Infected with Kryptik.exe Trojan


39 replies to this topic

#1 sherriec09


  • Members
  • 51 posts

Posted 02 April 2010 - 01:01 PM

NOTE: COMP WON'T LET ME 'SEND' FULL DDS FILE. TROJAN SEEMS TO INTERFERE WITH ANYTHING TO DO WITH LOGS. I HAVE ATTACHED BOTH FILES REQUESTED AND PASTED A FULL COPY OF THE DDS FILE, BUT IT WON'T SHOW UP AND SAYS PAGE CANNOT BE FOUND WHEN I TRY TO SUBMIT. THEN IT GIVES ME DUPLICATES OF THE SAME TOPIC. HELP!

I am infected with the Kryptik trojan. It pops up in my ESET antivirus logs, but never deletes. I have tried PCTools Spyware Dr. (which Google recommended); I ran it 3 times and it never caught this trojan. I have run ESET, Malwarebytes, SUPERAntiSpyware, and one other program to no avail. I tried the manual delete instructions, but could not find the files they said to delete, so I gave up and came here.

My computer is dragging, freezing up, won't shut down, pop-up windows for ads on my Firefox browser, re-directs. I read another thread where a woman's bank account was cleaned out twice before she found it, so I changed all my passwords and didn't have the computer save them. ESET keeps blocking a pop-up from lenina66.com (?), which is the ad website. I kept getting a Yahoo pop-up for a survey and a "Congratulations, you won!" webpage, and then I noticed I had a Yahoo toolbar in my add-ons, so I deleted it. Didn't change the pop-ups. I also deleted Java in my add-ons.

Here is the DDS Log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Sherrie at 9:57:29.65 on Fri 04/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.612 [GMT -7:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Sherrie\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106517016812
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1247668487125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sherrie\applic~1\mozilla\firefox\profiles\e8qshflm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\sherrie\application data\idm\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\documents and settings\sherrie\local settings\application data\yahoo!\browserplus\2.6.0\plugins\npybrowserplus_2.6.0.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-1 217032]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 94360]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-4-1 112592]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-8-8 10384]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S2 FlexService;Remote Connections Service;"c:\program files\rapidbit\cisvc.exe" --> c:\program files\rapidbit\cisvc.exe [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-4-1 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-4-1 1142224]

=============== Created Last 30 ================

2010-04-02 03:19:56 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-02 03:19:54 882 ----a-w- c:\windows\RegSDImport.xml
2010-04-02 03:19:54 879 ----a-w- c:\windows\RegISSImport.xml
2010-04-02 03:19:54 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-02 03:19:54 131 ----a-w- c:\windows\IDB.zip
2010-04-02 03:19:54 1152444 ----a-w- c:\windows\UDB.zip
2010-04-02 03:19:53 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-02 03:19:53 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-02 00:23:44 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-04-02 00:23:43 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-02 00:22:41 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-04-02 00:22:39 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-04-02 00:22:39 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-02 00:22:36 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-02 00:21:06 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-04-02 00:21:04 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-02 00:19:05 0 d-----w- c:\program files\common files\PC Tools
2010-04-02 00:18:55 0 d-----w- c:\program files\Spyware Doctor
2010-04-02 00:18:55 0 d-----w- c:\docume~1\sherrie\applic~1\PC Tools
2010-04-02 00:18:55 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-04-01 21:12:45 0 d-----w- c:\docume~1\sherrie\applic~1\iWin
2010-04-01 21:04:06 0 d-----w- c:\program files\Mah Jong Quest II
2010-03-30 18:04:15 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-30 18:04:02 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-30 18:04:02 0 d-----w- c:\docume~1\sherrie\applic~1\SUPERAntiSpyware.com
2010-03-30 01:48:02 0 d-----w- c:\program files\1001 Nights The Adventures of Sindbad
2010-03-29 03:36:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Nevosoft
2010-03-29 03:33:59 0 d-----w- c:\program files\Escape From Lost Island
2010-03-28 04:49:36 0 d-----w- c:\docume~1\sherrie\applic~1\SprillRichiEng
2010-03-28 04:46:36 0 d-----w- c:\program files\Sprill & Ritchie Adventures in Time
2010-03-24 16:55:03 3252 ----a-w- c:\windows\system32\wbem\Outlook_01cacb72bf8ef91c.mof
2010-03-22 20:10:07 766 ----a-w- c:\windows\zeusicon.ico
2010-03-22 20:00:33 766 ----a-w- c:\windows\attwns.ico
2010-03-22 20:00:16 4398 ----a-w- c:\windows\caesar3.ico
2010-03-22 19:57:44 0 d-----w- C:\SIERRA
2010-03-22 19:57:44 0 d-----w- c:\program files\Sierra On-Line
2010-03-22 19:57:14 565 ----a-w- c:\windows\SIERRA.INI
2010-03-12 04:06:45 28040 ----a-w- c:\windows\system32\mdimon.dll
2010-03-11 23:23:43 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 01:03:27 6424 --sha-w- c:\windows\system32\KGyGaAvL.sys
2004-07-22 17:51:34 3432656 ----a-w- c:\program files\ManagedDX.CAB
2004-07-20 05:58:36 1156363 ----a-w- c:\program files\BDANT.cab
2004-07-20 05:53:26 976020 ----a-w- c:\program files\BDAXP.cab
2004-07-09 21:17:16 13265040 ----a-w- c:\program files\dxnt.cab
2004-07-09 16:13:48 15493481 ----a-w- c:\program files\DirectX.cab
2004-07-09 16:13:46 703080 ----a-w- c:\program files\BDA.cab
2004-07-09 11:08:36 472576 ----a-w- c:\program files\dxsetup.exe
2004-07-09 11:08:34 2242560 ----a-w- c:\program files\dsetup32.dll
2004-07-09 10:03:10 62976 ----a-w- c:\program files\DSETUP.dll
2009-12-28 23:55:06 88 --sh--r- c:\windows\system32\AD17282497.sys
2009-06-25 22:21:40 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-06-25 22:21:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009062520090626\index.dat

============= FINISH: 9:59:04.53 ===============

Attached File: Ark.txt (5.7KB, 11 downloads)
Attached File: Attach.txt (12.17KB, 10 downloads)

Note: Changed to different computer so I am trying this again.

Thanks
Sherrie

Edited by sherriec09, 02 April 2010 - 01:35 PM.
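Added example (not part of Sherrie's post, and not a DDS or BleepingComputer tool): a small Python triage script that reads the SERVICES / DRIVERS and Find3M sections of a DDS log like the one above and lists the entries a helper would look at first: service and driver entries whose image file DDS marked [?] (not found on disk, the same entries OTL later reports as "File not found"), and hidden+system files sitting directly in system32. The R/S start-type digit mapping and the attribute-column meanings are assumptions inferred from this log and the OTL output later in the thread; the sample input is constructed from lines of the log above, and the output is a review list, not a verdict.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the DDS log posted in this thread,
# just enough to exercise both line formats the parser understands.
SAMPLE_LOG = r"""============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-1 217032]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
S2 FlexService;Remote Connections Service;"c:\program files\rapidbit\cisvc.exe" --> c:\program files\rapidbit\cisvc.exe [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

==================== Find3M ====================

2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 01:03:27 6424 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-28 23:55:06 88 --sh--r- c:\windows\system32\AD17282497.sys
2009-06-25 22:21:40 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
"""

# R = running, S = stopped; the digit is the Windows start type (0 boot, 1 system,
# 2 auto, 3 on-demand). Assumption, but the OTL log later in the thread agrees
# (PCTCore R0 -> Boot, ekrn R2 -> Auto, sdAuxService S3 -> On_Demand).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "on-demand"}

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s+\[(?P<tag>[^\]]*)\]$"
)
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[A-Za-z-]{8})\s+(?P<path>.+)$"
)

# Directories where a hidden+system *file* deserves a look. Such files can still
# be legitimate (licensing/DRM components use the trick), so this is a review
# list, not a verdict.
WATCHED_DIRS = {r"c:\windows\system32", r"c:\windows\system32\drivers"}

@dataclass
class Service:
    name: str
    image: str
    running: bool
    start: str
    file_found: bool

@dataclass
class Finding:
    kind: str
    name: str
    path: str
    reason: str

def parse_service(line: str) -> Optional[Service]:
    """Parse one 'R0 name;display;image [date size]' line; None if it is not one."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    image = m["image"]
    if "-->" in image:
        # DDS prints '<registry value> --> <resolved path>'; keep the resolved path.
        image = image.split("-->", 1)[1].strip()
    return Service(
        name=m["name"],
        image=image,
        running=m["state"] == "R",
        start=START_TYPES.get(m["start"], "unknown"),
        file_found=m["tag"] != "?",  # '[?]' means DDS could not find the file
    )

def triage(log_text: str) -> List[Finding]:
    """Return review items: orphaned service entries and hidden+system files."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        svc = parse_service(line)
        if svc is not None:
            if not svc.file_found:
                state = "running" if svc.running else "stopped"
                findings.append(Finding(
                    "missing_binary", svc.name, svc.image,
                    f"{state} {svc.start} service/driver whose image file was not found",
                ))
            continue
        m = FILE_RE.match(line)
        if not m or m["attrs"].startswith("d"):  # 'd' column = directory, skip
            continue
        attrs, path = m["attrs"], m["path"]
        # Attribute columns as printed by DDS ('--sha-w-'): 's' system, 'h' hidden,
        # 'a' archive, 'r'/'w' read-only/writable (meaning inferred from the log).
        if "s" in attrs and "h" in attrs and ntpath.dirname(path).lower() in WATCHED_DIRS:
            findings.append(Finding(
                "hidden_system_file", ntpath.basename(path), path,
                f"hidden+system file, {m['size']} bytes, attrs {attrs}; verify publisher",
            ))
    return findings
```

Running triage(SAMPLE_LOG) returns four findings: the two orphaned service entries (FlexService, PciCon) and the two hidden+system .sys files in system32, in log order.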




#2 sempai



  • Malware Response Team
  • 5,288 posts

Posted 03 April 2010 - 09:05 AM

Hello, my name is Sempai and welcome to Bleeping Computer.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



+++++++++++++++++++++++


1. I do not recommend that you have more than one anti virus product installed and running on your computer at a time.
The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Spyware Doctor or ESET NOD32.



2. Please download TDSSKiller.zip and save it to your desktop.
  • Extract the zip file to your desktop (Right click on the file and choose extract all).
  • Double-Click TDSSKiller.exe to run it.
  • When it has finished, press any key to continue (let it reboot if needed).
  • Once completed it will create a log in your C:\ drive.
  • Please post the contents of that log.



3. Download OTL to your Desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Copy and Paste the following code into the Custom Scan box. Do not include the word "Code"

    CODE

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them when you reply.

~Semp





You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 sherriec09

sherriec09
  • Topic Starter

  • Members
  • 51 posts

Posted 03 April 2010 - 01:29 PM

Too late. Last night ESET kept popping up with the red box that it was blocking attacks to my drivers. It was constant, one after the other, so I shut it down. Now I can't get in. I get the blue screen that says Windows has shut down to prevent damage to my computer. I get the same blue screen after I tried loading with last good configuration, Safe Mode, and Safe Mode with C prompt. This is the technical info it gives me:

****STOP:0x00000007E (0xc0000005,0xF74B67c0,0xF78A2528,0xF78A2224)
*** atapi.sys - Address F74B67C0 base at 74FA0000, DateStamp 4802539d

Can this be fixed? Can I still save my files?

#4 sempai



  • Malware Response Team
  • 5,288 posts

Posted 03 April 2010 - 08:26 PM

Hi sherriec09,

QUOTE
Can this be fixed? Can I still save my files?

We always try and do our best. We treat every user's computer as our own.


+++++++++++++++++++++++++++


OK, this file is big. Print these instructions out so that you know what you are doing.

Two programmes to download

First

ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the programme; from there on in it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Non-Microsoft
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\_OTL\MovedFiles
  • Copy this file to your USB drive if you do not have an internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.


~Semp



#5 sherriec09

sherriec09
  • Topic Starter

  • Members
  • 51 posts

Posted 03 April 2010 - 08:58 PM

Thank you. It will take a day or two before I can get to it. My wireless printer part is not here so I can't hook up my printer to my laptop to print the instructions until sometime tomorrow.

#6 sempai



  • Malware Response Team
  • 5,288 posts

Posted 03 April 2010 - 09:10 PM

OK no problem, you can save the instructions to a notepad too.

Regards,
~Semp



#7 sherriec09

sherriec09
  • Topic Starter

  • Members
  • 51 posts

Posted 04 April 2010 - 12:00 AM

I am on my laptop now. Can I download and burn the ISO from my laptop and then boot the desktop comp (infected computer) with the bootable CD? If so, then I can just follow the directions from the laptop, copy the file to a USB flash drive and upload the logs from here.

#8 sempai



  • Malware Response Team
  • 5,288 posts

Posted 04 April 2010 - 12:28 AM

Hi,

Yes, that's exactly the idea here. We can't use your infected PC because of the boot issue, so we need another PC to download tools.

Please run Flash Disinfector on your laptop (clean PC).

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

~Semp



#9 sherriec09

sherriec09
  • Topic Starter

  • Members
  • 51 posts

Posted 04 April 2010 - 01:31 AM

Everything done up to bootup:

OTLPE is up; however, it does not ask what you said to check.

# When asked "Do you wish to load the remote registry", select Yes (didn't ask me this)
# When asked "Do you wish to load remote user profile(s) for scanning", select Yes (didn't ask me this)
# Ensure the box "Automatically Load All Remaining Users" is checked and press OK (did ask me this; I clicked Yes)
# OTL should now start. Change the following settings (doesn't show this)

* Change Drivers to Non-Microsoft

What it does show is this:

4 boxes:

Services: click None; Use Safelist; All
Drivers: click None; Use Safelist; All
Standard Registry: click None; Use Safelist; All
Extra Registry: click None; Use Safelist; All


More:
Output: click Standard Output or Minimal Output
File Scans: click 1 day; 7 days; 14 days; 30 days; 60 days; 90 days
Box: click Use Company Name Whitelist
Box: click Skip Microsoft Files
Box: Files Created Within: click None; File Age; All
Box: Files Modified Within: None; File Age; All
check LOP Check
check Purity Check


So, what do I check?




#10 sempai



  • Malware Response Team
  • 5,288 posts

Posted 04 April 2010 - 01:36 AM

OK, for now just click the run scan button and don't change any settings. Let's see what we can find there.

~Semp



#11 sherriec09

sherriec09
  • Topic Starter

  • Members
  • 51 posts

Posted 04 April 2010 - 01:46 AM

Okay, here it is. It was run with Use Safelist checked on all 4 boxes. File age was set at 30 days. Files Created Within: File Age. Files Modified Within: File Age. LOP Check and Purity Check were both checked. These were all already set when the screen came up. I didn't change anything.

OTL logfile created on: 4/4/2010 12:39:36 AM - Run
OTLPE by OldTimer - Version 3.1.37.1 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 80.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 30.29 Gb Free Space | 40.65% Space Free | Partition Type: NTFS
Drive D: | 233.76 Gb Total Space | 48.50 Gb Free Space | 20.75% Space Free | Partition Type: NTFS
Drive E: | 232.88 Gb Total Space | 183.69 Gb Free Space | 78.88% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 276.80 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- -- (FlexService)
SRV - [2010/03/15 15:50:36 | 001,142,224 | ---- | M] (PC Tools) [On_Demand] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2010/03/11 15:09:22 | 000,366,840 | ---- | M] (PC Tools) [On_Demand] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2010/01/22 12:56:24 | 000,112,592 | ---- | M] (Threat Expert Ltd.) [Auto] -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2009/09/06 16:38:06 | 000,071,096 | ---- | M] () [Auto] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)
SRV - [2009/07/20 15:28:10 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2009/05/14 18:54:22 | 000,020,680 | ---- | M] (ESET) [On_Demand] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/05/14 18:47:54 | 000,731,840 | ---- | M] (ESET) [Auto] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2007/06/05 16:20:32 | 000,177,704 | ---- | M] () [Auto] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WINFLASH)
DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand] -- -- (PciCon)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2010/03/10 14:36:36 | 000,217,032 | ---- | M] (PC Tools) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2010/02/17 14:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/02/17 14:15:58 | 000,066,632 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 14:15:58 | 000,012,872 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/11/20 22:34:54 | 010,235,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/11/12 17:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand] -- C:\WINDOWS\system32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2009/06/17 12:56:24 | 000,079,248 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE)
DRV - [2009/06/17 12:56:18 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2009/06/17 12:56:06 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2009/06/17 12:55:34 | 000,010,384 | ---- | M] (Logitech, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2009/06/17 12:55:26 | 000,063,248 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\L8042mou.Sys -- (L8042mou)
DRV - [2009/06/17 12:55:18 | 000,020,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2009/05/14 18:49:32 | 000,094,360 | ---- | M] (ESET) [Kernel | System] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2009/05/14 18:47:14 | 000,107,256 | ---- | M] (ESET) [Kernel | System] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2009/05/14 18:41:10 | 000,114,472 | ---- | M] (ESET) [File_System | Auto] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2009/03/15 06:25:46 | 000,056,268 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2008/09/24 13:40:22 | 004,122,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2008/03/06 14:51:14 | 000,003,840 | ---- | M] () [Kernel | System] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2006/02/14 19:02:56 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sisnicxp.sys -- (SISNICXP)
DRV - [2004/05/14 06:26:40 | 000,217,600 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2004/05/11 22:28:10 | 000,012,416 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2003/12/11 11:54:14 | 000,391,424 | ---- | M] (Sensaura Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/12/09 03:43:36 | 000,045,568 | R--- | M] (Silicon Integrated Systems) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\SiSRaid.sys -- (SiSRaid)
DRV - [2003/07/17 21:58:20 | 000,036,992 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\SISAGPX.SYS -- (SISAGP)
DRV - [2003/03/25 05:50:46 | 000,004,096 | R--- | M] (Silicon Integrated Systems Corp.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\siside.sys -- (SiSide)
DRV - [2002/12/13 04:06:40 | 000,129,875 | R--- | M] (Mars Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mr97310c.sys -- (MR97310_USB_DUAL_CAMERA)
DRV - [2002/10/17 03:14:46 | 000,049,024 | R--- | M] (Windows ® 2000 DDK provider) [File_System | Boot] -- C:\WINDOWS\system32\drivers\sisidex.sys -- (sisidex)
DRV - [2002/08/20 05:19:08 | 000,009,472 | R--- | M] (Silicon Integrated Systems Corp.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\sisperf.sys -- (sisperf)
DRV - [2002/07/10 11:39:34 | 000,032,256 | R--- | M] (SiS Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)
DRV - [2002/07/08 23:09:00 | 000,131,676 | ---- | M] (PCTEL, INC.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ptserial.sys -- (Ptserial)
DRV - [2002/07/08 23:08:30 | 000,065,343 | ---- | M] (PCtel, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\vvoice.sys -- (Vvoice)
DRV - [2002/07/08 23:08:06 | 000,695,981 | ---- | M] (PCTEL, INC.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\vmodem.sys -- (Vmodem)
DRV - [2002/07/08 23:07:12 | 000,546,027 | ---- | M] (PCtel, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\vpctcom.sys -- (Vpctcom)
DRV - [2001/08/17 17:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\Sherrie_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2009/06/25 16:33:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/26 12:29:13 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/26 12:29:13 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2009/09/08 14:47:33 | 000,000,000 | ---D | M]

[2010/04/02 12:37:25 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2004/08/04 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (IDMIEHlprObj Class) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (Tonec Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKU\Sherrie_ON_C\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKU\Sherrie_ON_C..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe (Tonec Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Sherrie_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://v5.windowsupdate.microsoft.com/v5co...b?1106517016812 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1247668487125 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/01/20 19:54:07 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/02 19:06:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/04/02 15:09:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Local Settings\Application Data\Threat Expert
[2010/04/02 03:30:26 | 000,000,000 | R--D | C] -- C:\Documents and Settings\LocalService\Favorites
[2010/04/01 23:19:54 | 000,149,456 | ---- | C] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll
[2010/04/01 23:19:53 | 001,652,688 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll
[2010/04/01 23:19:53 | 000,165,840 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDRes.dll
[2010/04/01 21:47:29 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Sherrie\Desktop\spybotsd162.exe
[2010/04/01 20:23:43 | 000,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/04/01 20:22:39 | 000,217,032 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2010/04/01 20:22:36 | 000,088,040 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2010/04/01 20:21:04 | 000,070,408 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/04/01 20:19:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/04/01 20:18:55 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/04/01 20:18:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Application Data\PC Tools
[2010/04/01 20:15:30 | 036,592,824 | ---- | C] (PC Tools ) -- C:\Documents and Settings\Sherrie\Desktop\sdasetup_aff.exe
[2010/04/01 17:12:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Application Data\iWin
[2010/04/01 17:04:06 | 000,000,000 | ---D | C] -- C:\Program Files\Mah Jong Quest II
[2010/03/30 14:04:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Application Data\SUPERAntiSpyware.com
[2010/03/30 14:04:02 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/03/29 21:48:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Local Settings\Application Data\Menge
[2010/03/29 21:48:02 | 000,000,000 | ---D | C] -- C:\Program Files\1001 Nights The Adventures of Sindbad
[2010/03/29 19:34:04 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\LocalService\IETldCache
[2010/03/29 19:33:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/03/29 19:32:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/03/29 15:14:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2010/03/29 13:23:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/03/29 13:23:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/03/29 12:48:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/03/29 12:48:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/03/28 23:33:59 | 000,000,000 | ---D | C] -- C:\Program Files\Escape From Lost Island
[2010/03/28 00:49:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Application Data\SprillRichiEng
[2010/03/28 00:46:36 | 000,000,000 | ---D | C] -- C:\Program Files\Sprill & Ritchie Adventures in Time
[2010/03/22 15:57:44 | 000,000,000 | ---D | C] -- C:\Program Files\Sierra On-Line
[2010/03/22 15:57:44 | 000,000,000 | ---D | C] -- C:\SIERRA
[2010/03/12 00:06:45 | 000,028,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mdimon.dll
[2010/03/11 19:23:43 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2004/07/09 07:08:36 | 000,472,576 | ---- | C] (Microsoft Corporation) -- C:\Program Files\dxsetup.exe
[2004/07/09 07:08:34 | 002,242,560 | ---- | C] (Microsoft Corporation) -- C:\Program Files\dsetup32.dll
[2004/07/09 06:03:10 | 000,062,976 | ---- | C] (Microsoft Corporation) -- C:\Program Files\DSETUP.dll
[20 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/04 00:39:37 | 000,262,144 | ---- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2010/04/02 19:10:50 | 002,649,574 | -H-- | M] () -- C:\Documents and Settings\Sherrie\Local Settings\Application Data\IconCache.db
[2010/04/02 18:59:49 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/02 15:44:18 | 000,262,130 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/04/02 15:43:39 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/02 15:43:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/02 15:42:32 | 013,893,632 | ---- | M] () -- C:\Documents and Settings\Sherrie\NTUSER.DAT
[2010/04/02 15:42:32 | 000,233,472 | ---- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/04/02 13:02:46 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\gmer.zip
[2010/04/01 21:58:50 | 000,000,973 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\Spybot - Search & Destroy.lnk
[2010/04/01 21:48:32 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Sherrie\Desktop\spybotsd162.exe
[2010/04/01 20:17:32 | 036,592,824 | ---- | M] (PC Tools ) -- C:\Documents and Settings\Sherrie\Desktop\sdasetup_aff.exe
[2010/04/01 17:04:32 | 000,000,810 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\Mah Jong Quest II.lnk
[2010/04/01 14:09:29 | 000,101,376 | ---- | M] () -- C:\Documents and Settings\Sherrie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/01 00:26:00 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Sherrie\ntuser.ini
[2010/03/31 21:04:32 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/31 21:04:32 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/31 21:04:32 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/03/30 16:07:22 | 000,033,792 | ---- | M] () -- C:\Documents and Settings\Sherrie\My Documents\att info.doc
[2010/03/29 21:48:16 | 000,000,985 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\1001 Nights The Adventures of Sindbad.lnk
[2010/03/29 13:23:20 | 000,001,100 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/03/28 23:35:34 | 000,000,887 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\Escape From Lost Island.lnk
[2010/03/28 00:48:18 | 000,000,926 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\Sprill & Ritchie Adventures in Time.lnk
[2010/03/27 18:59:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/03/24 12:55:03 | 000,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/24 12:55:03 | 000,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/24 12:55:02 | 000,509,398 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/22 16:14:27 | 000,001,529 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\Pharaoh & Cleopatra.lnk
[2010/03/22 16:10:19 | 000,000,565 | ---- | M] () -- C:\WINDOWS\SIERRA.INI
[2010/03/21 15:01:16 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/16 19:52:11 | 124,024,101 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\giftboutique916-2010-03-16-16-49-26.imb
[2010/03/16 19:51:29 | 001,245,071 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\giftboutique916-2010-03-16-16-49-26.tlb
[2010/03/12 00:07:03 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/03/10 14:36:36 | 000,217,032 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[20 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/02 13:04:19 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\gmer.exe
[2010/04/02 13:02:43 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\gmer.zip
[2010/04/01 23:19:56 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2010/04/01 23:19:54 | 001,152,444 | ---- | C] () -- C:\WINDOWS\UDB.zip
[2010/04/01 23:19:54 | 000,000,882 | ---- | C] () -- C:\WINDOWS\RegSDImport.xml
[2010/04/01 23:19:54 | 000,000,879 | ---- | C] () -- C:\WINDOWS\RegISSImport.xml
[2010/04/01 23:19:54 | 000,000,131 | ---- | C] () -- C:\WINDOWS\IDB.zip
[2010/04/01 21:58:50 | 000,000,973 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\Spybot - Search & Destroy.lnk
[2010/04/01 20:23:44 | 000,007,387 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat
[2010/04/01 20:22:41 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat
[2010/04/01 20:22:39 | 000,007,412 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat
[2010/04/01 20:21:06 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplsg.cat
[2010/04/01 17:04:32 | 000,000,810 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\Mah Jong Quest II.lnk
[2010/03/30 16:07:22 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Sherrie\My Documents\att info.doc
[2010/03/29 21:48:16 | 000,000,985 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\1001 Nights The Adventures of Sindbad.lnk
[2010/03/28 23:35:34 | 000,000,887 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\Escape From Lost Island.lnk
[2010/03/28 00:48:18 | 000,000,926 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\Sprill & Ritchie Adventures in Time.lnk
[2010/03/22 16:14:27 | 000,001,529 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\Pharaoh & Cleopatra.lnk
[2010/03/22 16:10:07 | 000,000,766 | ---- | C] () -- C:\WINDOWS\zeusicon.ico
[2010/03/22 16:00:33 | 000,000,766 | ---- | C] () -- C:\WINDOWS\attwns.ico
[2010/03/22 16:00:16 | 000,004,398 | ---- | C] () -- C:\WINDOWS\caesar3.ico
[2010/03/22 15:57:14 | 000,000,565 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2010/03/16 19:51:44 | 124,024,101 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\giftboutique916-2010-03-16-16-49-26.imb
[2010/03/16 19:51:28 | 001,245,071 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\giftboutique916-2010-03-16-16-49-26.tlb
[2009/12/28 22:04:21 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\4311B1459F.sys
[2009/10/26 00:01:08 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2009/10/24 15:10:16 | 000,000,116 | ---- | C] () -- C:\WINDOWS\WinInit.Ini
[2009/09/08 05:35:00 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2009/08/27 17:38:02 | 000,000,075 | ---- | C] () -- C:\WINDOWS\APOapp.INI
[2009/08/27 17:25:51 | 000,000,037 | ---- | C] () -- C:\WINDOWS\marscam.ini
[2009/08/27 17:20:01 | 000,036,864 | R--- | C] () -- C:\WINDOWS\System32\mr310exv.dll
[2009/08/27 17:20:01 | 000,028,672 | R--- | C] () -- C:\WINDOWS\System32\mr310exd.dll
[2009/08/07 02:38:03 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/08/07 02:38:02 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/08/03 04:21:54 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2009/08/03 04:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2009/08/03 04:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2009/08/03 04:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2009/08/03 04:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2009/08/03 04:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2009/08/03 04:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2009/08/03 04:21:54 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2009/08/03 04:21:52 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2009/08/03 04:21:52 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2009/07/28 22:34:37 | 000,101,376 | ---- | C] () -- C:\Documents and Settings\Sherrie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/28 22:34:37 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/07/22 16:39:51 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\AD17282497.sys
[2009/07/22 16:25:43 | 000,006,424 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/07/21 15:03:19 | 000,004,298 | ---- | C] () -- C:\Documents and Settings\Sherrie\Application Data\wklnhst.dat
[2009/07/14 21:15:00 | 000,178,432 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2009/07/09 00:12:15 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2009/06/25 16:14:23 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/02/14 01:31:58 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/02/14 01:31:56 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/01/26 20:08:19 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/01/23 17:33:15 | 000,135,168 | R--- | C] () -- C:\WINDOWS\System32\property.dll
[2005/01/23 17:09:29 | 000,139,264 | R--- | C] () -- C:\WINDOWS\System32\IDEproperty.dll
[2005/01/23 17:09:17 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/01/23 17:07:25 | 000,032,768 | ---- | C] () -- C:\WINDOWS\SIS_LIB.DLL
[2005/01/23 17:06:48 | 000,108,023 | R--- | C] () -- C:\WINDOWS\VGAsetup.ini
[2005/01/23 17:06:26 | 000,102,683 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2005/01/20 18:40:14 | 000,000,546 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/07/22 13:51:34 | 003,432,656 | ---- | C] () -- C:\Program Files\ManagedDX.CAB
[2004/07/20 01:58:36 | 001,156,363 | ---- | C] () -- C:\Program Files\BDANT.cab
[2004/07/20 01:53:26 | 000,976,020 | ---- | C] () -- C:\Program Files\BDAXP.cab
[2004/07/09 17:17:16 | 013,265,040 | ---- | C] () -- C:\Program Files\dxnt.cab
[2004/07/09 12:13:48 | 015,493,481 | ---- | C] () -- C:\Program Files\DirectX.cab
[2004/07/09 12:13:46 | 000,703,080 | ---- | C] () -- C:\Program Files\BDA.cab
[2003/01/07 19:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2009/06/29 12:08:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\3Stars
[2009/07/18 22:09:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Aisle 5 Games, Inc
[2009/09/04 05:05:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Alawar
[2010/01/11 21:42:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Artogon
[2009/07/20 22:57:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Babylonia
[2009/08/12 21:45:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Bioshock
[2009/10/16 16:03:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\blg
[2009/11/08 23:16:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Blitware
[2009/10/26 00:01:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Canneverbe_Limited
[2009/08/12 21:54:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\cerasus.media
[2009/12/31 02:43:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Curious Sense
[2009/10/31 01:09:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Dekovir
[2010/04/02 15:43:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\DMCache
[2010/01/13 03:05:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Dragon Altar Games
[2010/01/06 23:15:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\EA
[2009/10/30 02:20:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Enki Games
[2009/11/15 04:41:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\ERS G-Studio
[2009/09/09 01:05:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Flood Light Games
[2009/10/22 18:41:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\FlyWheelGames
[2010/01/18 19:41:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\funkitron
[2009/10/21 00:33:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\GameInvest
[2009/07/17 22:15:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Gamers Digital
[2009/07/30 22:33:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Games
[2009/12/31 03:51:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\GTM_Bodie
[2009/12/19 22:42:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\HdO Adventure
[2010/01/18 20:28:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\IDM
[2005/01/24 18:28:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\InterTrust
[2010/04/01 17:12:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\iWin
[2009/12/18 22:31:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\iWin_generic
[2009/12/17 00:58:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Little Games Company
[2009/12/27 17:38:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Marine Aquarium 3
[2010/01/19 04:07:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\MastersOfMystery2
[2009/11/08 02:58:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Merscom
[2010/01/05 01:30:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Millennium_Saves
[2010/01/16 22:32:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\PlayFirst
[2009/12/20 00:32:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Playrix Entertainment
[2009/09/05 02:29:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\PoBros
[2010/03/28 00:50:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\SprillRichiEng
[2009/08/11 02:58:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\SulusGames
[2009/11/08 23:47:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\SystemRequirementsLab
[2009/07/21 15:03:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Template
[2010/01/10 19:07:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\TheFixerUpper
[2009/06/25 18:38:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Thinstall
[2009/12/21 03:15:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\TitanicMystery
[2009/06/25 18:33:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\TuneUp Software
[2009/06/28 00:56:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Twintale Entertainment
[2009/07/21 00:05:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Ubisoft
[2009/06/27 18:04:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\UClick
[2009/08/03 16:44:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\V-Games
[2009/12/30 22:27:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Virtual City
[2009/08/05 21:38:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\YoudaGames
[2010/01/10 08:50:00 | 000,000,456 | ---- | M] () -- C:\WINDOWS\Tasks\Driver Robot.job

========== Purity Check ==========


< End of report >


#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:49 AM

Posted 04 April 2010 - 02:06 AM

Hi, thanks for the log.

++++++++++++++

Using a clean computer, open Notepad, copy and paste the entire contents of the coded text below, and save it to your flash/removable drive.
CODE
:OTL
[2009/12/28 22:04:21 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\4311B1459F.sys
[2009/07/22 16:39:51 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\AD17282497.sys
[20 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

:Commands
[purity]
[emptytemp]
[Reboot]



Next, boot your infected computer again using OTLPE CD then insert your flash/removable drive.
We need to run an OTL Fix
  1. Please reopen on your desktop (currently booted using OTLPE CD).
  2. Copy and Paste the contents of the notepad that you saved in your flash/removable drive into the textbox. Do not include the word "Code"
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.


Please tell me if you can now boot in normal Windows.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 
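The fix script above targets two tiny RHS-attributed .sys files with hex-looking names in System32, the kind of entry a helper picks out of an OTL "Files - Modified/Created" listing by eye. As an added example that is not part of this thread or of OTL itself, here is a small Python triage script that parses that OTL line format and flags the same pattern automatically; the sample log is constructed from entries quoted in this thread, and the "suspicious" heuristic (hidden+system attributes, no company name, hex-only stem, under 4 KB, under System32) is an assumption of this example, not an OTL rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# OTL file-listing line layout:  [date time | size | attrs | M/C] (company) -- path
OTL_LINE = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[MC])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
HEX_STEM = re.compile(r"^[0-9A-F]{8,}$")  # e.g. 4311B1459F (assumed heuristic)

@dataclass
class OtlEntry:
    timestamp: str
    size: int
    attrs: str
    path: str
    company: Optional[str]  # None when OTL printed no "( )" field, "" when it was empty

def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Return a parsed entry, or None for lines that are not file/folder listings."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    size = int(m["size"].replace(",", ""))
    return OtlEntry(m["ts"], size, m["attrs"], m["path"], m["company"])

def is_suspicious(e: OtlEntry) -> bool:
    """Hidden+system, unsigned-looking, hex-named, tiny file under System32 (assumed heuristic)."""
    if "D" in e.attrs:                      # directories are not of interest here
        return False
    stem = e.path.rsplit("\\", 1)[-1].rpartition(".")[0]
    in_system32 = "\\windows\\system32\\" in e.path.lower()
    hidden_sys = "H" in e.attrs and "S" in e.attrs
    return in_system32 and hidden_sys and not e.company and bool(HEX_STEM.match(stem)) and e.size < 4096

def triage(log_text: str) -> List[str]:
    """Paths of all suspicious entries in an OTL log, in log order."""
    return [e.path for e in map(parse_otl_line, log_text.splitlines()) if e and is_suspicious(e)]

# Constructed sample: entries quoted in this thread plus a benign one for contrast.
SAMPLE_LOG = r"""
[2009/12/28 22:04:21 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\4311B1459F.sys
[2009/07/22 16:39:51 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\AD17282497.sys
[2010/01/10 08:50:00 | 000,000,456 | ---- | M] () -- C:\WINDOWS\Tasks\Driver Robot.job
[2009/06/25 18:33:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\TuneUp Software
"""

if __name__ == "__main__":
    for path in triage(SAMPLE_LOG):
        print("review:", path)
```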


#13 sherriec09

sherriec09
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:10:49 AM

Posted 04 April 2010 - 02:36 AM

I had to run it twice. No log popped up. You said to click yes on the reboot and I did, but it didn't reboot so I had to click on restart computer. You also didn't state whether to take out the boot disk before it rebooted or not, so I didn't take it out. No log, so I ran the Fix again. Now it is at Do you want to reboot and I need to know whether to take the cd out or not.

#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:49 AM

Posted 04 April 2010 - 02:41 AM

Please remove the CD and try to boot normally. If you can't still boot normally, boot again using OTLPE CD and find the log here: C:\_OTL\MovedFiles

~Semp



#15 sherriec09

sherriec09
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:10:49 AM

Posted 04 April 2010 - 03:16 AM

Comp froze and did not reboot. I had to manually reboot again. I rebooted without the cd:

Still cannot boot up normally. Same blue screen with different Technical information:

STOP: 0x0000007E (0xc0000005, 0xF74B67C0, 0xF78A2528, 0xF78A2224)

atapi.sys - Address F74B67C0 base at F74A0000, DateStamp 4802539d

I booted up again to see if I could find the log for you.

Here is the first log from running the fix:

========== OTL ==========
File C:\WINDOWS\System32\4311B1459F.sys not found.
File C:\WINDOWS\System32\AD17282497.sys not found.
File/Folder C:\WINDOWS\System32\drivers\*.tmp not found.
File/Folder C:\WINDOWS\*.tmp not found.
File/Folder C:\WINDOWS\System32\*.tmp not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Sherrie
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

Total Files Cleaned = 0.00 mb


OTLPE by OldTimer - Version 3.1.37.1 log created on 04042010_033325

Here is the 2nd log after I had to reboot and run it again:

========== OTL ==========
File C:\WINDOWS\System32\4311B1459F.sys not found.
File C:\WINDOWS\System32\AD17282497.sys not found.
File/Folder C:\WINDOWS\System32\drivers\*.tmp not found.
File/Folder C:\WINDOWS\*.tmp not found.
File/Folder C:\WINDOWS\System32\*.tmp not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Sherrie
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

Total Files Cleaned = 0.00 mb


OTLPE by OldTimer - Version 3.1.37.1 log created on 04042010_045608

I left the OTLPE screen up in case you wanted me to do something again.





