Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google searches re-directed


  • This topic is locked This topic is locked
16 replies to this topic

#1 technik

technik

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:53 PM

Posted 02 April 2010 - 05:35 PM

Hello,

When downloading what was thought to be a valid piece of software our PC became infected with what I believe is a rootkit. Comodo firewall warned of spoolsv being used by something (I think) which unfortunately my son allowed. Three files were downloaded and began attempting to access the internet, fortunately stopped by Comodo firewall. These processes were stopped and the files deleted:

D:\Alex$\Tmp\Lkg.exe
D:\Alex$\Tmp\Lkh.exe
C:\WINDOWS\Lcibia.exe

I also ran MBAM and Superantispyware which did not detect anything.

The symptoms are redirection of Google searches. I suspect a rootkit as we had a similar infection about 6 months ago. Thankfully you were able to help me then and thanks to additional precautions we remained clean until this unfortunate mistake - hopefully you can help again. Thanks in advance.

DDS log follows:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Alex at 22:08:40.90 on 02/04/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.768.260 [GMT 1:00]

FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\3Com_DMI\3CDMINIC.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alex\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [YVIBBBHA8C] d:\alex$\tmp\Lkh.exe
mRun: [TCASUTIEXE] TCAUDIAG.exe -off
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\CPF.exe" /background
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [PcSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: NameServer = 93.188.162.189,93.188.161.116
TCP: {3059E4BD-DC9D-4132-BE8E-EAC383FCA9F6} = 93.188.162.189,93.188.161.116
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alex\applic~1\mozilla\firefox\profiles\vu7z1ob1.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

============= SERVICES / DRIVERS ===============

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-6-23 58464]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 3ComDMIService;3Com DMI Agent;c:\windows\system32\3com_dmi\3CDMINIC.EXE [2006-4-23 114688]
R2 BCAITDI;3Com BCAITDI DMI TDI;c:\windows\system32\drivers\BCAITDI.SYS [2006-4-23 19470]
R2 CmdAgent;Comodo Application Agent;c:\program files\comodo\firewall\cmdagent.exe [2008-3-1 361040]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-6-23 102463]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2004-9-22 221191]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2004-9-22 28672]
R2 tcaicchg;tcaicchg;c:\windows\system32\TCAICCHG.SYS [2006-4-16 21233]
R2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\TCAITDI.SYS [2006-4-16 19534]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-6-23 108480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

=============== Created Last 30 ================

2010-03-18 17:27:42 0 d-----w- c:\windows\system32\NtmsData

==================== Find3M ====================

2010-03-29 23:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-02-12 10:03:03 293376 ------w- c:\windows\system32\browserchoice.exe
2003-07-17 11:26:58 448640 ----a-w- c:\windows\inf\EL2K_N64.sys
2003-07-17 11:22:10 147328 ----a-w- c:\windows\inf\EL2K_XP.sys
2003-06-03 16:47:54 147328 ----a-w- c:\windows\inf\EL2K_2K.sys

============= FINISH: 22:09:50.35 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:53 PM

Posted 06 April 2010 - 01:25 PM

Hello and and Welcome to Bleepingcomputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed, If you have since
resolved your issues I would appreciate if you would let me no so I can close this topic.


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %appdata%\*.exe
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    /md5start
    proquota.exe
    sfcfiles.dll
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    beep.sys
    iaStor.sys
    nvstor.sys
    atapi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    iastorv.sys
    /md5stop
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Thanks

unite.jpg


#3 technik

technik
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:53 PM

Posted 06 April 2010 - 02:55 PM

Hello Syler, thanks for your assistance. OTL reports follow:


OTL logfile created on: 06/04/2010 20:40:13 - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Alex\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

768.00 Mb Total Physical Memory | 302.00 Mb Available Physical Memory | 39.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 12.00 Gb Total Space | 1.43 Gb Free Space | 11.94% Space Free | Partition Type: NTFS
Drive D: | 4.00 Gb Total Space | 2.94 Gb Free Space | 73.62% Space Free | Partition Type: NTFS
Drive E: | 39.90 Gb Total Space | 7.20 Gb Free Space | 18.05% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: A2600PLUS
Current User Name: Alex
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/06 20:38:08 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Alex\Desktop\OTL.exe
PRC - [2008/03/01 14:13:23 | 001,115,728 | ---- | M] (COMODO) -- C:\Program Files\Comodo\Firewall\cpf.exe
PRC - [2008/03/01 14:13:23 | 000,361,040 | ---- | M] (COMODO) -- C:\Program Files\Comodo\Firewall\cmdagent.exe
PRC - [2007/06/13 11:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/23 11:23:14 | 001,032,640 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KHost.exe
PRC - [2007/04/23 11:22:14 | 003,068,352 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KService.exe
PRC - [2006/05/07 17:56:02 | 000,039,936 | ---- | M] (C-Dilla Ltd) -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE
PRC - [2004/09/22 20:00:00 | 000,221,191 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\VirusScan\Mcshield.exe
PRC - [2004/09/22 20:00:00 | 000,094,208 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\VirusScan\shstat.exe
PRC - [2004/09/22 20:00:00 | 000,028,672 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
PRC - [2004/08/06 03:50:00 | 000,237,623 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
PRC - [2004/08/06 03:50:00 | 000,139,320 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
PRC - [2004/08/06 03:50:00 | 000,102,463 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
PRC - [2003/10/07 09:48:56 | 000,147,514 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
PRC - [2003/05/05 08:57:30 | 000,143,360 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
PRC - [2003/03/04 08:38:04 | 000,114,688 | ---- | M] (3Com Corporation) -- C:\WINDOWS\system32\3com_dmi\3CDMINIC.EXE
PRC - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2010/04/06 20:38:08 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Alex\Desktop\OTL.exe
MOD - [2006/08/25 16:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (gupdate) Google Update Service (gupdate)
SRV - [2008/03/01 14:13:23 | 000,361,040 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\Comodo\Firewall\cmdagent.exe -- (CmdAgent)
SRV - [2007/04/23 11:22:14 | 003,068,352 | ---- | M] (Kontiki Inc.) [Auto | Running] -- C:\Program Files\Kontiki\KService.exe -- (KService)
SRV - [2006/11/06 15:21:10 | 000,210,432 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2006/05/07 17:56:02 | 000,039,936 | ---- | M] (C-Dilla Ltd) [Auto | Running] -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE -- (C-DillaCdaC11BA)
SRV - [2004/09/22 20:00:00 | 000,221,191 | ---- | M] (Network Associates, Inc.) [Auto | Running] -- C:\Program Files\Network Associates\VirusScan\Mcshield.exe -- (McShield)
SRV - [2004/09/22 20:00:00 | 000,028,672 | ---- | M] (Network Associates, Inc.) [Auto | Running] -- C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe -- (McTaskManager)
SRV - [2004/08/06 03:50:00 | 000,102,463 | ---- | M] (Network Associates, Inc.) [Auto | Running] -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2003/03/04 08:38:04 | 000,114,688 | ---- | M] (3Com Corporation) [Auto | Running] -- C:\WINDOWS\system32\3com_dmi\3CDMINIC.EXE -- (3ComDMIService)
SRV - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2009/10/12 22:24:56 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/10/12 22:24:54 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/10/12 22:24:52 | 000,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2008/03/01 14:13:24 | 000,075,520 | ---- | M] (Comodo Research Lab., Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cmdmon.sys -- (CmdMon)
DRV - [2008/03/01 14:13:24 | 000,051,328 | ---- | M] (COMODO) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\inspect.sys -- (Inspect)
DRV - [2007/02/22 11:15:56 | 000,137,216 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcd.sys -- (nmwcd)
DRV - [2007/02/22 11:15:14 | 000,012,288 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdcm.sys -- (nmwcdcm)
DRV - [2007/02/22 11:15:14 | 000,012,288 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdcj.sys -- (nmwcdcj)
DRV - [2007/02/22 11:15:14 | 000,008,320 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdc.sys -- (nmwcdc)
DRV - [2005/11/03 15:40:07 | 000,063,488 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfvfs02.sys -- (sfvfs02) StarForce Protection VFS Driver (version 2.x)
DRV - [2005/08/10 13:44:04 | 000,050,688 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2005/08/02 16:35:00 | 003,198,560 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/05/16 14:20:39 | 000,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
DRV - [2005/01/14 20:00:00 | 000,108,480 | ---- | M] (Network Associates, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\naiavf5x.sys -- (NaiAvFilter1)
DRV - [2005/01/14 20:00:00 | 000,058,464 | ---- | M] (Network Associates, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mvstdi5x.sys -- (NaiAvTdi1)
DRV - [2005/01/14 20:00:00 | 000,008,320 | ---- | M] (Network Associates, Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\EntDrv51.sys -- (EntDrv51)
DRV - [2004/12/03 11:20:41 | 000,020,544 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfsync02.sys -- (sfsync02) StarForce Protection Synchronization Driver (version 2.x)
DRV - [2004/08/09 12:33:26 | 000,114,016 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\prohlp02.sys -- (prohlp02)
DRV - [2004/08/09 12:29:28 | 000,053,920 | ---- | M] (Protection Technology) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\prodrv06.sys -- (prodrv06)
DRV - [2004/08/04 00:08:22 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2004/07/19 15:49:54 | 000,007,040 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\prosync1.sys -- (prosync1)
DRV - [2003/12/01 16:20:52 | 000,004,832 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfhlp01.sys -- (sfhlp01)
DRV - [2003/07/17 12:22:10 | 000,147,328 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EL2K_XP.sys -- (EL2000)
DRV - [2003/07/02 05:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2002/03/14 11:05:50 | 000,019,470 | ---- | M] (3Com Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\BCAITDI.SYS -- (BCAITDI)
DRV - [2001/10/18 13:00:00 | 000,006,144 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaidexp.sys -- (ViaIde)
DRV - [2001/09/04 13:22:52 | 000,019,534 | ---- | M] (3Com Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\TCAITDI.SYS -- (TCAITDI)
DRV - [2000/06/06 20:08:04 | 000,021,233 | ---- | M] (3Com Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\TCAICCHG.SYS -- (tcaicchg)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1004336348-308236825-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-1004336348-308236825-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google.co.uk"
FF - prefs.js..browser.startup.homepage: "www.google.co.uk"

FF - HKLM\software\mozilla\Mozilla Firefox 1.5\Extensions\\Components: C:\Program Files\Mozilla Firefox\Components [2006/06/23 15:11:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 1.5\Extensions\\Plugins: C:\Program Files\Mozilla Firefox\Plugins [2010/04/05 15:59:33 | 000,000,000 | ---D | M]

[2009/11/13 21:42:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\vu7z1ob1.default\extensions
[2009/09/07 10:32:46 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\vu7z1ob1.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/09 13:12:09 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2006/06/23 15:11:43 | 000,060,526 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2006/06/23 15:11:44 | 000,049,256 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2006/06/23 15:11:43 | 000,166,000 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll
[2008/12/13 15:46:33 | 003,695,008 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll
[2006/06/23 15:11:52 | 000,000,395 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.png
[2006/06/23 15:11:52 | 000,000,766 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.src
[2006/06/23 15:11:52 | 000,001,150 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.png
[2006/06/23 15:11:52 | 000,000,539 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.src
[2006/06/23 15:11:52 | 000,000,356 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.png
[2006/06/23 15:11:52 | 000,001,007 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.src
[2006/06/23 15:11:52 | 000,000,235 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\dictionary-en-GB.png
[2006/06/23 15:11:52 | 000,000,770 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\dictionary-en-GB.src
[2006/06/23 15:11:52 | 000,000,198 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.png
[2006/06/23 15:11:52 | 000,001,046 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.src
[2006/06/23 15:11:52 | 000,000,684 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google-en-GB.png
[2006/06/23 15:11:52 | 000,000,838 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google-en-GB.src
[2006/06/23 15:11:52 | 000,000,088 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.gif
[2006/06/23 15:11:52 | 000,001,203 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.src

O1 HOSTS File: ([2010/03/12 20:10:30 | 000,000,141 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKLM..\Run: [COMODO Firewall Pro] C:\Program Files\Comodo\Firewall\CPF.exe (COMODO)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe (Network Associates, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [Network Associates Error Reporting Service] C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe (Network Associates, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe (Nokia)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE (Network Associates, Inc.)
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [TCASUTIEXE] C:\WINDOWS\System32\TCAUDIAG.EXE (3Com Corporation)
O4 - HKU\.DEFAULT..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe (Time Information Services Ltd.)
O4 - HKU\S-1-5-18..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe (Time Information Services Ltd.)
O4 - HKU\S-1-5-21-1004336348-308236825-725345543-1004..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1004336348-308236825-725345543-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1004336348-308236825-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1004336348-308236825-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1004336348-308236825-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\Alex\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Alex\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/04/22 17:39:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2006/04/22 17:38:44 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/04/06 20:37:51 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Alex\Desktop\OTL.exe
[2010/04/02 19:15:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Alex\Application Data\WinRAR
[2010/03/18 18:27:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2009/10/24 00:02:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp
[2009/07/22 15:58:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/07/22 15:39:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/01/13 19:49:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/12/30 17:24:49 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2006/04/22 17:43:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2006/04/22 17:39:17 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/06 20:38:08 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Alex\Desktop\OTL.exe
[2010/04/06 17:16:30 | 000,029,204 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/04/06 17:14:10 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/06 17:14:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/06 09:47:22 | 009,961,472 | ---- | M] () -- C:\Documents and Settings\Alex\ntuser.dat
[2010/04/06 09:47:22 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Alex\ntuser.ini
[2010/04/05 15:33:51 | 000,000,624 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/05 15:33:51 | 000,000,281 | -HS- | M] () -- C:\boot.ini
[2010/04/05 15:33:51 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/04 16:40:52 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/04/04 14:39:24 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/02 22:08:07 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Alex\Desktop\dds.scr
[2010/04/02 20:51:06 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Alex\Desktop\gmer.zip
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/28 16:19:10 | 000,512,960 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/28 16:19:10 | 000,435,568 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/28 16:19:10 | 000,068,272 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/12 20:10:30 | 000,000,141 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/03/12 20:10:25 | 000,000,141 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100312-191030.backup
[2010/03/12 20:00:23 | 000,000,141 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100312-191025.backup
[2010/03/12 19:47:47 | 000,346,444 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100312-190023.backup
[2010/03/12 19:45:37 | 000,000,027 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100312-184747.backup
[2010/03/12 19:38:36 | 000,000,027 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100312-184537.backup
[2010/03/12 19:32:10 | 000,000,027 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100312-183836.backup
[2010/03/11 13:38:54 | 001,168,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[2010/03/11 13:38:54 | 000,832,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2010/03/11 13:38:54 | 000,233,472 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\webcheck.dll
[2010/03/11 13:38:53 | 003,599,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2010/03/11 13:38:53 | 000,671,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mstime.dll
[2010/03/11 13:38:53 | 000,671,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstime.dll
[2010/03/11 13:38:53 | 000,477,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtmled.dll
[2010/03/11 13:38:53 | 000,459,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
[2010/03/11 13:38:53 | 000,459,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2010/03/11 13:38:53 | 000,193,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msrating.dll
[2010/03/11 13:38:53 | 000,193,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msrating.dll
[2010/03/11 13:38:53 | 000,105,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\url.dll
[2010/03/11 13:38:53 | 000,105,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\url.dll
[2010/03/11 13:38:53 | 000,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\occache.dll
[2010/03/11 13:38:53 | 000,052,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
[2010/03/11 13:38:53 | 000,052,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2010/03/11 13:38:53 | 000,044,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\pngfilt.dll
[2010/03/11 13:38:53 | 000,044,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pngfilt.dll
[2010/03/11 13:38:52 | 006,067,200 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2010/03/11 13:38:52 | 001,830,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetcpl.cpl
[2010/03/11 13:38:52 | 001,830,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcpl.cpl
[2010/03/11 13:38:52 | 000,268,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2010/03/11 13:38:52 | 000,192,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iepeers.dll
[2010/03/11 13:38:52 | 000,192,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iepeers.dll
[2010/03/11 13:38:52 | 000,078,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieencode.dll
[2010/03/11 13:38:52 | 000,078,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieencode.dll
[2010/03/11 13:38:52 | 000,044,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iernonce.dll
[2010/03/11 13:38:52 | 000,044,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iernonce.dll
[2010/03/11 13:38:52 | 000,027,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\jsproxy.dll
[2010/03/11 13:38:52 | 000,027,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsproxy.dll
[2010/03/11 13:38:51 | 000,385,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iedkcs32.dll
[2010/03/11 13:38:51 | 000,385,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedkcs32.dll
[2010/03/11 13:38:51 | 000,380,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieapfltr.dll
[2010/03/11 13:38:51 | 000,380,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieapfltr.dll
[2010/03/11 13:38:51 | 000,347,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dxtmsft.dll
[2010/03/11 13:38:51 | 000,347,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dxtmsft.dll
[2010/03/11 13:38:51 | 000,230,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieaksie.dll
[2010/03/11 13:38:51 | 000,230,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieaksie.dll
[2010/03/11 13:38:51 | 000,214,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dxtrans.dll
[2010/03/11 13:38:51 | 000,214,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dxtrans.dll
[2010/03/11 13:38:51 | 000,153,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieakeng.dll
[2010/03/11 13:38:51 | 000,153,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieakeng.dll
[2010/03/11 13:38:51 | 000,133,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\extmgr.dll
[2010/03/11 13:38:51 | 000,124,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advpack.dll
[2010/03/11 13:38:51 | 000,063,488 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icardie.dll
[2010/03/11 13:38:51 | 000,017,408 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\corpol.dll
[2010/03/11 13:38:51 | 000,017,408 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\corpol.dll
[2010/03/10 14:18:46 | 000,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\html.iec
[2010/03/10 14:18:21 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieudinit.exe
[2010/03/10 14:18:21 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieudinit.exe
[2010/03/10 14:18:20 | 000,070,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ie4uinit.exe
[2010/03/10 14:18:20 | 000,070,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ie4uinit.exe
[2010/03/10 10:35:50 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/02 22:07:51 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Alex\Desktop\dds.scr
[2010/04/02 20:51:05 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Alex\Desktop\gmer.zip
[2010/01/04 23:31:54 | 000,000,440 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2009/11/26 19:15:11 | 009,961,472 | ---- | C] () -- C:\Documents and Settings\Alex\ntuser.dat
[2008/02/28 16:16:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CrosswordAddict.ini
[2008/02/28 16:03:45 | 000,000,036 | ---- | C] () -- C:\WINDOWS\Tiny_Run.ini
[2007/08/02 15:05:12 | 000,001,356 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/05/09 09:44:56 | 000,137,728 | ---- | C] () -- C:\Documents and Settings\Alex\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/02/20 14:28:13 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\ntuser.dat
[2007/02/20 14:28:13 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\ntuser.dat.LOG
[2006/07/24 20:19:37 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/07/24 20:19:36 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/07/24 20:19:35 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/07/24 20:19:32 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/07/24 20:19:32 | 000,540,672 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/07/24 20:19:32 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/06/01 23:10:25 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2006/06/01 23:06:32 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2006/05/01 15:08:12 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/04/30 17:00:01 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/04/30 17:00:01 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/04/30 17:00:01 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/04/30 17:00:01 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/04/30 17:00:01 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/04/30 17:00:01 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/04/30 16:59:27 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\cddvdint.dll
[2006/04/30 12:44:27 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/04/23 09:59:57 | 000,025,853 | R--- | C] () -- C:\WINDOWS\System32\sk98nt4.ini
[2006/04/23 09:59:57 | 000,025,853 | R--- | C] () -- C:\WINDOWS\System32\InstInfo.ini
[2006/04/22 18:43:26 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2006/04/22 18:03:00 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Alex\ntuser.dat.LOG
[2006/04/22 18:03:00 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Alex\ntuser.ini
[2006/04/16 19:26:50 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/12/07 12:31:00 | 000,202,752 | R--- | C] () -- C:\WINDOWS\System32\CddbCdda.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1997/06/14 01:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll

========== Custom Scans ==========


< %appdata%\*.exe >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: [2004/08/04 13:00:00 | 000,095,360 | ---- | M] (MICROSOFT CORPORATION) >
[2004/08/04 13:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2004/08/04 13:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2004/08/04 13:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/04 13:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys

< MD5 for: BEEP.SYS >
[2004/08/04 13:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\ERDNT\cache\beep.sys
[2004/08/04 13:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\dllcache\beep.sys
[2004/08/04 13:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\drivers\beep.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 01:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[2004/08/04 13:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004/08/04 13:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/04 13:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 01:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[2009/02/06 19:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 19:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2004/08/04 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004/08/04 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: PROQUOTA.EXE >
[2004/08/04 13:00:00 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=4D9D45A4370E0C2AD00C362B7118E2A4 -- C:\WINDOWS\system32\dllcache\proquota.exe
[2004/08/04 13:00:00 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=4D9D45A4370E0C2AD00C362B7118E2A4 -- C:\WINDOWS\system32\proquota.exe
[2008/04/14 01:12:32 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe

< MD5 for: SCECLI.DLL >
[2004/08/04 13:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2004/08/04 13:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004/08/04 13:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2008/04/14 01:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll

< MD5 for: SFCFILES.DLL >
[2004/08/04 13:00:00 | 001,580,544 | ---- | M] (Microsoft Corporation) MD5=30A609E00BD1D4FFC49D6B5A432BE7F2 -- C:\WINDOWS\ERDNT\cache\sfcfiles.dll
[2004/08/04 13:00:00 | 001,580,544 | ---- | M] (Microsoft Corporation) MD5=30A609E00BD1D4FFC49D6B5A432BE7F2 -- C:\WINDOWS\system32\dllcache\sfcfiles.dll
[2004/08/04 13:00:00 | 001,580,544 | ---- | M] (Microsoft Corporation) MD5=30A609E00BD1D4FFC49D6B5A432BE7F2 -- C:\WINDOWS\system32\sfcfiles.dll
[2008/04/14 01:12:05 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=9DD07AF82244867CA36681EA2D29CE79 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sfcfiles.dll

< MD5 for: VIAMRAID.SYS >
[2004/07/06 23:45:42 | 000,060,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=44056E9FEE477F512EE58BCFEE949621 -- C:\WINDOWS\system32\drivers\viamraid.sys

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >


OTL Extras logfile created on: 06/04/2010 20:40:13 - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Alex\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

768.00 Mb Total Physical Memory | 302.00 Mb Available Physical Memory | 39.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 12.00 Gb Total Space | 1.43 Gb Free Space | 11.94% Space Free | Partition Type: NTFS
Drive D: | 4.00 Gb Total Space | 2.94 Gb Free Space | 73.62% Space Free | Partition Type: NTFS
Drive E: | 39.90 Gb Total Space | 7.20 Gb Free Space | 18.05% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: A2600PLUS
Current User Name: Alex
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Kontiki\KService.exe" = C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service -- (Kontiki Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{026FE81A-DF00-40B0-B325-7F9C6921ED02}" = World Racing 2 Demo
"{06F80017-8F98-4C94-B868-52358569FC32}" = Command & Conquer Generals
"{0A3D3C54-2EC0-4D67-B265-FF17926E6D67}" = Nokia Connectivity Cable Driver
"{0E7149AE-C198-4696-B5A0-D2C5C8758CB4}" = World Racing 2
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3741689E-584D-40C9-B011-373A0371846D}" = Nokia Software Updater
"{3D374523-CFDE-461A-827E-2A102E2AB365}" = Star Wars Battlefront II
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{5DF3D1BB-894E-4DCD-8275-159AC9829B43}" = McAfee VirusScan Enterprise
"{6ACA2FD2-4C4A-42F3-AFB5-7B433BBDF6DB}" = InterVideo WinDVD 6
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7845EB52-DF1E-4B5E-AB48-3012C0EF8D16}" = VCT
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{819A6E18-2533-4434-AB91-E5D95F3549A2}" = WR2 Demo ATS
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90170409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office FrontPage 2003
"{903B0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Project Professional 2003
"{90510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003
"{9074AFC0-CFDA-11DE-B484-005056806466}" = Google Earth
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9720C029-0C2C-4D1E-9DE0-E89971C4C8C7}" = Silent Hunter III
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AB2347E4-153B-4194-AA3B-97C0A662B369}" = PC Connectivity Solution
"{AC76BA86-7AD7-1033-7B44-A70700000002}" = Adobe Reader 7.0.8
"{B476C1F8-104B-498F-82AC-70E1E0A8166A}" = WR2 Demo Skoda
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}" = QuickTime
"{C79CB9C7-10A4-4814-8402-F574672C2192}" = Star Wars Battlefront
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE7CB214-DB11-4B5D-A6AF-3B4ED47C68B7}" = Microsoft Game Studios Common Redistributables Pack 1
"{D89AC4DF-7A00-4D0B-BA99-D582C7974A09}" = Nokia PC Suite
"{DFAE9340-E8BB-4433-9A08-C8334DAFE1B9}" = Star Wars Republic Commando
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F3E9C243-122E-4D6B-ACC1-E1FEC02F6CA1}" = Command and ConquerTM Generals Zero Hour
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"0852D05415AB9A4F1EF451E342267F76C776ED2F" = Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)
"3ComDMI" = 3Com DMI Agent
"3ComNicUnInstall" = 3Com NIC Diagnostics
"4CFD94C379217A02D5EA067615FF789CD731BCDB" = Windows Driver Package - Nokia (WUDFRd) WPD (11/03/2006 6.82.26.2)
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Age of Empires 2.0" = Microsoft Age of Empires II
"Age of Empires II: The Conquerors Expansion 1.0" = Microsoft Age of Empires II: The Conquerors Expansion
"Age of Mythology 1.0" = Age of Mythology
"Age of Mythology Expansion Pack 1.0" = Age of Mythology - The Titans Expansion
"Comanche 4" = Comanche 4
"COMODO Firewall Pro" = COMODO Firewall Pro
"CTDVDAudio Plugin" = Creative DVD Audio Plugin for Audigy Series
"ESET Online Scanner" = ESET Online Scanner v3
"Freelancer 1.0" = Freelancer
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{026FE81A-DF00-40B0-B325-7F9C6921ED02}" = World Racing 2 Demo
"InstallShield_{06F80017-8F98-4C94-B868-52358569FC32}" = Command & Conquer Generals
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"InstallShield_{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III
"InstallShield_{819A6E18-2533-4434-AB91-E5D95F3549A2}" = WR2 Demo ATS
"InstallShield_{9720C029-0C2C-4D1E-9DE0-E89971C4C8C7}" = Silent Hunter III
"InstallShield_{B476C1F8-104B-498F-82AC-70E1E0A8166A}" = WR2 Demo Skoda
"InstallShield_{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}" = QuickTime
"InstallShield_{F3E9C243-122E-4D6B-ACC1-E1FEC02F6CA1}" = Command and ConquerTM Generals Zero Hour
"InterActual Player" = InterActual Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Midtown Madness 1.0" = Microsoft Midtown Madness
"Mozilla Firefox (1.5)" = Mozilla Firefox (1.5)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"Nero BurnRights!UninstallKey" = Nero BurnRights
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"RealPlayer 6.0" = RealPlayer
"RiseOfNations 1.0" = Microsoft Rise Of Nations
"RiseofNationsExpansion 1.0" = Rise of Nations Thrones and Patriots
"Tachyon" = Tachyon
"TmNations_is1" = TrackMania Nations ESWC 0.1.7.5
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01005" = Microsoft User-Mode Driver Framework Feature Pack 1.5
"Yahoo! Messenger" = Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 20/01/2010 20:45:57 | Computer Name = A2600PLUS | Source = McLogEvent | ID = 5051
Description = A thread in process C:\Program Files\Network Associates\VirusScan\Mcshield.exe
took longer than 90000 ms to complete a request. The process will be terminated.
Thread
id : 720 (0x2d0) Thread address : 0x120F8C13 Thread message : Build Aug 20 2004
04:46:11 / 5400.1158 Object being scanned = \Device\HarddiskVolume1\Documents and
Settings\Alex\Local Settings\Application Data\Google\Google Earth\client\googleearth.exe

by SUPERAntiSpywar 27001(328)(0) 10010(328)(8192) 24000(328)(11) 10006(328)(0)
27000(328)(26) 27001(328)(0) 10010(328)(1) 24000(328)(16)

Error - 20/01/2010 20:51:26 | Computer Name = A2600PLUS | Source = McLogEvent | ID = 1008
Description = The McShield service terminated unexpectedly. Please review event 5019
or 5051 for details. The McShield service will be restarted in 5 seconds;

Error - 26/01/2010 09:09:12 | Computer Name = A2600PLUS | Source = McLogEvent | ID = 5051
Description = A thread in process C:\Program Files\Network Associates\VirusScan\Mcshield.exe
took longer than 90000 ms to complete a request. The process will be terminated.
Thread
id : 1692 (0x69c) Thread address : 0x120F8C13 Thread message : Build Aug 20 2004
04:46:11 / 5400.1158 Object being scanned = \Device\HarddiskVolume1\Documents and
Settings\Alex\Local Settings\Application Data\Google\Google Earth\client\googleearth.exe

by SUPERAntiSpywar 27001(360)(0) 10010(360)(8192) 24000(360)(11) 10006(360)(0)
27000(360)(26) 27001(360)(0) 10010(360)(1) 24000(360)(16)

Error - 26/01/2010 09:14:41 | Computer Name = A2600PLUS | Source = McLogEvent | ID = 1008
Description = The McShield service terminated unexpectedly. Please review event 5019
or 5051 for details. The McShield service will be restarted in 5 seconds;

Error - 03/02/2010 08:58:51 | Computer Name = A2600PLUS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 03/02/2010 08:58:51 | Computer Name = A2600PLUS | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/3921C115C15D0ECA5CCB5BC4F07D21D8050B566A.crt>
with error: The server name or address could not be resolved

Error - 03/02/2010 08:58:51 | Computer Name = A2600PLUS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 08/02/2010 05:56:31 | Computer Name = A2600PLUS | Source = McLogEvent | ID = 5051
Description = A thread in process C:\Program Files\Network Associates\VirusScan\Mcshield.exe
took longer than 90000 ms to complete a request. The process will be terminated.
Thread
id : 460 (0x1cc) Thread address : 0x120F855A Thread message : Build Aug 20 2004
04:46:11 / 5400.1158 Object being scanned = \Device\HarddiskVolume1\Documents and
Settings\Alex\Local Settings\Application Data\Google\Google Earth\client\googleearth.exe

by shcfg32.exe 27001(313)(0) 10010(313)(8192) 24000(313)(11) 10006(313)(0) 27000(313)(26)

27001(313)(0) 10010(313)(1) 24000(313)(16)

Error - 08/02/2010 05:58:12 | Computer Name = A2600PLUS | Source = McLogEvent | ID = 1008
Description = The McShield service terminated unexpectedly. Please review event 5019
or 5051 for details. The McShield service will be restarted in 5 seconds;

Error - 08/02/2010 17:40:26 | Computer Name = A2600PLUS | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16981, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 29/03/2010 09:54:48 | Computer Name = A2600PLUS | Source = Service Control Manager | ID = 7034
Description = The Network Associates McShield service terminated unexpectedly.
It has done this 1 time(s).

Error - 01/04/2010 05:22:44 | Computer Name = A2600PLUS | Source = Service Control Manager | ID = 7034
Description = The Network Associates McShield service terminated unexpectedly.
It has done this 1 time(s).

Error - 01/04/2010 05:36:54 | Computer Name = A2600PLUS | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the NVSvc service.

Error - 01/04/2010 12:39:23 | Computer Name = A2600PLUS | Source = Service Control Manager | ID = 7034
Description = The Network Associates McShield service terminated unexpectedly.
It has done this 1 time(s).

Error - 02/04/2010 14:55:21 | Computer Name = A2600PLUS | Source = Service Control Manager | ID = 7034
Description = The Network Associates McShield service terminated unexpectedly.
It has done this 1 time(s).

Error - 02/04/2010 15:13:34 | Computer Name = A2600PLUS | Source = Service Control Manager | ID = 7034
Description = The Network Associates McShield service terminated unexpectedly.
It has done this 2 time(s).

Error - 03/04/2010 07:51:42 | Computer Name = A2600PLUS | Source = Service Control Manager | ID = 7034
Description = The Network Associates McShield service terminated unexpectedly.
It has done this 3 time(s).

Error - 03/04/2010 07:55:17 | Computer Name = A2600PLUS | Source = Service Control Manager | ID = 7034
Description = The Network Associates McShield service terminated unexpectedly.
It has done this 4 time(s).

Error - 05/04/2010 06:04:29 | Computer Name = A2600PLUS | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 05/04/2010 09:27:29 | Computer Name = A2600PLUS | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
uagp35


< End of report >



#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:53 PM

Posted 06 April 2010 - 03:23 PM

Hi technik,

  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c C:\WINDOWS\system32\dllcache\atapi.sys c:\atapi.sys
  • The command prompt should pop up and say 1 file(s) copied, if it doesn't please let me know before continuing.



Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :OTL
    SRV - File not found [Disabled | Stopped] -- -- (gupdate) Google Update Service (gupdate)
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "AntiVirusOverride"=dword:00000000
    :files
    C:\WINDOWS\system32\drivers\atapi.sys | C:\atapi.sys /replace
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it in your reply.

Thanks

unite.jpg


#5 technik

technik
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:53 PM

Posted 06 April 2010 - 04:17 PM

Okay, ran OTL Run Fix with the following log:

All processes killed
========== OTL ==========
Error: No service named gupdate) Google Update Service (gupdate was found to stop!
Service\Driver key gupdate) Google Update Service (gupdate not found.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\"AntiVirusOverride"|dword:00000000 /E : value set successfully!
========== FILES ==========
File C:\atapi.sys not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Alex
->Temp folder emptied: 0 bytes
->FireFox cache emptied: 6652309 bytes
->Flash cache emptied: 117128 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes

User: local-admin
->Temp folder emptied: 0 bytes
->FireFox cache emptied: 727998 bytes

User: LocalService
->Temp folder emptied: 66016 bytes

User: NetworkService
->Temp folder emptied: 0 bytes

User: Sysmgr
->Temp folder emptied: 0 bytes
->FireFox cache emptied: 727998 bytes
->Flash cache emptied: 405 bytes

User: TEMP
->Temp folder emptied: 0 bytes
->Flash cache emptied: 348 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 52154368 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes
RecycleBin emptied: 8027327 bytes

Total Files Cleaned = 67.00 mb


[EMPTYFLASH]

User: Alex
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: local-admin

User: LocalService

User: NetworkService

User: Sysmgr
->Flash cache emptied: 0 bytes

User: TEMP
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.1.0 log created on 04062010_220258

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\WFV19.tmp not found!

Registry entries deleted on Reboot...


#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:53 PM

Posted 07 April 2010 - 09:16 AM

Well that didn't go rite, the file obvious did not copy correctly in the first part, partly my error, please do these
steps again and if the file doesn't get copied then let me know before you run OTL.
  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /k copy C:\WINDOWS\system32\dllcache\atapi.sys c:\atapi.sys
  • The command prompt should pop up and say 1 file(s) copied, if it doesn't please let me know before continuing.
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :files
    C:\WINDOWS\system32\drivers\atapi.sys | C:\atapi.sys /replace
    :Commands
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it in your reply.
Thanks

Edited by syler, 07 April 2010 - 09:16 AM.

unite.jpg


#7 technik

technik
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:53 PM

Posted 07 April 2010 - 11:18 AM

Right, this time the command prompt window popped up and stayed open - last night it opened only for a moment, so perhaps that was my fault. I entered the short code and ran OTL again (Run Fix) which completed its scan very quickly and then rebooted. On restarting OTL asked to run again and provided this report (which I'm guessing is not what you wanted to see...?) :

========== FILES ==========
Unable to replace file: C:\WINDOWS\system32\drivers\atapi.sys with C:\atapi.sys without a reboot.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.1.0 log created on 04072010_170629

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Edited by technik, 07 April 2010 - 11:31 AM.


#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:53 PM

Posted 07 April 2010 - 12:40 PM

The command prompt not staying open was my fault I didn't give you the rite code. Your rite the OTL log did not
show what I wanted to see, but it's no problem we will take it out another way : )

  • Go to Kaspersky and Download TDSSKiller.zip.
  • Extract the contents of TDSSKiller.zip to your Desktop.
  • Double click on TDSSKiller.exe to run it.
  • If it finds something and asks you what to do, follow the instructions to type in "delete".
  • When done, a log file should be created on your C: drive called TDSSKiller.txt(with time+date appended) please post this log in your next reply.

unite.jpg


#9 technik

technik
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:53 PM

Posted 07 April 2010 - 12:54 PM

I think that one found it:

18:45:08:078 4008 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
18:45:08:078 4008 ================================================================================
18:45:08:078 4008 SystemInfo:

18:45:08:078 4008 OS Version: 5.1.2600 ServicePack: 2.0
18:45:08:078 4008 Product type: Workstation
18:45:08:093 4008 ComputerName: A2600PLUS
18:45:08:093 4008 UserName: Alex
18:45:08:093 4008 Windows directory: C:\WINDOWS
18:45:08:093 4008 Processor architecture: Intel x86
18:45:08:093 4008 Number of processors: 1
18:45:08:093 4008 Page size: 0x1000
18:45:08:093 4008 Boot type: Normal boot
18:45:08:093 4008 ================================================================================
18:45:08:093 4008 UnloadDriverW: NtUnloadDriver error 2
18:45:08:093 4008 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
18:45:08:359 4008 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
18:45:08:359 4008 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:45:08:359 4008 wfopen_ex: Trying to KLMD file open
18:45:08:359 4008 wfopen_ex: File opened ok (Flags 2)
18:45:08:359 4008 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
18:45:08:359 4008 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:45:08:359 4008 wfopen_ex: Trying to KLMD file open
18:45:08:359 4008 wfopen_ex: File opened ok (Flags 2)
18:45:08:359 4008 Initialize success
18:45:08:359 4008
18:45:08:375 4008 Scanning Services ...
18:45:08:906 4008 Raw services enum returned 332 services
18:45:08:921 4008
18:45:08:921 4008 Scanning Kernel memory ...
18:45:08:921 4008 Devices to scan: 4
18:45:08:921 4008
18:45:08:921 4008 Driver Name: Disk
18:45:08:921 4008 IRP_MJ_CREATE : F7584C30
18:45:08:921 4008 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
18:45:08:921 4008 IRP_MJ_CLOSE : F7584C30
18:45:08:921 4008 IRP_MJ_READ : F757ED9B
18:45:08:921 4008 IRP_MJ_WRITE : F757ED9B
18:45:08:921 4008 IRP_MJ_QUERY_INFORMATION : 804FB8EE
18:45:08:921 4008 IRP_MJ_SET_INFORMATION : 804FB8EE
18:45:08:921 4008 IRP_MJ_QUERY_EA : 804FB8EE
18:45:08:921 4008 IRP_MJ_SET_EA : 804FB8EE
18:45:08:921 4008 IRP_MJ_FLUSH_BUFFERS : F757F366
18:45:08:921 4008 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FB8EE
18:45:08:921 4008 IRP_MJ_SET_VOLUME_INFORMATION : 804FB8EE
18:45:08:921 4008 IRP_MJ_DIRECTORY_CONTROL : 804FB8EE
18:45:08:921 4008 IRP_MJ_FILE_SYSTEM_CONTROL : 804FB8EE
18:45:08:921 4008 IRP_MJ_DEVICE_CONTROL : F757F44D
18:45:08:921 4008 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7582FC3
18:45:08:921 4008 IRP_MJ_SHUTDOWN : F757F366
18:45:08:921 4008 IRP_MJ_LOCK_CONTROL : 804FB8EE
18:45:08:921 4008 IRP_MJ_CLEANUP : 804FB8EE
18:45:08:921 4008 IRP_MJ_CREATE_MAILSLOT : 804FB8EE
18:45:08:921 4008 IRP_MJ_QUERY_SECURITY : 804FB8EE
18:45:08:921 4008 IRP_MJ_SET_SECURITY : 804FB8EE
18:45:08:921 4008 IRP_MJ_POWER : F7580EF3
18:45:08:921 4008 IRP_MJ_SYSTEM_CONTROL : F7585A24
18:45:08:921 4008 IRP_MJ_DEVICE_CHANGE : 804FB8EE
18:45:08:921 4008 IRP_MJ_QUERY_QUOTA : 804FB8EE
18:45:08:921 4008 IRP_MJ_SET_QUOTA : 804FB8EE
18:45:08:937 4008 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
18:45:08:937 4008
18:45:08:937 4008 Driver Name: Disk
18:45:08:937 4008 IRP_MJ_CREATE : F7584C30
18:45:08:937 4008 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
18:45:08:937 4008 IRP_MJ_CLOSE : F7584C30
18:45:08:937 4008 IRP_MJ_READ : F757ED9B
18:45:08:937 4008 IRP_MJ_WRITE : F757ED9B
18:45:08:937 4008 IRP_MJ_QUERY_INFORMATION : 804FB8EE
18:45:08:937 4008 IRP_MJ_SET_INFORMATION : 804FB8EE
18:45:08:937 4008 IRP_MJ_QUERY_EA : 804FB8EE
18:45:08:937 4008 IRP_MJ_SET_EA : 804FB8EE
18:45:08:937 4008 IRP_MJ_FLUSH_BUFFERS : F757F366
18:45:08:937 4008 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FB8EE
18:45:08:937 4008 IRP_MJ_SET_VOLUME_INFORMATION : 804FB8EE
18:45:08:937 4008 IRP_MJ_DIRECTORY_CONTROL : 804FB8EE
18:45:08:937 4008 IRP_MJ_FILE_SYSTEM_CONTROL : 804FB8EE
18:45:08:937 4008 IRP_MJ_DEVICE_CONTROL : F757F44D
18:45:08:937 4008 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7582FC3
18:45:08:937 4008 IRP_MJ_SHUTDOWN : F757F366
18:45:08:937 4008 IRP_MJ_LOCK_CONTROL : 804FB8EE
18:45:08:937 4008 IRP_MJ_CLEANUP : 804FB8EE
18:45:08:937 4008 IRP_MJ_CREATE_MAILSLOT : 804FB8EE
18:45:08:937 4008 IRP_MJ_QUERY_SECURITY : 804FB8EE
18:45:08:937 4008 IRP_MJ_SET_SECURITY : 804FB8EE
18:45:08:937 4008 IRP_MJ_POWER : F7580EF3
18:45:08:937 4008 IRP_MJ_SYSTEM_CONTROL : F7585A24
18:45:08:937 4008 IRP_MJ_DEVICE_CHANGE : 804FB8EE
18:45:08:937 4008 IRP_MJ_QUERY_QUOTA : 804FB8EE
18:45:08:937 4008 IRP_MJ_SET_QUOTA : 804FB8EE
18:45:08:937 4008 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
18:45:08:937 4008
18:45:08:937 4008 Driver Name: Disk
18:45:08:937 4008 IRP_MJ_CREATE : F7584C30
18:45:08:937 4008 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
18:45:08:937 4008 IRP_MJ_CLOSE : F7584C30
18:45:08:937 4008 IRP_MJ_READ : F757ED9B
18:45:08:937 4008 IRP_MJ_WRITE : F757ED9B
18:45:08:937 4008 IRP_MJ_QUERY_INFORMATION : 804FB8EE
18:45:08:937 4008 IRP_MJ_SET_INFORMATION : 804FB8EE
18:45:08:937 4008 IRP_MJ_QUERY_EA : 804FB8EE
18:45:08:937 4008 IRP_MJ_SET_EA : 804FB8EE
18:45:08:937 4008 IRP_MJ_FLUSH_BUFFERS : F757F366
18:45:08:937 4008 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FB8EE
18:45:08:937 4008 IRP_MJ_SET_VOLUME_INFORMATION : 804FB8EE
18:45:08:937 4008 IRP_MJ_DIRECTORY_CONTROL : 804FB8EE
18:45:08:937 4008 IRP_MJ_FILE_SYSTEM_CONTROL : 804FB8EE
18:45:08:937 4008 IRP_MJ_DEVICE_CONTROL : F757F44D
18:45:08:937 4008 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7582FC3
18:45:08:937 4008 IRP_MJ_SHUTDOWN : F757F366
18:45:08:937 4008 IRP_MJ_LOCK_CONTROL : 804FB8EE
18:45:08:937 4008 IRP_MJ_CLEANUP : 804FB8EE
18:45:08:937 4008 IRP_MJ_CREATE_MAILSLOT : 804FB8EE
18:45:08:937 4008 IRP_MJ_QUERY_SECURITY : 804FB8EE
18:45:08:937 4008 IRP_MJ_SET_SECURITY : 804FB8EE
18:45:08:937 4008 IRP_MJ_POWER : F7580EF3
18:45:08:937 4008 IRP_MJ_SYSTEM_CONTROL : F7585A24
18:45:08:937 4008 IRP_MJ_DEVICE_CHANGE : 804FB8EE
18:45:08:937 4008 IRP_MJ_QUERY_QUOTA : 804FB8EE
18:45:08:937 4008 IRP_MJ_SET_QUOTA : 804FB8EE
18:45:08:953 4008 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
18:45:08:953 4008
18:45:08:953 4008 Driver Name: atapi
18:45:08:953 4008 IRP_MJ_CREATE : F747A9F2
18:45:08:953 4008 IRP_MJ_CREATE_NAMED_PIPE : F747A9F2
18:45:08:953 4008 IRP_MJ_CLOSE : F747A9F2
18:45:08:953 4008 IRP_MJ_READ : F747A9F2
18:45:08:953 4008 IRP_MJ_WRITE : F747A9F2
18:45:08:953 4008 IRP_MJ_QUERY_INFORMATION : F747A9F2
18:45:08:953 4008 IRP_MJ_SET_INFORMATION : F747A9F2
18:45:08:953 4008 IRP_MJ_QUERY_EA : F747A9F2
18:45:08:953 4008 IRP_MJ_SET_EA : F747A9F2
18:45:08:953 4008 IRP_MJ_FLUSH_BUFFERS : F747A9F2
18:45:08:953 4008 IRP_MJ_QUERY_VOLUME_INFORMATION : F747A9F2
18:45:08:953 4008 IRP_MJ_SET_VOLUME_INFORMATION : F747A9F2
18:45:08:953 4008 IRP_MJ_DIRECTORY_CONTROL : F747A9F2
18:45:08:953 4008 IRP_MJ_FILE_SYSTEM_CONTROL : F747A9F2
18:45:08:953 4008 IRP_MJ_DEVICE_CONTROL : F747A9F2
18:45:08:953 4008 IRP_MJ_INTERNAL_DEVICE_CONTROL : F747A9F2
18:45:08:953 4008 IRP_MJ_SHUTDOWN : F747A9F2
18:45:08:953 4008 IRP_MJ_LOCK_CONTROL : F747A9F2
18:45:08:953 4008 IRP_MJ_CLEANUP : F747A9F2
18:45:08:953 4008 IRP_MJ_CREATE_MAILSLOT : F747A9F2
18:45:08:953 4008 IRP_MJ_QUERY_SECURITY : F747A9F2
18:45:08:953 4008 IRP_MJ_SET_SECURITY : F747A9F2
18:45:08:953 4008 IRP_MJ_POWER : F747A9F2
18:45:08:953 4008 IRP_MJ_SYSTEM_CONTROL : F747A9F2
18:45:08:953 4008 IRP_MJ_DEVICE_CHANGE : F747A9F2
18:45:08:953 4008 IRP_MJ_QUERY_QUOTA : F747A9F2
18:45:08:953 4008 IRP_MJ_SET_QUOTA : F747A9F2
18:45:08:953 4008 Driver "atapi" infected by TDSS rootkit!
18:45:08:968 4008 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
18:45:08:968 4008 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ... 18:45:08:968 4008 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
18:45:08:968 4008 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
18:45:09:312 4008 vfvi6
18:45:09:343 4008 !dsvbh1
18:45:09:734 4008 dsvbh2
18:45:09:734 4008 fdfb2
18:45:09:734 4008 Backup copy found, using it..
18:45:09:906 4008 will be cured on next reboot
18:45:09:906 4008 Reboot required for cure complete..
18:45:10:093 4008 Cure on reboot scheduled successfully
18:45:10:093 4008
18:45:10:093 4008 Completed
18:45:10:093 4008
18:45:10:093 4008 Results:
18:45:10:093 4008 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
18:45:10:093 4008 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
18:45:10:093 4008 File objects infected / cured / cured on reboot: 1 / 0 / 1
18:45:10:093 4008
18:45:10:093 4008 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
18:45:10:093 4008 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
18:45:10:093 4008 UnloadDriverW: NtUnloadDriver error 1
18:45:10:109 4008 KLMD(ARK) unloaded successfully


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:53 PM

Posted 07 April 2010 - 01:10 PM

Yep it looks like it has taken care of it, let's do a final check to make sure nothing else is lurking.


You don't have the latest version of Java, you should run JavaRa to clean up any older Java, then
download and install the latest version from here.

Please download JavaRa and unzip it to your desktop.
Then Print these instructions as you won't have Internet access during this particular phase.

Close any instances of Internet Explorer before continuing
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English or the appropriate language...and click on Select.
  • JavaRa will open; Select Remove Older Versions, click yes, then ok.
  • A logfile will pop up, you can close it.
  • Now select Additional Tasks and check the following:
    Remove Useless JRE Files
    Remove Startup Entry
  • Click Go then ok to all the prompts, once done restart your computer.



Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push


Then in your next reply, please let me know if you are having any more problems and post back here with the following logs:
  • ESET report
  • New DDS log

Thanks

unite.jpg


#11 technik

technik
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:53 PM

Posted 07 April 2010 - 04:49 PM

Hi Syler, ESET completed its scan without detecting anything (hence no report). The DDS log is below and google searches no longer appear to be redirected. I'll wait for your 'all clear' but it's looking good!

DDS (Ver_10-03-17.01) - NTFSx86
Run by Alex at 22:38:32.09 on 07/04/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.768.315 [GMT 1:00]

FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\3Com_DMI\3CDMINIC.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alex\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TCASUTIEXE] TCAUDIAG.exe -off
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\CPF.exe" /background
dRun: [PcSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alex\applic~1\mozilla\firefox\profiles\vu7z1ob1.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

============= SERVICES / DRIVERS ===============

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-6-23 58464]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 3ComDMIService;3Com DMI Agent;c:\windows\system32\3com_dmi\3CDMINIC.EXE [2006-4-23 114688]
R2 BCAITDI;3Com BCAITDI DMI TDI;c:\windows\system32\drivers\BCAITDI.SYS [2006-4-23 19470]
R2 CmdAgent;Comodo Application Agent;c:\program files\comodo\firewall\cmdagent.exe [2008-3-1 361040]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-6-23 102463]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2004-9-22 221191]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2004-9-22 28672]
R2 tcaicchg;tcaicchg;c:\windows\system32\TCAICCHG.SYS [2006-4-16 21233]
R2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\TCAITDI.SYS [2006-4-16 19534]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-6-23 108480]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

=============== Created Last 30 ================

2010-04-06 21:02:58 0 d-----w- C:\_OTL
2010-03-18 17:27:42 0 d-----w- c:\windows\system32\NtmsData

==================== Find3M ====================

2010-04-07 17:46:54 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-29 23:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-02-12 10:03:03 293376 ------w- c:\windows\system32\browserchoice.exe
2003-07-17 11:26:58 448640 ----a-w- c:\windows\inf\EL2K_N64.sys
2003-07-17 11:22:10 147328 ----a-w- c:\windows\inf\EL2K_XP.sys
2003-06-03 16:47:54 147328 ----a-w- c:\windows\inf\EL2K_2K.sys

============= FINISH: 22:39:35.50 ===============


#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:53 PM

Posted 08 April 2010 - 07:58 AM

Hi technik,

That's great your logs look fine to me now.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Cleaning and creating restore points
  • Click Start, right click My Computer and select properties.
  • Select the System Restore tab then check the box "Turn off System Restore".
  • Click Apply then Ok, then restart your computer
  • Now follow these steps again, but instead of checking "Turn off System Restore" Uncheck it.
Now that you have cleaned out you restore points you need to set a new restore point
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Select "Create a restore point" then click Next.
  • Type a name under Restore point description then click Create.
Additional instructions can be found here if needed.

Note: This does not need to be done on a regular basis.


Congratulations! You now appear clean! thumbup.gif

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Update Windows
You don't have the latest service pack for windows, The service packs patch security vulnerabilities found in windows. You should
keep these upto date to keep you protected against malware, that can take advantage of these security vulnerabilities to attack
your system.The latest service pack is SP3, Click on Start >> All programs >> Windows update then select Express
and allow it to install all updates including SP3.
Note: If it prompts you to install an ActiveX control allow it to install it.

Update your AntiVirus Software
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the programs virus definitions.

Make sure all programs are updated
It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Calendar of Updates or you can install Secunia PSI.

Install Sanboxie
Sandboxie is a great program to help protect you against malware, working inside Sandboxie will basically mean that,
what you are doing will not make a permenant changes to your system, unless you allow it too. So you can be surfing
the web inside Sandboxie then if you happen to stumble upon a bad site and get infected, you can simply delete the
Sanbox and all is gone. Having said that, it can not be considered 100% secure as no program can be, but it can be
a great help and is an excellent program. You can find a download link and more information about the program here.

Secure your browsing
Firefox is generally considered to be a lot safer that Internet Explorer, I would recommend that you install Firefox and install
some addons that will make the browser even safer. You can download the latest version of Firefox here, if you already
have firefox these are some good addons.

Recommended addons
NoScript
Adblock Plus
WOT

Install SpywareBlaster
SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs. You can find a tutorial and download link here.

Use MVPS hosts file
Using a custom host file like the MVPS HOSTS file can help to block ads, banners, 3rd party Cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download and find instructions here.


Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing smile.gif
Syler

Edited by syler, 08 April 2010 - 08:00 AM.

unite.jpg


#13 technik

technik
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:53 PM

Posted 08 April 2010 - 09:20 AM

Thanks Syler, you're a hero (excuse the pun - suggested by my son thumbup2.gif ). Can I just delete TDSS Killer and JavaRa from the desktop? Also, do I need to install Java again, or can we live without it?

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:53 PM

Posted 08 April 2010 - 09:37 AM

You're most welcome, I like the pun smile.gif

Yes you can just manually delete any tool that are left, as for Java you don't have to reinstall it but a lot of web sites
use Java, so at some point you will probably be prompted to install it.

unite.jpg


#15 technik

technik
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:53 PM

Posted 08 April 2010 - 05:27 PM

Okay tools removed, Java updated, restore points cleaned and have updated XP to SP3. I'll also update our antivirus and take a look at SpywareBlaster too. All seems to be running normally so thanks again for your help and advice.

Edited by technik, 08 April 2010 - 05:29 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users