
Google redirect / TDSS Rootkit infection


  • This topic is locked
20 replies to this topic

#1 ricker2005

ricker2005

  • Members
  • 10 posts

Posted 06 April 2010 - 10:58 AM

A few days ago Google Chrome stopped loading pages, including the bookmarks page. It just looks like the page is trying to load but nothing comes up and eventually I get an option to stop the loading. I switched to Firefox to look for possible causes and noticed that I was being redirected to "anti-spyware" websites when I clicked on links in both Google and Bing. Spybot: Search and Destroy and MalwareByte's Anti-Malware did not solve the problem. I eventually was directed to TDSSkiller, which said that atapi.sys was infected. The program said that the file would be fixed on reboot but the file is still infected and I'm still having the same problems. A few other programs also failed to solve the problem.

I ran the three programs from your preparation guide and while I was running GMER I started getting warnings from a fake anti-spyware program. After GMER was finished, I wasn't able to run either Firefox or MalwareByte's. Spybot found five new malware programs that I removed. I was then able to run MalwareByte's, which found and removed three more programs.

So I'm back where I started. I no longer have fake anti-spyware popups but my atapi.sys file is still infected, Google Chrome doesn't work, and I'm still getting redirected from search results. This one is out of my league. Any help is appreciated.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Rick Crist at 23:58:40.96 on Mon 04/05/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.450 [GMT -4:00]

AV: avast! antivirus 4.8.1368 [VPS 100405-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rick Crist\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://pulse.jefferson.edu/
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_07\bin\ssv.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [WebCamRT.exe]
uRun: [HijackThis startup scan] c:\program files\trend micro\hijackthis\HijackThis.exe /startupscan
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Google Update] "c:\documents and settings\rick crist\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\progra~1\markany\conten~1\MACSMA~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rickcr~1\applic~1\mozilla\firefox\profiles\7ks8e642.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\documents and settings\rick crist\application data\mozilla\firefox\profiles\7ks8e642.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\rick crist\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJPI150_07.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-9-9 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-9 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-9-9 138680]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-27 24652]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-9-9 352920]
S0 dpm6b1c;dpm6b1c;\SystemRoot\\SystemRoot\System32\drivers\dpm6b1c.sys --> \SystemRoot\\SystemRoot\System32\drivers\dpm6b1c.sys [?]
S1 80708658.sys;80708658.sys;\??\c:\windows\system32\drivers\80708658.sys --> c:\windows\system32\drivers\80708658.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-9-9 254040]

=============== Created Last 30 ================

2010-04-06 03:55:16 0 ----a-w- c:\documents and settings\rick crist\defogger_reenable
2010-04-05 23:52:53 0 d-sha-r- C:\cmdcons
2010-04-05 23:51:31 0 d-----w- C:\ComboFix
2010-04-05 03:53:33 98816 ----a-w- c:\windows\sed.exe
2010-04-05 03:53:33 77312 ----a-w- c:\windows\MBR.exe
2010-04-05 03:53:33 261632 ----a-w- c:\windows\PEV.exe
2010-04-05 03:53:33 161792 ----a-w- c:\windows\SWREG.exe
2010-04-05 01:56:16 178000 ----a-w- C:\TDSSKiller.exe
2010-03-22 01:23:34 0 d-----w- c:\program files\Veetle
2010-03-22 00:55:33 4365 ----a-w- C:\bookmarks.htm
2010-03-14 16:17:01 10051096 ----a-w- C:\Opera_1050_en_Setup.exe
2010-03-10 19:04:58 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-04-06 03:15:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 04:57:43 1509888 ----a-w- c:\windows\system32\dllcache\shdocvw.dll
2010-03-10 04:57:36 1024000 ----a-w- c:\windows\system32\dllcache\browseui.dll
2010-02-26 19:35:08 3073024 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2010-02-25 11:17:33 18432 ----a-w- c:\windows\system32\dllcache\iedw.exe

============= FINISH: 23:59:41.40 ===============

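The SERVICES / DRIVERS section of the DDS log above has a fixed line shape, and two of its entries end in `[?]`, which DDS prints when it could not read the file's date and size. As an added example (not part of this thread and not DDS code), here is a small Python parser for lines of that shape, plus a few triage rules of my own: entries DDS could not read, entries whose registered image path contains a doubled separator, and whether such an entry loads at boot or system start, before most security tools. The sample lines are constructed to match the log above; the rules mark entries an analyst would inspect first, they are not verdicts.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the SERVICES / DRIVERS section of the
# DDS log above. Lines DDS could read end in "[<date> <size>]"; lines it
# could not read end in "<image path> --> <resolved path> [?]".
SAMPLE_DDS_DRIVERS = r"""
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-9-9 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-9 20560]
S0 dpm6b1c;dpm6b1c;\SystemRoot\\SystemRoot\System32\drivers\dpm6b1c.sys --> \SystemRoot\\SystemRoot\System32\drivers\dpm6b1c.sys [?]
S1 80708658.sys;80708658.sys;\??\c:\windows\system32\drivers\80708658.sys --> c:\windows\system32\drivers\80708658.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-9-9 254040]
""".strip()


@dataclass
class DriverEntry:
    state: str            # R = running, S = stopped (first character of the line)
    start_type: int       # 0 boot, 1 system, 2 auto, 3 on demand, 4 disabled
    name: str
    display_name: str
    path: str             # image path as registered for the service
    date: Optional[str]   # None when DDS printed "[?]"
    size: Optional[int]   # None when DDS printed "[?]"

    @property
    def unreadable(self) -> bool:
        return self.size is None


LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
DETAIL_RE = re.compile(
    r"^(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$"
)
# Two consecutive separators inside a path, e.g. "\SystemRoot\\SystemRoot\..."
DOUBLED_SEP_RE = re.compile(r"[^\\]\\\\[^\\]")


def parse_driver_line(line: str) -> Optional[DriverEntry]:
    """Parse one DDS service/driver line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.endswith("[?]"):
        # "<image path> --> <resolved path> [?]": keep the path as registered.
        path = rest[: -len("[?]")].strip().split(" --> ", 1)[0]
        date, size = None, None
    else:
        d = DETAIL_RE.match(rest)
        if not d:
            return None
        path, date, size = d.group("path"), d.group("date"), int(d.group("size"))
    return DriverEntry(m.group("state"), int(m.group("start")), m.group("name"),
                       m.group("display"), path, date, size)


def parse_dds_drivers(text: str) -> list:
    return [e for e in (parse_driver_line(l) for l in text.splitlines()) if e]


def review(entries: list) -> dict:
    """Heuristic triage (my own rules, not DDS output): {name: [reasons]} for
    entries to look at first. 'unreadable' = DDS could not stat the file;
    'malformed_path' = doubled separator in the image path; 'early_start' is
    added when either problem occurs on a boot/system start driver."""
    findings = {}
    for e in entries:
        reasons = []
        if e.unreadable:
            reasons.append("unreadable")
        if DOUBLED_SEP_RE.search(e.path):
            reasons.append("malformed_path")
        if reasons and e.start_type <= 1:
            reasons.append("early_start")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    parsed = parse_dds_drivers(SAMPLE_DDS_DRIVERS)
    for name, reasons in review(parsed).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run as-is it reports the two `[?]` entries from the sample; feeding it a whole DDS log works the same way, since lines outside the section simply fail to match.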

 


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 09 April 2010 - 11:40 AM

Hello and Welcome to Bleepingcomputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since
resolved your issues I would appreciate it if you would let me know so I can close this topic.


Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %appdata%\*.exe
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    /md5start
    proquota.exe
    sfcfiles.dll
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    beep.sys
    iaStor.sys
    nvstor.sys
    atapi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    iastorv.sys
    /md5stop
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


Then please post back here with the following logs:
  • MBAM log
  • OTL.txt
  • Extra.txt

Thanks

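The `/md5start` ... `/md5stop` block in the OTL instructions above asks OTL to hash a fixed list of system files, so their MD5 values can be compared with known-good ones; the original poster's TDSSKiller run had already named one of them, atapi.sys, as infected. As an added example (not OTL's code and not from this thread), here is that comparison done in Python against a baseline you build yourself from a trusted copy of the files. The directories and file contents are constructed for the demo; the list of names is taken from the post.

```python
import hashlib
import os
import shutil
import tempfile

# File names from the /md5start ... /md5stop block in the post above.
WATCHED_FILES = [
    "proquota.exe", "sfcfiles.dll", "eventlog.dll", "scecli.dll", "netlogon.dll",
    "cngaudit.dll", "sceclt.dll", "ntelogon.dll", "logevent.dll", "beep.sys",
    "iaStor.sys", "nvstor.sys", "atapi.sys", "nvatabus.sys", "viamraid.sys",
    "nvata.sys", "iastorv.sys",
]


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in chunks. 'md5' matches what OTL prints; use 'sha256'
    for a baseline you keep yourself."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(directory, names=WATCHED_FILES, algorithm="md5"):
    """Record digests of the watched files from a trusted source: a known-clean
    machine at the same service pack, or the files taken from install media.
    Names that do not exist there are left out of the baseline."""
    baseline = {}
    for name in names:
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            baseline[name] = file_digest(path, algorithm)
    return baseline


def check_against_baseline(directory, baseline, algorithm="md5"):
    """Compare the watched files in `directory` with the baseline.
    Returns {name: 'ok' | 'MODIFIED' | 'missing'}."""
    report = {}
    for name, expected in baseline.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif file_digest(path, algorithm) == expected:
            report[name] = "ok"
        else:
            report[name] = "MODIFIED"
    return report


def demo():
    """Constructed scenario: a 'clean' drivers directory used as the baseline,
    and a 'suspect' directory where atapi.sys has been altered and nvstor.sys
    is gone. The byte contents are made up; real drivers are PE images."""
    clean = tempfile.mkdtemp(prefix="drivers_clean_")
    suspect = tempfile.mkdtemp(prefix="drivers_suspect_")
    try:
        originals = {
            "atapi.sys": b"MZ" + b"\x00" * 64 + b"original atapi body",
            "beep.sys": b"MZ" + b"\x00" * 32 + b"beep body",
            "nvstor.sys": b"MZ" + b"\x00" * 48 + b"nvstor body",
        }
        for name, data in originals.items():
            with open(os.path.join(clean, name), "wb") as fh:
                fh.write(data)
        # Suspect machine: atapi.sys has bytes appended, nvstor.sys is absent.
        with open(os.path.join(suspect, "atapi.sys"), "wb") as fh:
            fh.write(originals["atapi.sys"] + b"appended code")
        with open(os.path.join(suspect, "beep.sys"), "wb") as fh:
            fh.write(originals["beep.sys"])

        baseline = build_baseline(clean)
        return {
            "baseline": baseline,
            "clean": check_against_baseline(clean, baseline),
            "suspect": check_against_baseline(suspect, baseline),
        }
    finally:
        shutil.rmtree(clean, ignore_errors=True)
        shutil.rmtree(suspect, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    for machine in ("clean", "suspect"):
        print(machine)
        for name, status in sorted(result[machine].items()):
            print(f"  {status:9} {name}")
```

Two caveats a practitioner would keep in mind. First, a hash check performed from the running system relies on the kernel returning the file's real bytes; a kernel-mode rootkit that intercepts disk reads can hand back the original content and make a patched driver hash as "ok", which is why such checks are repeated from a clean boot or from another operating system. Second, MD5 is used here only to match OTL's output; for a baseline you maintain yourself, SHA-256 is the better choice.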


#3 ricker2005

ricker2005
  • Topic Starter

  • Members
  • 10 posts

Posted 09 April 2010 - 08:09 PM

Hi Syler. Thanks for taking the time to help me out. Here are the logs you requested.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3973

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

4/9/2010 8:54:53 PM
mbam-log-2010-04-09 (20-54-53).txt

Scan type: Quick scan
Objects scanned: 111180
Time elapsed: 9 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


OTL logfile created on: 4/9/2010 8:58:19 PM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\Rick Crist\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 395.00 Mb Available Physical Memory | 39.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 89.05 Gb Total Space | 55.29 Gb Free Space | 62.09% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RICHARDCRIST
Current User Name: Rick Crist
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/09 20:47:18 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rick Crist\Desktop\OTL.exe
PRC - [2010/02/25 22:59:43 | 000,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/11/24 19:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 19:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 19:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 19:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/05/19 01:23:16 | 000,049,968 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aim6.exe
PRC - [2008/11/06 13:33:00 | 000,041,264 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aolsoftware.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/21 11:28:36 | 000,643,072 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2007/02/21 11:19:58 | 000,819,200 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2007/02/21 11:19:40 | 000,294,912 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2007/02/21 11:17:42 | 000,970,752 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2007/02/21 11:16:48 | 000,983,040 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2007/02/21 11:13:26 | 000,487,424 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2007/02/21 11:10:00 | 000,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2004/09/13 17:33:20 | 000,155,648 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2004/08/19 15:40:08 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2003/10/29 04:06:00 | 000,024,576 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe


========== Modules (SafeList) ==========

MOD - [2010/04/09 20:47:18 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rick Crist\Desktop\OTL.exe
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/24 19:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 19:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 19:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 19:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2007/02/21 11:28:36 | 000,643,072 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2007/02/21 11:19:40 | 000,294,912 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel®
SRV - [2007/02/21 11:16:48 | 000,983,040 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2007/02/21 11:10:00 | 000,327,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2002/03/15 16:37:46 | 000,081,920 | R--- | M] (HP) [Disabled | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2009/11/24 19:50:59 | 000,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/11/24 19:50:12 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/11/24 19:50:00 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/24 19:49:07 | 000,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/24 19:48:57 | 000,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/24 19:47:54 | 000,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/09/08 13:41:49 | 000,045,344 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\dpm6b1c.sys -- (dpm6b1c)
DRV - [2007/05/18 16:54:10 | 000,008,413 | ---- | M] (RealNetworks, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mcstrm.sys -- (MCSTRM)
DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2007/02/21 11:16:12 | 000,012,416 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/02/08 13:51:16 | 002,209,408 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/09/28 19:55:50 | 000,077,568 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\WudfPf.sys -- (WudfPf)
DRV - [2005/03/10 23:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2004/12/06 02:05:00 | 000,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/12/06 02:05:00 | 000,098,714 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/12/06 02:05:00 | 000,086,586 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/12/06 02:05:00 | 000,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/12/06 02:05:00 | 000,025,883 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/12/06 02:05:00 | 000,015,227 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/12/06 02:05:00 | 000,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/12/06 02:05:00 | 000,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/12/06 02:05:00 | 000,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/12/04 04:34:26 | 000,800,768 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/12/01 04:22:00 | 000,087,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/11/23 03:56:00 | 000,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/11/16 17:03:52 | 000,108,791 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2004/08/04 00:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/04 00:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/03 23:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/08/03 23:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/07/14 12:29:04 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 12:28:50 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2004/06/30 10:39:36 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | On_Demand | Running] -- C:\Program Files\Dell\NicConfigSvc\Appdrv.sys -- (Appdrv)
DRV - [2004/06/17 21:57:02 | 000,200,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/06/17 21:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 21:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/05/26 21:18:18 | 000,044,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2004/02/13 17:46:00 | 000,017,153 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)
DRV - [2002/06/10 14:16:34 | 000,371,766 | ---- | M] (Philips Semiconductors) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CamDrL21.sys -- (PhilCam8116) Logitech QuickCam Pro 3000(PID_08B0)
DRV - [2001/08/17 15:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 15:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 15:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 15:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 15:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 14:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 14:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 14:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 14:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 14:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 14:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 14:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 14:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 14:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 14:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3980743763-604523156-809557890-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://pulse.jefferson.edu/
IE - HKU\S-1-5-21-3980743763-604523156-809557890-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "www.yahoo.com"
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.071303000006
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/25 23:00:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/08 21:49:57 | 000,000,000 | ---D | M]

[2009/01/31 17:26:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick Crist\Application Data\Mozilla\Extensions
[2010/04/09 20:48:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick Crist\Application Data\Mozilla\Firefox\Profiles\7ks8e642.default\extensions
[2009/04/08 19:15:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick Crist\Application Data\Mozilla\Firefox\Profiles\7ks8e642.default\extensions\moveplayer@movenetworks.com
[2010/04/09 20:48:23 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/04/16 13:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2010/04/05 00:05:29 | 000,000,027 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKU\S-1-5-21-3980743763-604523156-809557890-1005\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-3980743763-604523156-809557890-1005\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKU\S-1-5-21-3980743763-604523156-809557890-1005..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe (AOL LLC)
O4 - HKU\S-1-5-21-3980743763-604523156-809557890-1005..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe (Trend Micro Inc.)
O4 - HKU\S-1-5-21-3980743763-604523156-809557890-1005..\Run: [WebCamRT.exe] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3980743763-604523156-809557890-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3980743763-604523156-809557890-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3980743763-604523156-809557890-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3980743763-604523156-809557890-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {88485281-8b4b-4f8d-9ede-82e29a064277} - C:\Program Files\MarkAny\ContentSafer\MACSMANAGER.dll (MarkAny Cooperation.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 18:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/01/07 11:14:24 | 000,688,128 | ---- | M] (University of British Columbia) - C:\autostitch.exe -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = secfile] -- Reg Error: Key error. File not found
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
O37 - HKU\S-1-5-21-3980743763-604523156-809557890-1005\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/11 18:02:12 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


CREATERESTOREPOINT
Restore point Set: OTL Restore Point (67849080138629120)

========== Files/Folders - Created Within 30 Days ==========

[2010/04/09 20:47:16 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Rick Crist\Desktop\OTL.exe
[2010/04/08 21:50:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/08 21:49:57 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/04/08 21:49:57 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/08 21:49:57 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/08 21:49:57 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/08 21:49:57 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/08 21:09:54 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2010/04/08 20:50:45 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/04/08 20:50:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/04/08 20:50:11 | 005,650,240 | ---- | C] (SurfRight B.V.) -- C:\HitmanPro35.exe
[2010/04/08 20:44:21 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/04/08 20:26:34 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Rick Crist\PrivacIE
[2010/04/08 20:19:42 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Rick Crist\IETldCache
[2010/04/08 20:10:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\WBEM
[2010/04/08 20:08:08 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/04/08 20:08:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-US
[2010/04/08 19:58:34 | 016,883,056 | ---- | C] (Microsoft Corporation) -- C:\IE8-WindowsXP-x86-ENU.exe
[2010/04/08 19:28:11 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Rick Crist\Desktop\TDSSKiller.exe
[2010/04/06 01:09:56 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Rick Crist\Recent
[2010/04/06 00:12:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/06 00:12:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/06 00:12:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/05 19:52:53 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/05 19:51:31 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/04/04 23:53:33 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/04 23:53:33 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/04 23:53:33 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/04 23:53:33 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/04 23:53:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/04 23:52:22 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/04 21:56:16 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\TDSSKiller.exe
[2010/04/03 08:57:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/03/21 21:23:34 | 000,000,000 | ---D | C] -- C:\Program Files\Veetle
[2010/03/21 21:18:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rick Crist\Desktop\Downloads
[2010/03/20 23:38:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rick Crist\Local Settings\Application Data\Temp
[2010/03/20 23:38:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rick Crist\Local Settings\Application Data\Google
[2010/03/14 12:17:01 | 010,051,096 | ---- | C] (Opera Software ASA ) -- C:\Opera_1050_en_Setup.exe
[2008/12/27 12:08:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/11/09 18:58:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Intel
[2008/07/05 11:02:13 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2005/09/17 14:52:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Help
[2005/09/17 14:52:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Help
[2004/08/11 18:20:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2004/08/11 18:06:56 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[237 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/09 20:47:18 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rick Crist\Desktop\OTL.exe
[2010/04/09 20:43:07 | 000,000,998 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3980743763-604523156-809557890-1005UA.job
[2010/04/09 20:36:40 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/09 20:35:48 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/04/09 20:35:46 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/09 20:35:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/09 20:35:29 | 1073,180,672 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/09 04:37:24 | 006,291,456 | -H-- | M] () -- C:\Documents and Settings\Rick Crist\NTUSER.DAT
[2010/04/09 04:37:24 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Rick Crist\ntuser.ini
[2010/04/08 23:43:02 | 000,000,946 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3980743763-604523156-809557890-1005Core.job
[2010/04/08 23:17:05 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/08 22:39:18 | 007,331,476 | -H-- | M] () -- C:\Documents and Settings\Rick Crist\Local Settings\Application Data\IconCache.db
[2010/04/08 21:49:15 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/08 21:49:15 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/08 21:49:15 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/08 21:49:15 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/08 21:49:14 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/04/08 21:09:54 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2010/04/08 21:04:30 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/08 20:50:23 | 005,650,240 | ---- | M] (SurfRight B.V.) -- C:\HitmanPro35.exe
[2010/04/08 19:59:20 | 016,883,056 | ---- | M] (Microsoft Corporation) -- C:\IE8-WindowsXP-x86-ENU.exe
[2010/04/08 19:59:20 | 000,002,323 | ---- | M] () -- C:\Documents and Settings\Rick Crist\Desktop\Google Chrome.lnk
[2010/04/08 19:26:38 | 003,909,898 | R--- | M] () -- C:\Documents and Settings\Rick Crist\Desktop\billy.exe
[2010/04/06 01:59:53 | 000,012,238 | -HS- | M] () -- C:\Documents and Settings\Rick Crist\Local Settings\Application Data\K6sEH5Ir2Is
[2010/04/06 01:59:53 | 000,012,238 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\K6sEH5Ir2Is
[2010/04/06 00:57:36 | 000,012,276 | -HS- | M] () -- C:\Documents and Settings\Rick Crist\Local Settings\Application Data\847287338
[2010/04/06 00:57:36 | 000,012,276 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2471283965
[2010/04/06 00:57:30 | 000,012,266 | -HS- | M] () -- C:\Documents and Settings\Rick Crist\Local Settings\Application Data\2471283965
[2010/04/06 00:16:53 | 000,012,306 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\847287338
[2010/04/05 23:56:33 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Rick Crist\Desktop\dds.scr
[2010/04/05 23:55:16 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Rick Crist\defogger_reenable
[2010/04/05 23:54:43 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Rick Crist\Desktop\Defogger.exe
[2010/04/05 19:53:00 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/05 18:41:20 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Rick Crist\Desktop\r0i9ftvs.exe
[2010/04/05 00:05:29 | 000,000,027 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/03 09:21:51 | 000,870,128 | ---- | M] () -- C:\WINDOWS\System32\mcs.rma
[2010/04/03 09:21:51 | 000,000,004 | ---- | M] () -- C:\WINDOWS\System32\1E2147
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/23 07:32:35 | 000,382,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/23 07:32:35 | 000,053,838 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/23 07:32:33 | 000,441,626 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/22 10:43:42 | 000,178,000 | ---- | M] (Kaspersky Lab) -- C:\TDSSKiller.exe
[2010/03/22 10:43:42 | 000,178,000 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Rick Crist\Desktop\TDSSKiller.exe
[2010/03/21 20:55:33 | 000,004,365 | ---- | M] () -- C:\bookmarks.htm
[2010/03/14 12:17:53 | 010,051,096 | ---- | M] (Opera Software ASA ) -- C:\Opera_1050_en_Setup.exe
[2010/03/12 18:02:38 | 000,261,632 | ---- | M] () -- C:\WINDOWS\PEV.exe
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[237 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/08 20:59:54 | 1073,180,672 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/08 20:50:54 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/08 19:26:37 | 003,909,898 | R--- | C] () -- C:\Documents and Settings\Rick Crist\Desktop\billy.exe
[2010/04/06 00:17:27 | 000,012,276 | -HS- | C] () -- C:\Documents and Settings\Rick Crist\Local Settings\Application Data\847287338
[2010/04/06 00:17:27 | 000,012,276 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2471283965
[2010/04/06 00:17:27 | 000,012,266 | -HS- | C] () -- C:\Documents and Settings\Rick Crist\Local Settings\Application Data\2471283965
[2010/04/06 00:14:48 | 000,012,306 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\847287338
[2010/04/06 00:14:48 | 000,012,238 | -HS- | C] () -- C:\Documents and Settings\Rick Crist\Local Settings\Application Data\K6sEH5Ir2Is
[2010/04/06 00:13:30 | 000,013,678 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\K6sEH5Ir2Is
[2010/04/06 00:13:30 | 000,012,238 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\K6sEH5Ir2Is
[2010/04/05 23:56:32 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Rick Crist\Desktop\dds.scr
[2010/04/05 23:55:16 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Rick Crist\defogger_reenable
[2010/04/05 23:54:42 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Rick Crist\Desktop\Defogger.exe
[2010/04/05 19:53:00 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/04/05 19:52:56 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/05 18:41:18 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Rick Crist\Desktop\r0i9ftvs.exe
[2010/04/04 23:53:33 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/04 23:53:33 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/04 23:53:33 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/04 23:53:33 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/04 23:53:33 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/03/21 20:55:33 | 000,004,365 | ---- | C] () -- C:\bookmarks.htm
[2010/03/20 23:44:17 | 000,002,323 | ---- | C] () -- C:\Documents and Settings\Rick Crist\Desktop\Google Chrome.lnk
[2010/03/20 23:38:29 | 000,000,998 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3980743763-604523156-809557890-1005UA.job
[2010/03/20 23:38:28 | 000,000,946 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3980743763-604523156-809557890-1005Core.job
[2009/09/06 11:46:06 | 000,045,344 | ---- | C] () -- C:\WINDOWS\System32\drivers\dpm6b1c.sys
[2009/03/28 15:25:29 | 000,000,225 | ---- | C] () -- C:\WINDOWS\AndreaMosaic.INI
[2006/12/09 20:39:29 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/09/28 19:55:50 | 000,077,568 | ---- | C] () -- C:\WINDOWS\System32\drivers\WudfPf.sys
[2006/09/05 20:00:20 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Rick Crist\.cachedpedigree.xml
[2006/06/11 20:25:28 | 000,000,643 | ---- | C] () -- C:\WINDOWS\tlknw20.ini
[2006/05/05 16:55:05 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/12/10 13:38:22 | 000,000,158 | ---- | C] () -- C:\WINDOWS\pagesuit.ini
[2005/12/10 13:38:18 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\irisco32.dll
[2005/12/10 13:29:37 | 000,552,960 | R--- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2005/11/23 20:18:29 | 000,000,092 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2005/10/13 23:11:24 | 000,000,797 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/09/16 20:07:19 | 000,000,241 | ---- | C] () -- C:\WINDOWS\QSync.INI
[2005/09/16 20:06:08 | 000,005,187 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2005/09/16 20:06:04 | 000,000,816 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2005/09/08 14:04:27 | 000,000,398 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2005/09/06 21:03:13 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/09/06 16:15:02 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/08/15 15:50:05 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Rick Crist\Application Data\PFP120JPR.{PB
[2005/08/15 15:50:05 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Rick Crist\Application Data\PFP120JCM.{PB
[2005/07/23 23:48:51 | 000,046,592 | ---- | C] () -- C:\Documents and Settings\Rick Crist\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/07/18 19:43:47 | 000,000,310 | ---- | C] () -- C:\Documents and Settings\Rick Crist\convert.log
[2005/07/18 19:43:34 | 006,291,456 | -H-- | C] () -- C:\Documents and Settings\Rick Crist\NTUSER.DAT
[2005/07/18 19:43:34 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Rick Crist\ntuser.dat.LOG
[2005/07/18 19:43:34 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Rick Crist\ntuser.ini
[2005/07/18 19:42:38 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2005/07/18 19:42:38 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2005/07/06 22:33:19 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/07/06 22:22:36 | 000,000,444 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/07/06 22:13:20 | 000,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2005/07/06 21:48:56 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\stac97co.dll
[2005/07/06 21:47:58 | 000,000,372 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/04/28 00:22:38 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/04/28 00:22:34 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/04/28 00:22:34 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2004/08/12 09:44:10 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\iwca.dll
[2004/08/11 18:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 18:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/02/10 16:08:00 | 000,000,373 | ---- | C] () -- C:\WINDOWS\System32\dlbccoin.ini
[2002/11/13 16:40:22 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbcvs.dll
[2002/10/06 14:42:57 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2002/10/04 19:04:25 | 000,921,600 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2002/10/04 19:04:24 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2002/10/04 19:04:17 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\Ogg.dll
[1999/01/27 13:39:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== Custom Scans ==========


< %appdata%\*.exe >

< %systemroot%\system32\*.dll /lockedfiles >
[2005/03/15 16:56:08 | 000,089,088 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\atl71.dll
[237 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >
[2007/02/28 20:05:43 | 004,322,304 | ---- | M] () -- C:\aawsepersonal.exe
[2006/01/07 11:14:24 | 000,688,128 | ---- | M] (University of British Columbia) -- C:\autostitch.exe
[2005/08/07 16:10:14 | 000,016,384 | ---- | M] ( ) -- C:\auxsetup.exe
[2008/12/17 22:17:52 | 001,754,496 | ---- | M] () -- C:\BitTorrent-6.1.2.exe
[2009/02/17 19:44:47 | 000,925,592 | ---- | M] (Piriform Ltd) -- C:\ccsetup216_slim.exe
[2008/05/10 16:29:01 | 055,582,759 | ---- | M] () -- C:\Fold It!.exe
[2010/04/08 20:50:23 | 005,650,240 | ---- | M] (SurfRight B.V.) -- C:\HitmanPro35.exe
[2008/04/09 21:22:17 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\HJTInstall.exe
[2010/04/08 19:59:20 | 016,883,056 | ---- | M] (Microsoft Corporation) -- C:\IE8-WindowsXP-x86-ENU.exe
[2006/07/08 21:26:22 | 001,355,912 | ---- | M] () -- C:\install_flash_player.exe
[2005/09/16 19:55:59 | 042,057,332 | ---- | M] (Logitech, Inc. ) -- C:\is730enu.exe
[2009/02/17 21:21:25 | 002,876,728 | ---- | M] (Malwarebytes Corporation ) -- C:\mb.exe
[2006/07/08 20:30:55 | 004,849,080 | ---- | M] (Opera Software ASA ) -- C:\Opera 9 Eng Setup.exe
[2009/11/23 21:05:15 | 009,306,504 | ---- | M] (Opera Software ASA ) -- C:\Opera_1010_en_Setup.exe
[2010/03/14 12:17:53 | 010,051,096 | ---- | M] (Opera Software ASA ) -- C:\Opera_1050_en_Setup.exe
[2008/04/23 16:31:29 | 004,931,320 | ---- | M] (Opera Software ASA ) -- C:\Opera_9.27_Eng_Setup.exe
[2009/07/09 16:13:40 | 005,529,301 | ---- | M] () -- C:\Setup-SopCast-3.2.4-2009-7-9.exe
[2007/01/23 20:17:37 | 013,326,120 | ---- | M] () -- C:\setupeng.exe
[2009/02/17 19:59:49 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\spybotsd162.exe
[2009/02/17 21:17:21 | 006,006,816 | ---- | M] () -- C:\SUPERAntiSpyware.exe
[2010/03/22 10:43:42 | 000,178,000 | ---- | M] (Kaspersky Lab) -- C:\TDSSKiller.exe
[2005/08/07 16:11:18 | 000,007,738 | ---- | M] ( ) -- C:\vdub.exe
[2005/08/07 16:13:28 | 000,736,768 | ---- | M] () -- C:\VirtualDub.exe


< MD5 for: ATAPI.SYS >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/11/07 23:53:43 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
[2010/04/08 22:40:10 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2010/04/09 04:38:07 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys

< MD5 for: BEEP.SYS >
[2004/08/04 06:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\i386\beep.sys
[2004/08/04 06:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\ERDNT\cache\beep.sys
[2004/08/04 06:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\drivers\beep.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[2004/08/04 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll
[2004/08/04 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004/08/04 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll
[2004/08/04 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2004/08/04 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: PROQUOTA.EXE >
[2004/08/04 06:00:00 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=4D9D45A4370E0C2AD00C362B7118E2A4 -- C:\i386\proquota.exe
[2004/08/04 06:00:00 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=4D9D45A4370E0C2AD00C362B7118E2A4 -- C:\WINDOWS\system32\proquota.exe
[2008/04/13 20:12:32 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe

< MD5 for: SCECLI.DLL >
[2004/08/04 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[2004/08/04 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2004/08/04 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll

< MD5 for: SFCFILES.DLL >
[2004/08/04 06:00:00 | 001,580,544 | ---- | M] (Microsoft Corporation) MD5=30A609E00BD1D4FFC49D6B5A432BE7F2 -- C:\i386\sfcfiles.dll
[2004/08/04 06:00:00 | 001,580,544 | ---- | M] (Microsoft Corporation) MD5=30A609E00BD1D4FFC49D6B5A432BE7F2 -- C:\WINDOWS\ERDNT\cache\sfcfiles.dll
[2004/08/04 06:00:00 | 001,580,544 | ---- | M] (Microsoft Corporation) MD5=30A609E00BD1D4FFC49D6B5A432BE7F2 -- C:\WINDOWS\system32\sfcfiles.dll
[2008/04/13 20:12:05 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=9DD07AF82244867CA36681EA2D29CE79 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sfcfiles.dll
< End of report >

Edited by syler, 10 April 2010 - 09:01 AM.
remove duplicate log


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:47 AM

Posted 10 April 2010 - 09:05 AM

Hi ricker2005,

Please download JavaRa and unzip it to your desktop.
Then print these instructions, as you won't have Internet access during this particular phase.

Close any instances of Internet Explorer before continuing
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English or the appropriate language...and click on Select.
  • JavaRa will open; Select Remove Older Versions, click yes, then ok.
  • A logfile will pop up, you can close it.
  • Now select Additional Tasks and check the following:
    Remove Useless JRE Files
    Remove Startup Entry
  • Click Go then ok to all the prompts, once done restart your computer.



Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :OTL
    O3 - HKU\S-1-5-21-3980743763-604523156-809557890-1005\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKU\S-1-5-21-3980743763-604523156-809557890-1005\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O4 - HKU\S-1-5-21-3980743763-604523156-809557890-1005..\Run: [WebCamRT.exe] File not found
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
    O37 - HKLM\...exe [@ = secfile] -- Reg Error: Key error. File not found
    O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
    O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
    O37 - HKU\S-1-5-21-3980743763-604523156-809557890-1005\...exe [@ = exefile] -- Reg Error: Key error. File not found
    [2010/04/06 01:59:53 | 000,012,238 | -HS- | M] () -- C:\Documents and Settings\Rick Crist\Local Settings\Application Data\K6sEH5Ir2Is
    [2010/04/06 01:59:53 | 000,012,238 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\K6sEH5Ir2Is
    [2010/04/06 00:57:36 | 000,012,276 | -HS- | M] () -- C:\Documents and Settings\Rick Crist\Local Settings\Application Data\847287338
    [2010/04/06 00:57:36 | 000,012,276 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2471283965
    [2010/04/06 00:57:30 | 000,012,266 | -HS- | M] () -- C:\Documents and Settings\Rick Crist\Local Settings\Application Data\2471283965
    [2010/04/06 00:16:53 | 000,012,306 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\847287338
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run a new OTL scan without the bold text, and post the new OTL log.



Please click this link-->Virustotal
When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\System32\drivers\dpm6b1c.sys

Please post back with the link to the scan results, in your next post.
If Virustotal is busy, try the same at Jotti: http://virusscan.jotti.org/


Then please post back here with the following logs:
  • OTL results
  • New OTL log
  • Virustotal link

Thanks

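The fix script above resets the .exe shell\open\command handler that the rogue "ave.exe" had taken over (every O37 line with [@ = secfile]), moves the hidden+system droppings out of Application Data, and asks for a VirusTotal check on a publisher-less boot-start driver. Below is an added example, written for this thread and not part of OTL or the helper's instructions, that pulls those same three indicators out of OTL log text automatically. SAMPLE_LOG is constructed from entries quoted in this thread; the regular expressions assume the OTL 3.2 line layout seen in these logs; the function and category names are my own. One caveat the sample shows on purpose: WudfPf.sys (the Microsoft UMDF reflector) is also listed by OTL with no publisher and Boot start, so the driver check yields candidates to hash and look up, which is exactly what the VirusTotal step does, not verdicts.

```python
"""Triage of OTL log lines for the three indicators worked through in this thread.

Added example, not OTL's own code. SAMPLE_LOG is constructed from entries
quoted in the posts above; the regexes assume the OTL 3.2 line layout seen
there. Hypothetical helper names: triage(), summarize(), Finding.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# O37 lines: shell\open\command for an extension, e.g.
#   O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "C:\...\ave.exe" /START "%1" %* File not found
O37_RE = re.compile(
    r'^O37 - (?P<hive>\S+?)\.\.\.(?P<ext>\w+) \[@ = (?P<progid>\w+)\] -- (?P<cmd>.*)$')
# DRV lines: [date | size | attrs | M] (publisher) [type | start | state] -- path -- (service)
DRV_RE = re.compile(
    r'^DRV - \[[^\]]*\] \((?P<company>[^)]*)\) '
    r'\[(?P<type>[^|]+?) \| (?P<start>[^|]+?) \| (?P<state>[^\]]+?)\] -- '
    r'(?P<path>.+?) -- \((?P<name>[^)]+)\)')
# File lines: [date | size | attrs | M] (publisher) -- path
FILE_RE = re.compile(
    r'^\[(?P<date>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| [MC]\] '
    r'\((?P<company>[^)]*)\) -- (?P<path>.+)$')

# What a clean Windows XP shell\open\command looks like for executables.
EXPECTED_PROGID = {'exe': 'exefile', 'com': 'comfile'}
CLEAN_COMMAND = '"%1" %*'


@dataclass
class Finding:
    category: str   # assoc_hijack | driver_verify | dropped_file
    subject: str    # registry hive, service name or file path
    detail: str


def check_shell_open(m) -> Optional[Finding]:
    """Flag an executable association whose ProgID or command is not the stock one."""
    ext = m['ext'].lower()
    if ext not in EXPECTED_PROGID:
        return None
    # OTL appends "File not found" when the handler's target is gone; drop it before comparing.
    cmd = re.sub(r'\s*File not found$', '', m['cmd']).strip()
    if cmd.startswith('Reg Error'):
        return None  # key unreadable or absent; the :OTL fix recreates it, nothing to compare
    if m['progid'].lower() != EXPECTED_PROGID[ext] or cmd != CLEAN_COMMAND:
        return Finding('assoc_hijack', m['hive'],
                       f'.{ext} opens via {m["progid"]}: {cmd}')
    return None


def check_driver(m) -> Optional[Finding]:
    """Boot/System-start kernel driver with no publisher string: candidate for a hash lookup."""
    start = m['start'].strip()
    if m['company'].strip() == '' and start in ('Boot', 'System'):
        return Finding('driver_verify', m['name'],
                       f'{start}-start driver with no publisher string: {m["path"]}; '
                       'hash it and check VirusTotal before deciding')
    return None


def check_file(m) -> Optional[Finding]:
    """Hidden+system, extensionless file dropped under an Application Data folder."""
    attr, path = m['attr'], m['path']
    name = path.rsplit('\\', 1)[-1]
    hidden_system = 'H' in attr and 'S' in attr and 'D' not in attr
    if hidden_system and '\\Application Data\\' in path and '.' not in name:
        return Finding('dropped_file', path,
                       f'hidden+system extensionless file, {m["size"]} bytes, modified {m["date"]}')
    return None


def triage(log_text: str) -> List[Finding]:
    """Run each line through the first matching parser and collect findings."""
    findings: List[Finding] = []
    checks = ((O37_RE, check_shell_open), (DRV_RE, check_driver), (FILE_RE, check_file))
    for line in log_text.splitlines():
        line = line.strip()
        for regex, check in checks:
            m = regex.match(line)
            if m:
                f = check(m)
                if f:
                    findings.append(f)
                break
    return findings


def summarize(log_text: str) -> Dict[str, List[str]]:
    """Subjects grouped by category, convenient for a quick read or for assertions."""
    out: Dict[str, List[str]] = {'assoc_hijack': [], 'driver_verify': [], 'dropped_file': []}
    for f in triage(log_text):
        out[f.category].append(f.subject)
    return out


# Constructed sample, modeled on lines quoted in this thread.
SAMPLE_LOG = r"""
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
DRV - [2009/11/24 19:50:12 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/09/08 13:41:49 | 000,045,344 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\dpm6b1c.sys -- (dpm6b1c)
DRV - [2006/09/28 19:55:50 | 000,077,568 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\WudfPf.sys -- (WudfPf)
DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)
[2010/04/06 01:59:53 | 000,012,238 | -HS- | M] () -- C:\Documents and Settings\Rick Crist\Local Settings\Application Data\K6sEH5Ir2Is
[2010/04/06 00:57:36 | 000,012,276 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2471283965
[2010/04/10 13:03:02 | 1073,180,672 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/10 13:02:15 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Rick Crist\ntuser.ini
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.category}] {f.subject}: {f.detail}')
```

Run it on a saved OTL.txt by passing the file contents to triage(). Only the two secfile lines trip the association check; the stock HKLM entries with "%1" %* pass. Both dpm6b1c and WudfPf land in driver_verify, and only the two extensionless Application Data droppings count as dropped files, while hiberfil.sys and ntuser.ini, which carry the same -HS- attributes, do not.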


#5 ricker2005 (Topic Starter, Members, 10 posts)

Posted 10 April 2010 - 12:19 PM

Here are the new logs. Thanks again for the help.


All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-3980743763-604523156-809557890-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_USERS\S-1-5-21-3980743763-604523156-809557890-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-3980743763-604523156-809557890-1005\Software\Microsoft\Windows\CurrentVersion\Run\\WebCamRT.exe deleted successfully.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\shell\open\command\\|"%1" %* /E : value set successfully!
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
Registry key HKEY_USERS\.DEFAULT_Classes\.exe\ not found.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
Registry key HKEY_USERS\S-1-5-18_Classes\.exe\ not found.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-3980743763-604523156-809557890-1005_Classes\.exe\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
C:\Documents and Settings\Rick Crist\Local Settings\Application Data\K6sEH5Ir2Is moved successfully.
C:\Documents and Settings\All Users\Application Data\K6sEH5Ir2Is moved successfully.
C:\Documents and Settings\Rick Crist\Local Settings\Application Data\847287338 moved successfully.
C:\Documents and Settings\All Users\Application Data\2471283965 moved successfully.
C:\Documents and Settings\Rick Crist\Local Settings\Application Data\2471283965 moved successfully.
C:\Documents and Settings\All Users\Application Data\847287338 moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49701532 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 9594 bytes

User: Rick Crist
->Temp folder emptied: 95740 bytes
->Temporary Internet Files folder emptied: 65670 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 59021341 bytes
->Google Chrome cache emptied: 819568 bytes
->Opera cache emptied: 3160859 bytes
->Flash cache emptied: 1534 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1053297 bytes
%systemroot%\System32 .tmp files removed: 65634742 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 66200 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 171.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: Rick Crist
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.1.1 log created on 04102010_130142

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_150.dat moved successfully.

Registry entries deleted on Reboot...



OTL logfile created on: 4/10/2010 1:07:49 PM - Run 2
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\Rick Crist\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 540.00 Mb Available Physical Memory | 53.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 89.05 Gb Total Space | 55.36 Gb Free Space | 62.17% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RICHARDCRIST
Current User Name: Rick Crist
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/09 20:47:18 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rick Crist\Desktop\OTL.exe
PRC - [2010/02/25 22:59:43 | 000,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/11/24 19:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 19:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 19:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 19:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/05/19 01:23:16 | 000,049,968 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aim6.exe
PRC - [2008/11/06 13:33:00 | 000,041,264 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aolsoftware.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/21 11:28:36 | 000,643,072 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2007/02/21 11:19:58 | 000,819,200 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2007/02/21 11:19:40 | 000,294,912 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2007/02/21 11:17:42 | 000,970,752 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2007/02/21 11:16:48 | 000,983,040 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2007/02/21 11:13:26 | 000,487,424 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2007/02/21 11:10:00 | 000,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2004/09/13 17:33:20 | 000,155,648 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2004/08/19 15:40:08 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2003/10/29 04:06:00 | 000,024,576 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe


========== Modules (SafeList) ==========

MOD - [2010/04/09 20:47:18 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rick Crist\Desktop\OTL.exe
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/24 19:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 19:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 19:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 19:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2007/02/21 11:28:36 | 000,643,072 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2007/02/21 11:19:40 | 000,294,912 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel®
SRV - [2007/02/21 11:16:48 | 000,983,040 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2007/02/21 11:10:00 | 000,327,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2002/03/15 16:37:46 | 000,081,920 | R--- | M] (HP) [Disabled | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2009/11/24 19:50:59 | 000,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/11/24 19:50:12 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/11/24 19:50:00 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/24 19:49:07 | 000,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/24 19:48:57 | 000,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/24 19:47:54 | 000,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/09/08 13:41:49 | 000,045,344 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\dpm6b1c.sys -- (dpm6b1c)
DRV - [2007/05/18 16:54:10 | 000,008,413 | ---- | M] (RealNetworks, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mcstrm.sys -- (MCSTRM)
DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2007/02/21 11:16:12 | 000,012,416 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/02/08 13:51:16 | 002,209,408 | ---- | M] (IntelŪ Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/09/28 19:55:50 | 000,077,568 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\WudfPf.sys -- (WudfPf)
DRV - [2005/03/10 23:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2004/12/06 02:05:00 | 000,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/12/06 02:05:00 | 000,098,714 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/12/06 02:05:00 | 000,086,586 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/12/06 02:05:00 | 000,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/12/06 02:05:00 | 000,025,883 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/12/06 02:05:00 | 000,015,227 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/12/06 02:05:00 | 000,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/12/06 02:05:00 | 000,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/12/06 02:05:00 | 000,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/12/04 04:34:26 | 000,800,768 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/12/01 04:22:00 | 000,087,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/11/23 03:56:00 | 000,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/11/16 17:03:52 | 000,108,791 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2004/08/04 00:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/04 00:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/03 23:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/08/03 23:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/07/14 12:29:04 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 12:28:50 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2004/06/30 10:39:36 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | On_Demand | Running] -- C:\Program Files\Dell\NicConfigSvc\Appdrv.sys -- (Appdrv)
DRV - [2004/06/17 21:57:02 | 000,200,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/06/17 21:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/17 21:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/05/26 21:18:18 | 000,044,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2004/02/13 17:46:00 | 000,017,153 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)
DRV - [2002/06/10 14:16:34 | 000,371,766 | ---- | M] (Philips Semiconductors) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CamDrL21.sys -- (PhilCam8116) Logitech QuickCam Pro 3000(PID_08B0)
DRV - [2001/08/17 15:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 15:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 15:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 15:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 15:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 14:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 14:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 14:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 14:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 14:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 14:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 14:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 14:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 14:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 14:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3980743763-604523156-809557890-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://pulse.jefferson.edu/
IE - HKU\S-1-5-21-3980743763-604523156-809557890-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "www.yahoo.com"
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.071303000006
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/25 23:00:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/08 21:49:57 | 000,000,000 | ---D | M]

[2009/01/31 17:26:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick Crist\Application Data\Mozilla\Extensions
[2010/04/09 20:48:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick Crist\Application Data\Mozilla\Firefox\Profiles\7ks8e642.default\extensions
[2009/04/08 19:15:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick Crist\Application Data\Mozilla\Firefox\Profiles\7ks8e642.default\extensions\moveplayer@movenetworks.com
[2010/04/09 20:48:23 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/04/16 13:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2010/04/05 00:05:29 | 000,000,027 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKU\S-1-5-21-3980743763-604523156-809557890-1005..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe (AOL LLC)
O4 - HKU\S-1-5-21-3980743763-604523156-809557890-1005..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe (Trend Micro Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3980743763-604523156-809557890-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3980743763-604523156-809557890-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3980743763-604523156-809557890-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3980743763-604523156-809557890-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 65.106.1.196 65.106.7.196
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {88485281-8b4b-4f8d-9ede-82e29a064277} - C:\Program Files\MarkAny\ContentSafer\MACSMANAGER.dll (MarkAny Cooperation.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 18:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/01/07 11:14:24 | 000,688,128 | ---- | M] (University of British Columbia) - C:\autostitch.exe -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/04/10 13:02:06 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/10 13:01:42 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/04/10 12:39:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2010/04/10 12:32:09 | 000,157,696 | ---- | C] (The RaProducts Team: Paul McLain and Fred de Vries) -- C:\Documents and Settings\Rick Crist\Desktop\JavaRa.exe
[2010/04/10 08:17:02 | 000,594,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2010/04/10 08:17:02 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2010/04/10 08:17:01 | 001,985,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2010/04/09 20:47:16 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Rick Crist\Desktop\OTL.exe
[2010/04/08 21:50:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/08 21:49:57 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/04/08 21:49:57 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/08 21:49:57 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/08 21:49:57 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/08 21:49:57 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/08 21:09:54 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2010/04/08 20:50:45 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/04/08 20:50:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/04/08 20:50:11 | 005,650,240 | ---- | C] (SurfRight B.V.) -- C:\HitmanPro35.exe
[2010/04/08 20:44:21 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/04/08 20:26:34 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Rick Crist\PrivacIE
[2010/04/08 20:19:42 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Rick Crist\IETldCache
[2010/04/08 20:10:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\WBEM
[2010/04/08 20:08:08 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/04/08 20:08:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-US
[2010/04/08 19:58:34 | 016,883,056 | ---- | C] (Microsoft Corporation) -- C:\IE8-WindowsXP-x86-ENU.exe
[2010/04/08 19:28:11 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Rick Crist\Desktop\TDSSKiller.exe
[2010/04/06 01:09:56 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Rick Crist\Recent
[2010/04/06 00:12:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/06 00:12:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/06 00:12:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/05 19:52:53 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/05 19:51:31 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/04/04 23:53:33 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/04 23:53:33 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/04 23:53:33 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/04 23:53:33 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/04 23:53:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/04 23:52:22 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/04 21:56:16 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\TDSSKiller.exe
[2010/04/03 08:57:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/03/21 21:23:34 | 000,000,000 | ---D | C] -- C:\Program Files\Veetle
[2010/03/21 21:18:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rick Crist\Desktop\Downloads
[2010/03/20 23:38:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rick Crist\Local Settings\Application Data\Temp
[2010/03/20 23:38:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rick Crist\Local Settings\Application Data\Google
[2010/03/14 12:17:01 | 010,051,096 | ---- | C] (Opera Software ASA ) -- C:\Opera_1050_en_Setup.exe
[2008/12/27 12:08:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/11/09 18:58:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Intel
[2008/07/05 11:02:13 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2005/09/17 14:52:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Help
[2005/09/17 14:52:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Help
[2004/08/11 18:20:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2004/08/11 18:06:56 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/04/10 13:03:40 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/10 13:03:21 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/04/10 13:03:18 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/10 13:03:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/10 13:03:02 | 1073,180,672 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/10 13:02:15 | 006,291,456 | -H-- | M] () -- C:\Documents and Settings\Rick Crist\NTUSER.DAT
[2010/04/10 13:02:15 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Rick Crist\ntuser.ini
[2010/04/10 12:39:58 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/10 12:37:22 | 007,331,948 | -H-- | M] () -- C:\Documents and Settings\Rick Crist\Local Settings\Application Data\IconCache.db
[2010/04/10 11:43:05 | 000,000,998 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3980743763-604523156-809557890-1005UA.job
[2010/04/09 23:43:00 | 000,000,946 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3980743763-604523156-809557890-1005Core.job
[2010/04/09 20:47:18 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rick Crist\Desktop\OTL.exe
[2010/04/08 23:17:05 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/08 21:49:15 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/08 21:49:15 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/08 21:49:15 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/08 21:49:15 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/08 21:49:14 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/04/08 21:09:54 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2010/04/08 21:04:30 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/08 20:50:23 | 005,650,240 | ---- | M] (SurfRight B.V.) -- C:\HitmanPro35.exe
[2010/04/08 19:59:20 | 016,883,056 | ---- | M] (Microsoft Corporation) -- C:\IE8-WindowsXP-x86-ENU.exe
[2010/04/08 19:59:20 | 000,002,323 | ---- | M] () -- C:\Documents and Settings\Rick Crist\Desktop\Google Chrome.lnk
[2010/04/08 19:26:38 | 003,909,898 | R--- | M] () -- C:\Documents and Settings\Rick Crist\Desktop\billy.exe
[2010/04/05 23:56:33 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Rick Crist\Desktop\dds.scr
[2010/04/05 23:55:16 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Rick Crist\defogger_reenable
[2010/04/05 23:54:43 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Rick Crist\Desktop\Defogger.exe
[2010/04/05 19:53:00 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/05 18:41:20 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Rick Crist\Desktop\r0i9ftvs.exe
[2010/04/05 00:05:29 | 000,000,027 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/03 09:21:51 | 000,870,128 | ---- | M] () -- C:\WINDOWS\System32\mcs.rma
[2010/04/03 09:21:51 | 000,000,004 | ---- | M] () -- C:\WINDOWS\System32\1E2147
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/23 07:32:35 | 000,382,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/23 07:32:35 | 000,053,838 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/23 07:32:33 | 000,441,626 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/22 10:43:42 | 000,178,000 | ---- | M] (Kaspersky Lab) -- C:\TDSSKiller.exe
[2010/03/22 10:43:42 | 000,178,000 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Rick Crist\Desktop\TDSSKiller.exe
[2010/03/21 20:55:33 | 000,004,365 | ---- | M] () -- C:\bookmarks.htm
[2010/03/14 12:17:53 | 010,051,096 | ---- | M] (Opera Software ASA ) -- C:\Opera_1050_en_Setup.exe
[2010/03/12 18:02:38 | 000,261,632 | ---- | M] () -- C:\WINDOWS\PEV.exe

========== Files Created - No Company Name ==========

[2010/04/10 12:32:09 | 000,245,103 | ---- | C] () -- C:\Documents and Settings\Rick Crist\Desktop\JavaRa.def
[2010/04/08 20:59:54 | 1073,180,672 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/08 20:50:54 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/08 20:10:15 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/04/08 19:26:37 | 003,909,898 | R--- | C] () -- C:\Documents and Settings\Rick Crist\Desktop\billy.exe
[2010/04/06 00:13:30 | 000,013,678 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\K6sEH5Ir2Is
[2010/04/05 23:56:32 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Rick Crist\Desktop\dds.scr
[2010/04/05 23:55:16 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Rick Crist\defogger_reenable
[2010/04/05 23:54:42 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Rick Crist\Desktop\Defogger.exe
[2010/04/05 19:53:00 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/04/05 19:52:56 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/05 18:41:18 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Rick Crist\Desktop\r0i9ftvs.exe
[2010/04/04 23:53:33 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/04 23:53:33 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/04 23:53:33 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/04 23:53:33 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/04 23:53:33 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/03/21 20:55:33 | 000,004,365 | ---- | C] () -- C:\bookmarks.htm
[2010/03/20 23:44:17 | 000,002,323 | ---- | C] () -- C:\Documents and Settings\Rick Crist\Desktop\Google Chrome.lnk
[2010/03/20 23:38:29 | 000,000,998 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3980743763-604523156-809557890-1005UA.job
[2010/03/20 23:38:28 | 000,000,946 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3980743763-604523156-809557890-1005Core.job
[2009/09/06 11:46:06 | 000,045,344 | ---- | C] () -- C:\WINDOWS\System32\drivers\dpm6b1c.sys
[2009/03/28 15:25:29 | 000,000,225 | ---- | C] () -- C:\WINDOWS\AndreaMosaic.INI
[2006/12/09 20:39:29 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/09/28 19:55:50 | 000,077,568 | ---- | C] () -- C:\WINDOWS\System32\drivers\WudfPf.sys
[2006/09/05 20:00:20 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Rick Crist\.cachedpedigree.xml
[2006/06/11 20:25:28 | 000,000,643 | ---- | C] () -- C:\WINDOWS\tlknw20.ini
[2006/05/05 16:55:05 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/12/10 13:38:22 | 000,000,158 | ---- | C] () -- C:\WINDOWS\pagesuit.ini
[2005/12/10 13:38:18 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\irisco32.dll
[2005/12/10 13:29:37 | 000,552,960 | R--- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2005/11/23 20:18:29 | 000,000,092 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2005/10/13 23:11:24 | 000,000,797 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/09/16 20:07:19 | 000,000,241 | ---- | C] () -- C:\WINDOWS\QSync.INI
[2005/09/16 20:06:08 | 000,005,187 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2005/09/16 20:06:04 | 000,000,816 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2005/09/08 14:04:27 | 000,000,398 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2005/09/06 21:03:13 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/09/06 16:15:02 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/08/15 15:50:05 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Rick Crist\Application Data\PFP120JPR.{PB
[2005/08/15 15:50:05 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Rick Crist\Application Data\PFP120JCM.{PB
[2005/07/23 23:48:51 | 000,046,592 | ---- | C] () -- C:\Documents and Settings\Rick Crist\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/07/18 19:43:47 | 000,000,310 | ---- | C] () -- C:\Documents and Settings\Rick Crist\convert.log
[2005/07/18 19:43:34 | 006,291,456 | -H-- | C] () -- C:\Documents and Settings\Rick Crist\NTUSER.DAT
[2005/07/18 19:43:34 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Rick Crist\ntuser.dat.LOG
[2005/07/18 19:43:34 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Rick Crist\ntuser.ini
[2005/07/18 19:42:38 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2005/07/18 19:42:38 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2005/07/06 22:33:19 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/07/06 22:22:36 | 000,000,444 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/07/06 22:13:20 | 000,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2005/07/06 21:48:56 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\stac97co.dll
[2005/07/06 21:47:58 | 000,000,372 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/04/28 00:22:38 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/04/28 00:22:34 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/04/28 00:22:34 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2004/08/12 09:44:10 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\iwca.dll
[2004/08/11 18:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 18:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/02/10 16:08:00 | 000,000,373 | ---- | C] () -- C:\WINDOWS\System32\dlbccoin.ini
[2002/11/13 16:40:22 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbcvs.dll
[2002/10/06 14:42:57 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2002/10/04 19:04:25 | 000,921,600 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2002/10/04 19:04:24 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2002/10/04 19:04:17 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\Ogg.dll
[1999/01/27 13:39:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
< End of report >


And the link to the VirusTotal scan:

http://www.virustotal.com/analisis/513e6b7...fa81-1270919726

#6 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:47 AM

Posted 10 April 2010 - 12:42 PM

I don't like the look of that file; let's try renaming it and see if it causes any problems.
  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c ren C:\WINDOWS\System32\drivers\dpm6b1c.sys dpm6b1c.bak
  • This will rename the suspicious file. Once done, do a reboot.

Once rebooted, let me know if you get any problems. If you do, we will put the file back; if not, we will remove it and go on with cleaning.

Thanks


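The file syler singles out, dpm6b1c.sys, appears in the OTL report earlier in this thread under "Files Created - No Company Name": a kernel driver created in 2009 with an empty company field. The same report shows why that alone is not a verdict: hitmanpro35.sys also has no company string and is the scanner's own driver installed during this cleanup. The following is an added example, not code from the thread or from OTL/BleepingComputer, that parses the OTL file-list line format and flags .sys files under the drivers folder with no company name, so the helper can see candidates and the false positives side by side. The OtlEntry class, the function names and the heuristic itself are assumptions of this example; the sample lines are copied from the report above.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# One OTL file-list line looks like:
#   [2009/09/06 11:46:06 | 000,045,344 | ---- | C] () -- C:\WINDOWS\System32\drivers\dpm6b1c.sys
# fields: timestamp | size (comma-grouped) | attributes | C=created/M=modified ] (Company) -- path
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    attrs: str
    kind: str
    company: str
    path: str


def parse_otl_line(line):
    """Parse one OTL file-list line; return None for anything else (headers, blanks)."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=m["company"].strip(),
        path=m["path"],
    )


def is_suspicious_driver(entry):
    """Kernel driver (.sys under the drivers folder) with an empty company field.

    A triage heuristic, not proof: hitmanpro35.sys below also has no company
    string and is a legitimate scanner driver installed during this cleanup.
    Corroborate with the creation date, a service entry, and a hash lookup."""
    p = entry.path.lower()
    return p.endswith(".sys") and "\\system32\\drivers\\" in p and entry.company == ""


def triage(lines):
    """Return the entries that trip is_suspicious_driver, in log order."""
    return [e for e in map(parse_otl_line, lines) if e and is_suspicious_driver(e)]


# Lines taken from the OTL report earlier in this thread (sample input for the demo).
SAMPLE = r"""
[2009/09/06 11:46:06 | 000,045,344 | ---- | C] () -- C:\WINDOWS\System32\drivers\dpm6b1c.sys
[2010/04/08 20:50:54 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2005/12/10 13:38:18 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\irisco32.dll
""".strip().splitlines()

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{e.timestamp:%Y-%m-%d}  {e.size:>8} bytes  {e.path}")
```

Run against the full OTL log, both dpm6b1c.sys and hitmanpro35.sys come out; the 2009 creation date with no matching installer, and the VirusTotal result syler asked for, are what separate the first from the second. Renaming rather than deleting, as the post above does, keeps the rollback cheap if the heuristic was wrong.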
#7 ricker2005
  • Topic Starter
  • Members
  • 10 posts
  • Local time:01:47 AM

Posted 10 April 2010 - 12:55 PM

I changed the file name and rebooted. No obvious changes so far.

#8 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:47 AM

Posted 10 April 2010 - 01:09 PM

OK, we will remove it then, if you continue to have no problems. Please do this next.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


#9 ricker2005
  • Topic Starter
  • Members
  • 10 posts
  • Local time:01:47 AM

Posted 10 April 2010 - 02:09 PM

So when I was looking at your last post, I got a few fake "Windows security center" and "XP Internet Security" popups telling me to buy an anti-spyware program. So I ran Spybot and deleted the three things it found before I ran ComboFix. Here's the ComboFix log.

ComboFix 10-04-07.04 - Rick Crist 04/10/2010 14:48:24.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.486 [GMT -4:00]
Running from: c:\documents and settings\Rick Crist\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100410-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe
c:\documents and settings\Rick Crist\Local Settings\Application Data\ave.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-10 to 2010-04-10 )))))))))))))))))))))))))))))))
.

2010-04-10 18:37 . 2010-04-10 18:37 182272 --sha-w- c:\documents and settings\Rick Crist\Local Settings\Application Data\2747461249.dll
2010-04-10 17:14 . 2010-04-10 17:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-10 17:01 . 2010-04-10 17:01 -------- d-----w- C:\_OTL
2010-04-10 16:39 . 2010-04-10 16:40 -------- d-----w- c:\windows\ie8updates
2010-04-10 12:17 . 2010-02-25 06:24 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-04-10 12:17 . 2010-02-25 06:24 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-04-10 12:17 . 2010-02-25 06:24 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-04-10 12:17 . 2010-02-25 06:24 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-10 12:17 . 2010-02-25 06:24 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-04-09 01:50 . 2010-04-09 01:50 503808 ----a-w- c:\documents and settings\Rick Crist\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6c9dff03-n\msvcp71.dll
2010-04-09 01:50 . 2010-04-09 01:50 499712 ----a-w- c:\documents and settings\Rick Crist\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6c9dff03-n\jmc.dll
2010-04-09 01:50 . 2010-04-09 01:50 348160 ----a-w- c:\documents and settings\Rick Crist\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6c9dff03-n\msvcr71.dll
2010-04-09 01:50 . 2010-04-09 01:50 61440 ----a-w- c:\documents and settings\Rick Crist\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5760ffb7-n\decora-sse.dll
2010-04-09 01:50 . 2010-04-09 01:50 12800 ----a-w- c:\documents and settings\Rick Crist\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5760ffb7-n\decora-d3d.dll
2010-04-09 01:49 . 2010-04-09 01:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-09 01:09 . 2010-04-09 01:09 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-09 00:50 . 2010-04-09 01:04 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-09 00:50 . 2010-04-09 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-09 00:50 . 2010-04-09 00:50 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-09 00:50 . 2010-04-09 00:50 5650240 ----a-w- C:\HitmanPro35.exe
2010-04-09 00:44 . 2010-04-09 00:44 -------- d-----w- c:\program files\ESET
2010-04-09 00:26 . 2010-04-09 00:26 -------- d-sh--w- c:\documents and settings\Rick Crist\PrivacIE
2010-04-09 00:21 . 2010-04-09 00:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-09 00:19 . 2010-04-09 00:19 -------- d-sh--w- c:\documents and settings\Rick Crist\IETldCache
2010-04-09 00:08 . 2010-04-09 00:10 -------- dc-h--w- c:\windows\ie8
2010-04-08 23:58 . 2010-04-08 23:59 16883056 ----a-w- C:\IE8-WindowsXP-x86-ENU.exe
2010-04-06 04:12 . 2010-04-10 17:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-05 01:56 . 2010-03-22 14:43 178000 ----a-w- C:\TDSSKiller.exe
2010-03-22 01:23 . 2010-03-22 01:24 -------- d-----w- c:\program files\Veetle
2010-03-21 03:38 . 2010-04-08 23:59 -------- d-----w- c:\documents and settings\Rick Crist\Local Settings\Application Data\Temp
2010-03-21 03:38 . 2010-03-21 03:42 -------- d-----w- c:\documents and settings\Rick Crist\Local Settings\Application Data\Google
2010-03-14 16:17 . 2010-03-14 16:17 10051096 ----a-w- C:\Opera_1050_en_Setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-10 16:35 . 2005-07-07 02:08 -------- d-----w- c:\program files\Java
2010-04-09 08:38 . 2009-11-08 03:54 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-09 01:50 . 2005-07-07 02:08 -------- d-----w- c:\program files\Common Files\Java
2010-04-06 05:12 . 2009-02-18 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-03 14:55 . 2009-02-18 01:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-03 14:55 . 2009-09-09 02:18 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 04:46 . 2009-02-18 01:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-02-18 01:21 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-22 01:33 . 2005-07-07 02:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-14 16:18 . 2005-07-19 03:29 -------- d-----w- c:\program files\Opera
2010-02-25 06:24 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-18 12:39 . 2010-02-18 12:39 -------- d-----w- c:\program files\Microsoft Silverlight
.

((((((((((((((((((((((((((((( SnapShot_2010-04-09_03.17.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-10 18:42 . 2010-04-10 18:42 16384 c:\windows\Temp\Perflib_Perfdata_72c.dat
+ 2010-04-10 18:42 . 2010-04-10 18:42 16384 c:\windows\Temp\Perflib_Perfdata_140.dat
- 2009-03-08 08:31 . 2009-03-08 08:31 55296 c:\windows\system32\msfeedsbs.dll
+ 2009-03-08 08:31 . 2010-02-25 06:24 55296 c:\windows\system32\msfeedsbs.dll
+ 2004-08-11 22:00 . 2010-02-25 06:24 25600 c:\windows\system32\jsproxy.dll
- 2004-08-11 22:00 . 2009-03-08 08:33 25600 c:\windows\system32\jsproxy.dll
+ 2009-11-08 03:54 . 2010-02-25 06:24 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2009-11-08 03:54 . 2009-03-08 08:33 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2010-04-10 16:39 . 2009-03-08 08:33 12288 c:\windows\ie8updates\KB980182-IE8\xpshims.dll
+ 2010-04-10 16:39 . 2009-03-08 08:31 55296 c:\windows\ie8updates\KB980182-IE8\msfeedsbs.dll
+ 2010-04-10 16:39 . 2009-03-08 08:33 25600 c:\windows\ie8updates\KB980182-IE8\jsproxy.dll
+ 2004-08-11 22:00 . 2010-02-25 06:24 206848 c:\windows\system32\occache.dll
+ 2004-08-11 22:00 . 2010-02-25 06:24 611840 c:\windows\system32\mstime.dll
- 2004-08-11 22:00 . 2009-03-08 08:32 611840 c:\windows\system32\mstime.dll
+ 2009-03-08 08:32 . 2010-02-25 06:24 594432 c:\windows\system32\msfeeds.dll
- 2009-03-08 08:32 . 2009-03-08 08:32 594432 c:\windows\system32\msfeeds.dll
- 2004-08-11 22:00 . 2009-03-08 08:33 726528 c:\windows\system32\jscript.dll
+ 2004-08-11 22:00 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
+ 2004-08-11 22:00 . 2010-02-25 06:24 184320 c:\windows\system32\iepeers.dll
+ 2004-08-11 22:00 . 2010-02-25 06:24 387584 c:\windows\system32\iedkcs32.dll
- 2004-08-11 22:00 . 2009-03-08 08:32 173056 c:\windows\system32\ie4uinit.exe
+ 2004-08-11 22:00 . 2010-02-24 09:54 173056 c:\windows\system32\ie4uinit.exe
+ 2009-11-08 03:54 . 2010-02-25 06:24 916480 c:\windows\system32\dllcache\wininet.dll
+ 2009-03-08 08:34 . 2010-02-25 06:24 206848 c:\windows\system32\dllcache\occache.dll
- 2009-11-08 03:54 . 2009-03-08 08:32 611840 c:\windows\system32\dllcache\mstime.dll
+ 2009-11-08 03:54 . 2010-02-25 06:24 611840 c:\windows\system32\dllcache\mstime.dll
+ 2009-11-08 03:54 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
- 2009-11-08 03:54 . 2009-03-08 08:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-11-08 03:54 . 2010-02-25 06:24 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2009-03-08 18:09 . 2010-02-25 06:24 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2009-03-08 08:32 . 2009-03-08 08:32 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-03-08 08:32 . 2010-02-24 09:54 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2010-04-10 16:39 . 2009-03-08 08:34 914944 c:\windows\ie8updates\KB980182-IE8\wininet.dll
+ 2010-04-10 16:39 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB980182-IE8\spuninst\updspapi.dll
+ 2010-04-10 16:39 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB980182-IE8\spuninst\spuninst.exe
+ 2010-04-10 16:39 . 2009-03-08 08:34 109568 c:\windows\ie8updates\KB980182-IE8\occache.dll
+ 2010-04-10 16:39 . 2009-03-08 08:32 611840 c:\windows\ie8updates\KB980182-IE8\mstime.dll
+ 2010-04-10 16:39 . 2009-03-08 08:32 594432 c:\windows\ie8updates\KB980182-IE8\msfeeds.dll
+ 2010-04-10 16:39 . 2009-03-08 08:33 246784 c:\windows\ie8updates\KB980182-IE8\ieproxy.dll
+ 2010-04-10 16:39 . 2009-03-08 08:31 183808 c:\windows\ie8updates\KB980182-IE8\iepeers.dll
+ 2010-04-10 16:39 . 2009-03-08 18:09 391536 c:\windows\ie8updates\KB980182-IE8\iedkcs32.dll
+ 2010-04-10 16:39 . 2009-03-08 08:32 173056 c:\windows\ie8updates\KB980182-IE8\ie4uinit.exe
+ 2010-04-10 16:40 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2010-04-10 16:40 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2010-04-10 16:40 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
+ 2010-04-10 16:39 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2010-04-10 16:39 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2010-04-10 16:39 . 2009-03-08 08:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2004-08-11 22:00 . 2010-02-25 06:24 1209344 c:\windows\system32\urlmon.dll
+ 2004-08-11 22:00 . 2010-02-25 06:24 5944832 c:\windows\system32\mshtml.dll
+ 2009-03-08 08:32 . 2010-02-25 06:24 1985536 c:\windows\system32\iertutil.dll
+ 2009-11-08 03:54 . 2010-02-25 06:24 1209344 c:\windows\system32\dllcache\urlmon.dll
+ 2009-11-08 03:54 . 2010-02-25 06:24 5944832 c:\windows\system32\dllcache\mshtml.dll
+ 2010-04-10 16:39 . 2009-03-08 08:34 1206784 c:\windows\ie8updates\KB980182-IE8\urlmon.dll
+ 2010-04-10 16:39 . 2009-03-08 08:41 5937152 c:\windows\ie8updates\KB980182-IE8\mshtml.dll
+ 2010-04-10 16:39 . 2009-03-08 08:32 1985024 c:\windows\ie8updates\KB980182-IE8\iertutil.dll
+ 2009-03-08 08:39 . 2010-02-25 15:54 11070976 c:\windows\system32\ieframe.dll
+ 2010-02-25 15:54 . 2010-02-25 15:54 11070976 c:\windows\system32\dllcache\ieframe.dll
+ 2010-04-10 16:39 . 2009-03-08 08:39 11063808 c:\windows\ie8updates\KB980182-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2008-04-10 396288]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-04 344064]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-7-6 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/9/2009 11:27 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/9/2009 11:27 PM 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/27/2009 9:07 PM 24652]
S0 dpm6b1c;dpm6b1c;\SystemRoot\\SystemRoot\System32\drivers\dpm6b1c.sys --> \SystemRoot\\SystemRoot\System32\drivers\dpm6b1c.sys [?]
S1 80708658.sys;80708658.sys;\??\c:\windows\System32\drivers\80708658.sys --> c:\windows\System32\drivers\80708658.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3980743763-604523156-809557890-1005Core.job
- c:\documents and settings\Rick Crist\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-21 03:38]

2010-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3980743763-604523156-809557890-1005UA.job
- c:\documents and settings\Rick Crist\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-21 03:38]

2005-11-11 c:\windows\Tasks\sonicrush1_sub_highres.job
- c:\documents and settings\Rick Crist\My Documents\sonicrush1_sub_highres.mov [2005-08-23 17:14]

2010-04-10 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://pulse.jefferson.edu/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Rick Crist\Application Data\Mozilla\Firefox\Profiles\7ks8e642.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\documents and settings\Rick Crist\Application Data\Mozilla\Firefox\Profiles\7ks8e642.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Rick Crist\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-10 14:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x870B3AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf761ffc3
\Driver\ACPI -> ACPI.sys @ 0xf74b2cb8
\Driver\atapi -> atapi.sys @ 0xf74267b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf730aba0
PacketIndicateHandler -> NDIS.sys @ 0xf72f9a0b
SendHandler -> NDIS.sys @ 0xf730db31
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(884)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-10 15:03:11
ComboFix-quarantined-files.txt 2010-04-10 19:03
ComboFix2.txt 2010-04-09 03:21
ComboFix3.txt 2010-04-08 23:43
ComboFix4.txt 2010-04-06 00:04
ComboFix5.txt 2010-04-10 18:46

Pre-Run: 59,345,317,888 bytes free
Post-Run: 59,303,362,560 bytes free

- - End Of File - - BA73479ABED623E31BD599093408149F


#10 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:47 AM

Posted 10 April 2010 - 03:35 PM

There's no need to run any other scanners at the moment; please just run the scans I ask for. Thanks.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/307553/google-redirect-tdss-rootkit-infection/

Collect::
C:\WINDOWS\System32\drivers\dpm6b1c.bak
FCopy::
C:\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-
Driver::
dpm6b1c
80708658.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



#11 ricker2005

ricker2005
  • Topic Starter

  • Members
  • 10 posts

Posted 11 April 2010 - 01:10 AM

Here's the new log.

ComboFix 10-04-07.04 - Rick Crist 04/11/2010 1:46.7.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.351 [GMT -4:00]
Running from: c:\documents and settings\Rick Crist\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rick Crist\Desktop\CFscript.txt
AV: avast! antivirus 4.8.1368 [VPS 100410-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\windows\System32\drivers\dpm6b1c.bak
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\drivers\dpm6b1c.bak

.
--------------- FCopy ---------------

c:\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_80708658.sys
-------\Service_dpm6b1c


((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-10 18:37 . 2010-04-10 18:37 182272 --sha-w- c:\documents and settings\Rick Crist\Local Settings\Application Data\2747461249.dll
2010-04-10 17:14 . 2010-04-10 17:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-10 17:01 . 2010-04-10 17:01 -------- d-----w- C:\_OTL
2010-04-10 16:39 . 2010-04-10 16:40 -------- d-----w- c:\windows\ie8updates
2010-04-10 12:17 . 2010-02-25 06:24 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-04-10 12:17 . 2010-02-25 06:24 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-04-10 12:17 . 2010-02-25 06:24 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-04-10 12:17 . 2010-02-25 06:24 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-10 12:17 . 2010-02-25 06:24 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-04-09 01:50 . 2010-04-09 01:50 503808 ----a-w- c:\documents and settings\Rick Crist\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6c9dff03-n\msvcp71.dll
2010-04-09 01:50 . 2010-04-09 01:50 499712 ----a-w- c:\documents and settings\Rick Crist\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6c9dff03-n\jmc.dll
2010-04-09 01:50 . 2010-04-09 01:50 348160 ----a-w- c:\documents and settings\Rick Crist\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6c9dff03-n\msvcr71.dll
2010-04-09 01:50 . 2010-04-09 01:50 61440 ----a-w- c:\documents and settings\Rick Crist\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5760ffb7-n\decora-sse.dll
2010-04-09 01:50 . 2010-04-09 01:50 12800 ----a-w- c:\documents and settings\Rick Crist\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5760ffb7-n\decora-d3d.dll
2010-04-09 01:49 . 2010-04-09 01:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-09 01:09 . 2010-04-09 01:09 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-09 00:50 . 2010-04-09 01:04 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-09 00:50 . 2010-04-09 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-09 00:50 . 2010-04-09 00:50 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-09 00:50 . 2010-04-09 00:50 5650240 ----a-w- C:\HitmanPro35.exe
2010-04-09 00:44 . 2010-04-09 00:44 -------- d-----w- c:\program files\ESET
2010-04-09 00:26 . 2010-04-09 00:26 -------- d-sh--w- c:\documents and settings\Rick Crist\PrivacIE
2010-04-09 00:21 . 2010-04-09 00:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-09 00:19 . 2010-04-09 00:19 -------- d-sh--w- c:\documents and settings\Rick Crist\IETldCache
2010-04-09 00:08 . 2010-04-09 00:10 -------- dc-h--w- c:\windows\ie8
2010-04-08 23:58 . 2010-04-08 23:59 16883056 ----a-w- C:\IE8-WindowsXP-x86-ENU.exe
2010-04-06 04:12 . 2010-04-10 17:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-05 01:56 . 2010-03-22 14:43 178000 ----a-w- C:\TDSSKiller.exe
2010-03-22 01:23 . 2010-03-22 01:24 -------- d-----w- c:\program files\Veetle
2010-03-21 03:38 . 2010-04-08 23:59 -------- d-----w- c:\documents and settings\Rick Crist\Local Settings\Application Data\Temp
2010-03-21 03:38 . 2010-03-21 03:42 -------- d-----w- c:\documents and settings\Rick Crist\Local Settings\Application Data\Google
2010-03-14 16:17 . 2010-03-14 16:17 10051096 ----a-w- C:\Opera_1050_en_Setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-10 16:35 . 2005-07-07 02:08 -------- d-----w- c:\program files\Java
2010-04-09 01:50 . 2005-07-07 02:08 -------- d-----w- c:\program files\Common Files\Java
2010-04-06 05:12 . 2009-02-18 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-03 14:55 . 2009-02-18 01:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-03 14:55 . 2009-09-09 02:18 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 04:46 . 2009-02-18 01:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-02-18 01:21 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-22 01:33 . 2005-07-07 02:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-14 16:18 . 2005-07-19 03:29 -------- d-----w- c:\program files\Opera
2010-02-25 06:24 . 2004-08-11 22:00 916480 ------w- c:\windows\system32\wininet.dll
2010-02-18 12:39 . 2010-02-18 12:39 -------- d-----w- c:\program files\Microsoft Silverlight
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2008-04-10 396288]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-04 344064]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-7-6 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/9/2009 11:27 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/9/2009 11:27 PM 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/27/2009 9:07 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3980743763-604523156-809557890-1005Core.job
- c:\documents and settings\Rick Crist\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-21 03:38]

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3980743763-604523156-809557890-1005UA.job
- c:\documents and settings\Rick Crist\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-21 03:38]

2005-11-11 c:\windows\Tasks\sonicrush1_sub_highres.job
- c:\documents and settings\Rick Crist\My Documents\sonicrush1_sub_highres.mov [2005-08-23 17:14]

2010-04-11 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://pulse.jefferson.edu/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Rick Crist\Application Data\Mozilla\Firefox\Profiles\7ks8e642.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\documents and settings\Rick Crist\Application Data\Mozilla\Firefox\Profiles\7ks8e642.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Rick Crist\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 01:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86EBDAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7658fc3
\Driver\ACPI -> ACPI.sys @ 0xf74ebcb8
\Driver\atapi -> atapi.sys @ 0xf745f7b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7343ba0
PacketIndicateHandler -> NDIS.sys @ 0xf7332a0b
SendHandler -> NDIS.sys @ 0xf7346b31
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(892)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(904)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Apoint\Apntex.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2010-04-11 02:07:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-11 06:07
ComboFix2.txt 2010-04-10 19:03
ComboFix3.txt 2010-04-09 03:21
ComboFix4.txt 2010-04-08 23:43
ComboFix5.txt 2010-04-11 05:44

Pre-Run: 59,250,638,848 bytes free
Post-Run: 59,221,999,616 bytes free

- - End Of File - - 468160205F01A50626C33B9601062A34


#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 11 April 2010 - 12:30 PM

Please see this topic and follow the instructions to disable your CD Emulation programs using DeFogger.


Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

CODE
Files to move:
c:\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" when prompted to reboot.
  • Avenger will restart your computer. After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt


  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c mbr -t& start mbr.log
  • A file called mbr.log will pop up; please post the contents in your reply.



Please navigate to the following file, then copy and paste the contents in your reply

C:\QooBox\ComboFix-quarantined-files.txt


Then please post back here with the following logs:
  • avenger.txt
  • mbr.log
  • ComboFix-quarantined-files.txt

Thanks



#13 ricker2005

ricker2005
  • Topic Starter

  • Members
  • 10 posts

Posted 11 April 2010 - 12:47 PM

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "c:\i386\atapi.sys|c:\windows\system32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x870B6AC8]<<
kernel: MBR read successfully
user & kernel MBR OK


2010-04-11 05:54:14 . 2010-04-11 05:54:14 2,434 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_dpm6b1c.reg.dat
2010-04-11 05:54:13 . 2010-04-11 05:54:13 2,302 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_80708658.sys.reg.dat
2010-04-11 05:46:18 . 2010-04-11 05:46:20 45,288 ----a-w- C:\Qoobox\Quarantine\[4]-Submit_2010-04-11_01.46.12.zip
2010-04-10 18:00:42 . 2010-04-10 18:00:42 182,272 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Rick Crist\Local Settings\Application Data\ave.exe.vir
2010-04-10 18:00:23 . 2010-04-10 18:00:23 182,272 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe.vir
2010-04-05 04:54:25 . 2010-04-05 04:54:25 546 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-klmdb.sys.reg.dat
2010-04-05 04:11:28 . 2010-04-05 04:11:28 98 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-WebCamRT.exe.reg.dat
2010-04-05 04:01:19 . 2010-04-11 05:53:39 8,434 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-04-05 03:53:20 . 2010-04-11 05:42:49 357 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-11-08 03:54:09 . 2010-04-09 08:38:07 95,360 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir
2009-09-06 15:46:06 . 2009-09-08 17:41:49 45,344 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\dpm6b1c.bak.vir
2008-12-27 16:07:45 . 2006-04-11 14:03:44 163,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\muzapp.exe.vir
2008-04-10 01:38:49 . 2008-04-10 01:38:49 6 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\reboot.txt.vir
2007-11-20 22:13:39 . 2006-10-04 14:05:26 39,424 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\AppPatch\acadproc.dll.vir
2004-08-11 22:12:54 . 2004-08-04 10:00:00 382,464 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003426_.tmp.dll.vir
2004-08-11 22:00:43 . 2004-08-04 10:00:00 2,897,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003425_.tmp.dll.vir
2004-08-11 22:00:38 . 2009-06-10 06:32:40 132,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003365_.tmp.dll.vir
2004-08-11 22:00:38 . 2004-08-04 10:00:00 146,432 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003366_.tmp.dll.vir
2004-08-11 22:00:37 . 2004-08-04 10:00:00 101,888 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003367_.tmp.dll.vir
2004-08-11 22:00:37 . 2009-04-17 09:58:57 1,846,656 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003368_.tmp.dll.vir
2004-08-11 22:00:34 . 2004-12-07 19:32:34 96,768 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003375_.tmp.dll.vir
2004-08-11 22:00:31 . 2004-08-04 10:00:00 22,040 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003376_.tmp.dll.vir
2004-08-11 22:00:31 . 2004-08-04 10:00:00 50,688 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003377_.tmp.dll.vir
2004-08-11 22:00:30 . 2004-08-04 10:00:00 983,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003378_.tmp.dll.vir
2004-08-11 22:00:30 . 2009-02-06 17:14:03 110,592 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003380_.tmp.dll.vir
2004-08-11 22:00:30 . 2009-06-25 08:44:41 168,448 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003381_.tmp.dll.vir
2004-08-11 22:00:30 . 2004-08-04 10:00:00 415,744 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003384_.tmp.dll.vir
2004-08-11 22:00:30 . 2004-08-04 10:00:00 64,000 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003385_.tmp.dll.vir
2004-08-11 22:00:29 . 2004-08-04 10:00:00 58,880 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003387_.tmp.dll.vir
2004-08-11 22:00:29 . 2004-08-04 10:00:00 61,440 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003388_.tmp.dll.vir
2004-08-11 22:00:29 . 2004-08-04 10:00:00 657,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003389_.tmp.dll.vir
2004-08-11 22:00:29 . 2004-08-04 10:00:00 236,544 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003391_.tmp.dll.vir
2004-08-11 22:00:27 . 2005-07-26 04:39:49 37,888 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003394_.tmp.dll.vir
2004-08-11 22:00:27 . 2007-12-04 18:38:13 550,912 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003395_.tmp.dll.vir
2004-08-11 22:00:25 . 2004-08-04 10:00:00 8,192 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003399_.tmp.dll.vir
2004-08-11 22:00:25 . 2009-02-09 10:20:33 714,752 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003400_.tmp.dll.vir
2004-08-11 22:00:23 . 2009-09-11 14:33:52 133,632 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003402_.tmp.dll.vir
2004-08-11 22:00:18 . 2009-06-25 08:44:41 724,480 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003405_.tmp.dll.vir
2004-08-11 22:00:18 . 2009-05-07 15:44:00 344,064 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003407_.tmp.dll.vir
2004-08-11 22:00:18 . 2004-08-04 10:00:00 249,270 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003408_.tmp.dll.vir
2004-08-11 22:00:18 . 2004-08-04 10:00:00 13,824 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003409_.tmp.dll.vir
2004-08-11 22:00:18 . 2009-03-21 14:18:57 986,112 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003410_.tmp.dll.vir
2004-08-11 22:00:17 . 2004-08-04 10:00:00 144,384 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003411_.tmp.dll.vir
2004-08-11 22:00:04 . 2006-05-19 12:59:41 111,616 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003414_.tmp.dll.vir
2004-08-11 22:00:04 . 2004-08-04 10:00:00 135,168 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003415_.tmp.dll.vir
2004-08-11 22:00:04 . 2004-08-04 10:00:00 32,768 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003416_.tmp.dll.vir
2004-08-11 22:00:03 . 2004-08-04 10:00:00 276,992 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003417_.tmp.dll.vir
2004-08-11 22:00:03 . 2006-08-25 15:45:58 617,472 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003418_.tmp.dll.vir
2004-08-11 22:00:00 . 2009-02-09 10:20:33 616,960 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_003423_.tmp.dll.vir
2000-10-27 22:23:18 . 2000-10-27 22:23:18 50,688 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\BSZIP.DLL.vir


#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 11 April 2010 - 01:39 PM

Go to the Malware Upload Channel and upload the following file.
  • Please enter the link to the topic in the text box next to: Link to topic where this file was requested:
url here
  • Then click "Browse" on the line below and navigate to the following file:
C:\Qoobox\Quarantine\[4]-Submit_2010-04-11_01.46.12.zip
  • Click Send File


  • Go to Kaspersky and Download TDSSKiller.zip.
  • Extract the contents of TDSSKiller.zip to your Desktop.
  • Double click on TDSSKiller.exe to run it.
  • If it finds something and asks you what to do, follow the instructions to type in "delete".
  • When done, a log file should be created on your C: drive called TDSSKiller.txt (with time and date appended); please post this log in your next reply.



#15 ricker2005

ricker2005
  • Topic Starter

  • Members
  • 10 posts

Posted 11 April 2010 - 01:51 PM

I uploaded the file. Here's the log for TDSSkiller.

14:45:40:296 2400 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
14:45:40:296 2400 ================================================================================
14:45:40:296 2400 SystemInfo:

14:45:40:296 2400 OS Version: 5.1.2600 ServicePack: 2.0
14:45:40:296 2400 Product type: Workstation
14:45:40:296 2400 ComputerName: RICHARDCRIST
14:45:40:296 2400 UserName: Rick Crist
14:45:40:296 2400 Windows directory: C:\WINDOWS
14:45:40:296 2400 Processor architecture: Intel x86
14:45:40:296 2400 Number of processors: 1
14:45:40:296 2400 Page size: 0x1000
14:45:40:296 2400 Boot type: Normal boot
14:45:40:296 2400 ================================================================================
14:45:40:296 2400 UnloadDriverW: NtUnloadDriver error 2
14:45:40:296 2400 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
14:45:40:328 2400 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
14:45:40:343 2400 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:45:40:343 2400 wfopen_ex: Trying to KLMD file open
14:45:40:343 2400 wfopen_ex: File opened ok (Flags 2)
14:45:40:343 2400 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
14:45:40:343 2400 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:45:40:343 2400 wfopen_ex: Trying to KLMD file open
14:45:40:343 2400 wfopen_ex: File opened ok (Flags 2)
14:45:40:343 2400 Initialize success
14:45:40:343 2400
14:45:40:343 2400 Scanning Services ...
14:45:41:000 2400 Raw services enum returned 364 services
14:45:41:015 2400
14:45:41:015 2400 Scanning Kernel memory ...
14:45:41:015 2400 Devices to scan: 4
14:45:41:015 2400
14:45:41:015 2400 Driver Name: Disk
14:45:41:015 2400 IRP_MJ_CREATE : F7631C30
14:45:41:015 2400 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
14:45:41:015 2400 IRP_MJ_CLOSE : F7631C30
14:45:41:015 2400 IRP_MJ_READ : F762BD9B
14:45:41:015 2400 IRP_MJ_WRITE : F762BD9B
14:45:41:015 2400 IRP_MJ_QUERY_INFORMATION : 804F3418
14:45:41:015 2400 IRP_MJ_SET_INFORMATION : 804F3418
14:45:41:015 2400 IRP_MJ_QUERY_EA : 804F3418
14:45:41:015 2400 IRP_MJ_SET_EA : 804F3418
14:45:41:015 2400 IRP_MJ_FLUSH_BUFFERS : F762C366
14:45:41:015 2400 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
14:45:41:015 2400 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
14:45:41:015 2400 IRP_MJ_DIRECTORY_CONTROL : 804F3418
14:45:41:015 2400 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
14:45:41:015 2400 IRP_MJ_DEVICE_CONTROL : F762C44D
14:45:41:015 2400 IRP_MJ_INTERNAL_DEVICE_CONTROL : F762FFC3
14:45:41:015 2400 IRP_MJ_SHUTDOWN : F762C366
14:45:41:015 2400 IRP_MJ_LOCK_CONTROL : 804F3418
14:45:41:015 2400 IRP_MJ_CLEANUP : 804F3418
14:45:41:015 2400 IRP_MJ_CREATE_MAILSLOT : 804F3418
14:45:41:015 2400 IRP_MJ_QUERY_SECURITY : 804F3418
14:45:41:015 2400 IRP_MJ_SET_SECURITY : 804F3418
14:45:41:015 2400 IRP_MJ_POWER : F762DEF3
14:45:41:015 2400 IRP_MJ_SYSTEM_CONTROL : F7632A24
14:45:41:015 2400 IRP_MJ_DEVICE_CHANGE : 804F3418
14:45:41:015 2400 IRP_MJ_QUERY_QUOTA : 804F3418
14:45:41:015 2400 IRP_MJ_SET_QUOTA : 804F3418
14:45:41:062 2400 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:45:41:062 2400
14:45:41:062 2400 Driver Name: Disk
14:45:41:062 2400 IRP_MJ_CREATE : F7631C30
14:45:41:062 2400 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
14:45:41:062 2400 IRP_MJ_CLOSE : F7631C30
14:45:41:062 2400 IRP_MJ_READ : F762BD9B
14:45:41:062 2400 IRP_MJ_WRITE : F762BD9B
14:45:41:062 2400 IRP_MJ_QUERY_INFORMATION : 804F3418
14:45:41:062 2400 IRP_MJ_SET_INFORMATION : 804F3418
14:45:41:062 2400 IRP_MJ_QUERY_EA : 804F3418
14:45:41:062 2400 IRP_MJ_SET_EA : 804F3418
14:45:41:062 2400 IRP_MJ_FLUSH_BUFFERS : F762C366
14:45:41:062 2400 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
14:45:41:062 2400 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
14:45:41:062 2400 IRP_MJ_DIRECTORY_CONTROL : 804F3418
14:45:41:062 2400 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
14:45:41:062 2400 IRP_MJ_DEVICE_CONTROL : F762C44D
14:45:41:062 2400 IRP_MJ_INTERNAL_DEVICE_CONTROL : F762FFC3
14:45:41:062 2400 IRP_MJ_SHUTDOWN : F762C366
14:45:41:062 2400 IRP_MJ_LOCK_CONTROL : 804F3418
14:45:41:062 2400 IRP_MJ_CLEANUP : 804F3418
14:45:41:062 2400 IRP_MJ_CREATE_MAILSLOT : 804F3418
14:45:41:062 2400 IRP_MJ_QUERY_SECURITY : 804F3418
14:45:41:062 2400 IRP_MJ_SET_SECURITY : 804F3418
14:45:41:062 2400 IRP_MJ_POWER : F762DEF3
14:45:41:062 2400 IRP_MJ_SYSTEM_CONTROL : F7632A24
14:45:41:062 2400 IRP_MJ_DEVICE_CHANGE : 804F3418
14:45:41:062 2400 IRP_MJ_QUERY_QUOTA : 804F3418
14:45:41:062 2400 IRP_MJ_SET_QUOTA : 804F3418
14:45:41:078 2400 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:45:41:078 2400
14:45:41:078 2400 Driver Name: Disk
14:45:41:078 2400 IRP_MJ_CREATE : F7631C30
14:45:41:078 2400 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
14:45:41:078 2400 IRP_MJ_CLOSE : F7631C30
14:45:41:078 2400 IRP_MJ_READ : F762BD9B
14:45:41:078 2400 IRP_MJ_WRITE : F762BD9B
14:45:41:078 2400 IRP_MJ_QUERY_INFORMATION : 804F3418
14:45:41:078 2400 IRP_MJ_SET_INFORMATION : 804F3418
14:45:41:078 2400 IRP_MJ_QUERY_EA : 804F3418
14:45:41:078 2400 IRP_MJ_SET_EA : 804F3418
14:45:41:078 2400 IRP_MJ_FLUSH_BUFFERS : F762C366
14:45:41:078 2400 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
14:45:41:078 2400 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
14:45:41:078 2400 IRP_MJ_DIRECTORY_CONTROL : 804F3418
14:45:41:078 2400 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
14:45:41:078 2400 IRP_MJ_DEVICE_CONTROL : F762C44D
14:45:41:078 2400 IRP_MJ_INTERNAL_DEVICE_CONTROL : F762FFC3
14:45:41:078 2400 IRP_MJ_SHUTDOWN : F762C366
14:45:41:078 2400 IRP_MJ_LOCK_CONTROL : 804F3418
14:45:41:078 2400 IRP_MJ_CLEANUP : 804F3418
14:45:41:078 2400 IRP_MJ_CREATE_MAILSLOT : 804F3418
14:45:41:078 2400 IRP_MJ_QUERY_SECURITY : 804F3418
14:45:41:078 2400 IRP_MJ_SET_SECURITY : 804F3418
14:45:41:078 2400 IRP_MJ_POWER : F762DEF3
14:45:41:078 2400 IRP_MJ_SYSTEM_CONTROL : F7632A24
14:45:41:078 2400 IRP_MJ_DEVICE_CHANGE : 804F3418
14:45:41:078 2400 IRP_MJ_QUERY_QUOTA : 804F3418
14:45:41:078 2400 IRP_MJ_SET_QUOTA : 804F3418
14:45:41:078 2400 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:45:41:078 2400
14:45:41:078 2400 Driver Name: atapi
14:45:41:078 2400 IRP_MJ_CREATE : 870B6AC8
14:45:41:078 2400 IRP_MJ_CREATE_NAMED_PIPE : 870B6AC8
14:45:41:078 2400 IRP_MJ_CLOSE : 870B6AC8
14:45:41:078 2400 IRP_MJ_READ : 870B6AC8
14:45:41:078 2400 IRP_MJ_WRITE : 870B6AC8
14:45:41:078 2400 IRP_MJ_QUERY_INFORMATION : 870B6AC8
14:45:41:078 2400 IRP_MJ_SET_INFORMATION : 870B6AC8
14:45:41:078 2400 IRP_MJ_QUERY_EA : 870B6AC8
14:45:41:078 2400 IRP_MJ_SET_EA : 870B6AC8
14:45:41:078 2400 IRP_MJ_FLUSH_BUFFERS : 870B6AC8
14:45:41:078 2400 IRP_MJ_QUERY_VOLUME_INFORMATION : 870B6AC8
14:45:41:078 2400 IRP_MJ_SET_VOLUME_INFORMATION : 870B6AC8
14:45:41:078 2400 IRP_MJ_DIRECTORY_CONTROL : 870B6AC8
14:45:41:078 2400 IRP_MJ_FILE_SYSTEM_CONTROL : 870B6AC8
14:45:41:078 2400 IRP_MJ_DEVICE_CONTROL : 870B6AC8
14:45:41:078 2400 IRP_MJ_INTERNAL_DEVICE_CONTROL : 870B6AC8
14:45:41:078 2400 IRP_MJ_SHUTDOWN : 870B6AC8
14:45:41:078 2400 IRP_MJ_LOCK_CONTROL : 870B6AC8
14:45:41:078 2400 IRP_MJ_CLEANUP : 870B6AC8
14:45:41:078 2400 IRP_MJ_CREATE_MAILSLOT : 870B6AC8
14:45:41:078 2400 IRP_MJ_QUERY_SECURITY : 870B6AC8
14:45:41:078 2400 IRP_MJ_SET_SECURITY : 870B6AC8
14:45:41:078 2400 IRP_MJ_POWER : 870B6AC8
14:45:41:078 2400 IRP_MJ_SYSTEM_CONTROL : 870B6AC8
14:45:41:078 2400 IRP_MJ_DEVICE_CHANGE : 870B6AC8
14:45:41:078 2400 IRP_MJ_QUERY_QUOTA : 870B6AC8
14:45:41:078 2400 IRP_MJ_SET_QUOTA : 870B6AC8
14:45:41:078 2400 Driver "atapi" infected by TDSS rootkit!
14:45:41:125 2400 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
14:45:41:125 2400 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ...
14:45:41:125 2400 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
14:45:41:125 2400 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
14:45:41:390 2400 vfvi6
14:45:41:406 2400 !dsvbh1
14:45:43:750 2400 dsvbh2
14:45:43:750 2400 fdfb2
14:45:43:750 2400 Backup copy found, using it..
14:45:43:796 2400 will be cured on next reboot
14:45:43:796 2400 Reboot required for cure complete..
14:45:43:812 2400 Cure on reboot scheduled successfully
14:45:43:812 2400
14:45:43:812 2400 Completed
14:45:43:812 2400
14:45:43:812 2400 Results:
14:45:43:812 2400 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
14:45:43:812 2400 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:45:43:812 2400 File objects infected / cured / cured on reboot: 1 / 0 / 1
14:45:43:812 2400
14:45:43:812 2400 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
14:45:43:812 2400 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
14:45:43:812 2400 UnloadDriverW: NtUnloadDriver error 1
14:45:43:812 2400 KLMD(ARK) unloaded successfully
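The atapi block in the log above shows the signature TDSSKiller reacts to: every IRP_MJ_* dispatch entry points at the same address (870B6AC8), which the earlier Gmer MBR detector output could not attribute to any loaded module (">>UNKNOWN [0x870B6AC8]<<"), whereas the clean disk.sys blocks leave majors a storage driver never implements (CREATE_NAMED_PIPE, QUERY_QUOTA and so on) on the kernel's default handler (804F3418). The Python below is an added example, not code from this thread and not TDSSKiller's or Gmer's own logic: it parses log lines in the format shown and flags a driver on either indicator. The log excerpt is constructed from the values above, and the kernel default handler address and the list of never-implemented majors are assumptions taken from this log rather than general constants.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Assumption taken from the log above: the address every unimplemented IRP major
# of the clean disk.sys blocks resolves to (the kernel's invalid-request handler).
KERNEL_DEFAULT_HANDLER = 0x804F3418

# Assumption: majors a storage driver such as atapi never implements itself, so
# they should stay on the kernel default handler rather than in the driver's code.
NEVER_IMPLEMENTED = {
    "IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CREATE_MAILSLOT",
    "IRP_MJ_QUERY_QUOTA", "IRP_MJ_SET_QUOTA", "IRP_MJ_LOCK_CONTROL",
}

# Constructed excerpt in the TDSSKiller 2.2.8 log format: one clean disk.sys
# block and the hooked atapi block with every dispatch entry on one address.
SAMPLE_LOG = r"""14:45:41:015 2400 Driver Name: Disk
14:45:41:015 2400 IRP_MJ_CREATE : F7631C30
14:45:41:015 2400 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
14:45:41:015 2400 IRP_MJ_CLOSE : F7631C30
14:45:41:015 2400 IRP_MJ_READ : F762BD9B
14:45:41:015 2400 IRP_MJ_WRITE : F762BD9B
14:45:41:015 2400 IRP_MJ_DEVICE_CONTROL : F762C44D
14:45:41:015 2400 IRP_MJ_LOCK_CONTROL : 804F3418
14:45:41:062 2400 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:45:41:078 2400 Driver Name: atapi
14:45:41:078 2400 IRP_MJ_CREATE : 870B6AC8
14:45:41:078 2400 IRP_MJ_CREATE_NAMED_PIPE : 870B6AC8
14:45:41:078 2400 IRP_MJ_CLOSE : 870B6AC8
14:45:41:078 2400 IRP_MJ_READ : 870B6AC8
14:45:41:078 2400 IRP_MJ_WRITE : 870B6AC8
14:45:41:078 2400 IRP_MJ_DEVICE_CONTROL : 870B6AC8
14:45:41:078 2400 IRP_MJ_LOCK_CONTROL : 870B6AC8
14:45:41:125 2400 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
"""

# "HH:MM:SS:mmm <pid> <body>" as written by TDSSKiller.
_LINE = re.compile(r"^\d\d:\d\d:\d\d:\d{3}\s+\d+\s+(.*)$")
_DRIVER = re.compile(r"^Driver Name:\s*(\S+)$")
_IRP = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")

DispatchTable = Dict[str, int]


def parse_tdsskiller_log(text: str) -> List[Tuple[str, DispatchTable]]:
    """Return one (driver name, {IRP major: handler address}) per 'Driver Name:' block."""
    blocks: List[Tuple[str, DispatchTable]] = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        body = m.group(1).strip()
        d = _DRIVER.match(body)
        if d:
            blocks.append((d.group(1), {}))
            continue
        i = _IRP.match(body)
        if i and blocks:
            blocks[-1][1][i.group(1)] = int(i.group(2), 16)
    return blocks


def assess_dispatch_table(table: DispatchTable,
                          kernel_default: int = KERNEL_DEFAULT_HANDLER) -> List[str]:
    """Indicators of a hijacked dispatch table; an empty list means nothing suspicious."""
    findings: List[str] = []
    if not table:
        return findings
    addr, count = Counter(table.values()).most_common(1)[0]
    # Indicator 1: every major funnels into a single routine (the atapi pattern above).
    if count == len(table) and len(table) >= 4:
        findings.append(f"uniform_dispatch:{addr:08X}")
    # Indicator 2: majors the driver never implements no longer sit on the kernel default.
    hijacked = sorted(mj for mj in NEVER_IMPLEMENTED
                      if mj in table and table[mj] != kernel_default)
    if hijacked:
        findings.append("default_handlers_replaced:" + ",".join(hijacked))
    return findings


def scan_log(text: str) -> Dict[str, List[str]]:
    """Map each driver name in the log to its list of indicators."""
    return {name: assess_dispatch_table(tbl) for name, tbl in parse_tdsskiller_log(text)}


if __name__ == "__main__":
    for name, findings in scan_log(SAMPLE_LOG).items():
        print(f"{name}: {'clean' if not findings else ', '.join(findings)}")
```

On the log posted in this thread the Disk blocks come back clean and atapi trips both indicators; the second one matters when a hook is more selective than the one here and leaves most of the table intact.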




