10 | 000,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2010/01/05 02:32:47 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/01/05 01:45:45 | 000,001,173 | ---- | C] () -- C:\Users\Kyle\AppData\Roaming\vso_ts_preview.xml
[2010/01/05 01:45:18 | 000,000,034 | ---- | C] () -- C:\Users\Kyle\AppData\Roaming\pcouffin.log
[2010/01/05 01:44:48 | 000,087,608 | ---- | C] () -- C:\Users\Kyle\AppData\Roaming\inst.exe
[2010/01/05 01:44:48 | 000,007,887 | ---- | C] () -- C:\Users\Kyle\AppData\Roaming\pcouffin.cat
[2010/01/05 01:44:48 | 000,001,144 | ---- | C] () -- C:\Users\Kyle\AppData\Roaming\pcouffin.inf
[2010/01/05 01:21:49 | 000,024,576 | R--- | C] () -- C:\Windows\System32\AsIO.dll
[2010/01/05 01:21:49 | 000,012,400 | R--- | C] () -- C:\Windows\System32\drivers\AsIO.sys
[2010/01/05 01:21:46 | 000,011,832 | ---- | C] () -- C:\Windows\System32\drivers\AsInsHelp64.sys
[2010/01/05 01:21:46 | 000,010,216 | ---- | C] () -- C:\Windows\System32\drivers\AsInsHelp32.sys
[2010/01/05 01:17:24 | 000,001,769 | ---- | C] () -- C:\Windows\Language_trs.ini
[2010/01/05 01:17:21 | 000,033,643 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2010/01/05 00:43:56 | 005,767,168 | -HS- | C] () -- C:\Users\Kyle\NTUSER.DAT
[2010/01/05 00:43:56 | 000,524,288 | -HS- | C] () -- C:\Users\Kyle\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
[2010/01/05 00:43:56 | 000,524,288 | -HS- | C] () -- C:\Users\Kyle\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
[2010/01/05 00:43:56 | 000,262,144 | -HS- | C] () -- C:\Users\Kyle\ntuser.dat.LOG1
[2010/01/05 00:43:56 | 000,065,536 | -HS- | C] () -- C:\Users\Kyle\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
[2010/01/05 00:43:56 | 000,000,020 | -HS- | C] () -- C:\Users\Kyle\ntuser.ini
[2010/01/05 00:43:56 | 000,000,000 | -HS- | C] () -- C:\Users\Kyle\ntuser.dat.LOG2
[2009/12/03 10:27:28 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2009/11/06 10:58:04 | 000,178,975 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2009/09/24 13:41:06 | 000,029,192 | ---- | C] () -- C:\Windows\System32\drivers\btnetBus.sys
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/15 23:36:30 | 000,013,216 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/07/05 22:48:02 | 000,011,448 | R--- | C] () -- C:\Windows\System32\drivers\AsUpIO.sys
[2009/04/02 08:30:14 | 000,010,296 | ---- | C] () -- C:\Windows\System32\drivers\ASUSHWIO.SYS
[2008/10/07 10:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2008/10/07 10:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll

========== LOP Check ==========

[2010/02/16 19:23:39 | 000,000,000 | ---D | M] -- C:\Users\Kyle\AppData\Roaming\com.pandora.desktop.FB9956FD96E03239939108614098AD95535EE674.1
[2010/01/27 19:22:19 | 000,000,000 | ---D | M] -- C:\Users\Kyle\AppData\Roaming\Command & Conquer 3 Tiberium Wars
[2010/01/05 01:50:33 | 000,000,000 | ---D | M] -- C:\Users\Kyle\AppData\Roaming\DAEMON Tools
[2010/01/10 19:30:08 | 000,000,000 | ---D | M] -- C:\Users\Kyle\AppData\Roaming\iolo
[2010/01/20 14:56:53 | 000,000,000 | ---D | M] -- C:\Users\Kyle\AppData\Roaming\Razer
[2010/03/23 20:27:29 | 000,000,000 | ---D | M] -- C:\Users\Kyle\AppData\Roaming\uTorrent
[2010/03/24 20:55:20 | 000,000,000 | ---D | M] -- C:\Users\Kyle\AppData\Roaming\Vso
[2009/07/14 00:53:46 | 000,026,094 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/07/13 21:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys
[2009/07/13 21:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys
[2009/07/13 21:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/07/13 21:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009/07/13 21:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
[2009/07/13 21:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/13 21:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009/07/13 21:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2009/07/13 21:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\drivers\iaStorV.sys
[2009/07/13 21:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/13 21:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/13 21:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll
[2009/07/13 21:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2009/07/13 21:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\drivers\nvstor.sys
[2009/07/13 21:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/13 21:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/07/13 21:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\System32\scecli.dll
[2009/07/13 21:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2010/03/03 00:13:04 | 000,446,464 | ---- | M] (Advanced Micro Devices, Inc.) Unable to obtain MD5 -- C:\Windows\System32\ATIDEMGX.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >

< End of report >


#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:09:43 AM

Posted 08 April 2010 - 01:57 PM

Looks good to me, just run another online scan to be sure.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt



Please open OTL, set the extra registry tab to use safe list and hit the run scan button, post back with the 2 logfiles.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware



