
Eset NOD 32 keeps blocking win32/Kryptik.DNW trojan


22 replies to this topic

#1 hobomike595


Posted 08 April 2010 - 12:56 AM

This morning I was randomly redirected to a "scan your computer free spy ware protection blah blah" site. Upon closing it, ESET NOD 32 began continuously blocking "Win32/Kryptik.DNW trojan", and the file it is blocking is "http://lenina66.com/102". I only have one virus protection installed (Eset). It blocked a different infection not too long ago as well. I think multiple infections are affecting my computer and I cannot seem to find or get rid of them. I have tried running ESET (finds nothing), Spybot Search and Destroy, Malwarebytes Anti-Malware, Super Anti-Spyware, CCleaner and ATF Cleaner...still nothing. It doesn't allow me to use Google Chrome, but Firefox works decently, and it is also affecting other programs, it seems. I have looked high and low for a solution; maybe a personal assist and some expertise?

Thanks a lot =]

Edited by Budapest, 08 April 2010 - 06:22 PM.
Moved from AII ~BP




#2 hobomike595


Posted 08 April 2010 - 04:34 PM

UPDATE: ESET was still blocking that trojan this morning, and since then my computer has decided to get itself stuck in a continuous restart loop. I can boot into safe mode, but even if I boot Windows normally with Last Known Good Configuration settings, it still just keeps restarting. This has happened before, which led me to reformatting previously. I would like to not have to do that if there is a solution to this issue. Please help!

#3 Farbar


Posted 08 April 2010 - 06:19 PM

Hi hobomike595,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the problem is not resolved yet please update me on the current condition of your computer. If you can't boot normally tell me if you can boot into Safe Mode with Networking and you have internet connection there.

#4 hobomike595


Posted 08 April 2010 - 06:59 PM

Hello Farbar, thank you for assisting me,

I do agree; I will refrain from changing/scanning anything further. The computer has recently only been able to boot into safe mode (didn't try safe mode with networking). I literally just turned my computer back on after a while and it booted into normal Windows, surprisingly, though I'm not sure if restarting will mess it up again. Google Chrome (primary browser) still doesn't work whatsoever, but Firefox and IE work fine, and I have internet for everything else, it seems.

#5 Farbar


Posted 08 April 2010 - 07:24 PM

Thanks for the feedback. Please don't reboot for a while unless we have some logs.
  1. Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Click Run Scan button.
    • Two reports will open, copy and paste them to your reply:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized


  2. Please download MBR.EXE by GMER. Save the file in your Root directory (C:\).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    CODE
    @echo off
    rem change to the root of the drive, where mbr.exe was saved
    cd\
    rem run GMER's MBR check; it writes its report to mbr.log in this directory
    mbr.exe -t
    rem the ping is only a one-second pause so the report is written before it is opened
    ping 1.1.1.1 -n 1 -w 1000 >nul
    start mbr.log
    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: dirlook.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • In Windows XP: Locate and double-click look.bat on the desktop. In Vista: Right-click look.bat and select "Run as Administrator".
    • A notepad opens, copy and paste the content (mbr.log) to your reply.
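Added example, not code from this thread or from OTL's author: a small Python triage script that reads lines in OTL's report format (the sample lines are copied from the OTL log the topic starter posts next) and flags what a helper reads first: binaries with no publisher string, orphaned autostart entries, and the Winlogon UIHost, IFEO Debugger and AppCertDlls hooks. The severity labels and rule names are my own; each hit is a lead to verify against the installed software, not a verdict.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the OTL log posted in this thread,
# kept in OTL's own line format, so the rules below have real input.
SAMPLE_LOG = r"""
PRC - [2009/09/11 07:24:32 | 000,735,960 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
PRC - [2007/06/05 14:20:32 | 000,177,704 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe
DRV - [2009/12/29 16:37:11 | 000,180,224 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\WinVd32.sys -- (WinVd32)
DRV - [2008/04/13 11:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
O4 - HKLM..\Run: [Bluetooth Connection Assistant] File not found
O20 - HKLM Winlogon: UIHost - (C:\WINDOWS\system32\logonuiX.exe) - C:\WINDOWS\system32\logonuiX.exe (Microsoft Corporation)
O27 - HKLM IFEO\taskmgr.exe: Debugger - "C:\DOCUMENTS AND SETTINGS\TYLER\MY DOCUMENTS\PROCEXP.EXE" (Sysinternals)
O36 - AppCertDlls: krnlddin - (C:\WINDOWS\system32\ciphmapi.dll) - C:\WINDOWS\System32\ciphmapi.dll File not found
"""

# PRC/MOD/SRV/DRV lines: "[date | size | attrs | M] (Company) [flags] -- path -- (ServiceName) description"
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - \[(?P<date>[^|]+?) \| (?P<size>[\d,]+) \| [^\]]*\] "
    r"\((?P<company>[^)]*)\)(?: \[(?P<flags>[^\]]*)\])? -- (?P<path>.+?)"
    r"(?: -- \((?P<name>[^)]*)\).*)?$"
)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (my own scale)
    rule: str
    line: str


def parse_entry(line: str) -> dict | None:
    """Split a PRC/MOD/SRV/DRV line into its fields, or return None for any other line."""
    m = ENTRY_RE.match(line)
    return m.groupdict() if m else None


def _uihost_value(line: str) -> str:
    # "O20 - HKLM Winlogon: UIHost - (value) - resolved path (Company)"
    return line.split("UIHost - (", 1)[1].split(")", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Return the lines a helper would look at first, each with a severity and a reason."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = parse_entry(line)
        if entry is not None:
            # OTL prints "()" when the binary carries no company/version resource.
            # Legitimate software does that too (PSIService above), so it is a lead
            # to verify, not a verdict; a kernel driver without it ranks higher.
            if not entry["company"].strip():
                if entry["kind"] == "DRV" and "Kernel" in (entry["flags"] or ""):
                    findings.append(Finding("high", "kernel driver with no publisher string", line))
                else:
                    findings.append(Finding("medium", "loaded binary with no publisher string", line))
        elif line.startswith("O36 - AppCertDlls"):
            # AppCertDlls are loaded into every process that calls CreateProcess; an entry
            # whose DLL is already gone still needs its registry value removed.
            sev = "medium" if "File not found" in line else "high"
            findings.append(Finding(sev, "AppCertDlls entry loads a DLL into new processes", line))
        elif line.startswith("O27 - ") and "Debugger - " in line:
            # IFEO "Debugger" redirects a program launch to another executable.
            # Process Explorer standing in for Task Manager is a common legitimate use.
            findings.append(Finding("medium", "IFEO Debugger redirects a program launch", line))
        elif line.startswith("O20 - ") and "UIHost - (" in line:
            # Windows XP's default logon UI is logonui.exe; anything else was set by
            # software (LogonStudio does this) or by malware, so it gets checked either way.
            exe = _uihost_value(line).lower().rsplit("\\", 1)[-1]
            if exe != "logonui.exe":
                findings.append(Finding("medium", "Winlogon UIHost is not the default logonui.exe", line))
        elif "File not found" in line:
            findings.append(Finding("low", "autostart entry points at a missing file", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity; all three keys are always present."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule}: {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```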



#6 hobomike595


Posted 08 April 2010 - 08:18 PM

OTL logfile created on: 4/8/2010 6:04:43 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Tyler\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 46.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 18.47 Gb Free Space | 24.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 488.61 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TYLER-TFW60W542
Current User Name: Tyler
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/08 18:03:32 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tyler\Desktop\OTL.exe
PRC - [2010/04/07 22:18:25 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/17 20:51:10 | 000,136,176 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Tyler\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
PRC - [2010/01/30 19:04:04 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2009/11/13 04:31:14 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2009/09/26 00:32:18 | 000,189,736 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
PRC - [2009/09/11 07:24:32 | 000,735,960 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
PRC - [2009/09/11 07:23:46 | 002,054,360 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
PRC - [2009/07/24 15:05:24 | 000,762,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\vVX1000.exe
PRC - [2009/07/24 15:05:24 | 000,139,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
PRC - [2009/07/20 12:30:50 | 000,813,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2009/07/20 12:28:26 | 000,059,920 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint\LBTWiz.exe
PRC - [2009/07/20 12:28:10 | 000,121,360 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
PRC - [2009/07/10 12:42:32 | 000,055,824 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/05 14:20:32 | 000,177,704 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe
PRC - [2007/05/11 03:59:23 | 000,349,808 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
PRC - [2006/11/29 22:37:20 | 000,561,213 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2006/11/29 22:35:42 | 001,396,820 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PRC - [2005/10/05 12:00:44 | 000,053,248 | ---- | M] () -- C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
PRC - [2005/10/05 12:00:06 | 000,065,536 | ---- | M] () -- C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
PRC - [2005/03/22 17:20:44 | 000,339,968 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe


========== Modules (SafeList) ==========

MOD - [2010/04/08 18:03:32 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tyler\Desktop\OTL.exe
MOD - [2009/07/20 12:29:06 | 000,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll
MOD - [2009/07/12 01:12:06 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
MOD - [2006/11/29 22:41:44 | 000,077,824 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\BtMmHook.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/01/30 19:04:04 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/11/13 04:31:14 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2009/09/26 00:32:18 | 000,189,736 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
SRV - [2009/09/11 07:33:18 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/09/11 07:24:32 | 000,735,960 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)
SRV - [2009/07/24 15:05:24 | 000,139,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2009/07/20 12:28:10 | 000,121,360 | ---- | M] (Logitech, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2007/06/05 14:20:32 | 000,177,704 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing)
SRV - [2005/10/05 12:00:06 | 000,065,536 | ---- | M] () [Auto | Running] -- C:\Program Files\Logitech\Easy Synchronization\servicestub.exe -- (Logitech Easy Synchronization)


========== Driver Services (SafeList) ==========

DRV - [2009/12/29 16:37:11 | 000,180,224 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\WinVd32.sys -- (WinVd32)
DRV - [2009/09/11 07:26:24 | 000,055,768 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdi.sys -- (epfwtdi)
DRV - [2009/09/11 07:26:20 | 000,135,048 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epfw.sys -- (epfw)
DRV - [2009/09/11 07:23:50 | 000,108,792 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2009/09/11 07:17:16 | 000,116,008 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2009/07/24 15:05:24 | 001,961,072 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VX1000.sys -- (VX1000)
DRV - [2009/06/19 09:10:40 | 000,033,096 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\epfwndis.sys -- (Epfwndis)
DRV - [2009/06/17 09:56:16 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2009/06/17 09:56:06 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2009/06/17 09:55:34 | 000,010,384 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2008/04/13 11:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 09:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2006/12/04 14:33:34 | 000,067,672 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2006/12/04 14:33:34 | 000,047,907 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2006/12/04 14:33:34 | 000,030,459 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2006/12/04 14:33:32 | 000,863,402 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2006/12/04 14:33:32 | 000,329,901 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2006/09/16 17:23:06 | 000,047,360 | ---- | M] (DigitalPersona®, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbdpfp.sys -- (usbdpfp)
DRV - [2006/02/09 20:57:46 | 001,502,208 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/11/16 15:36:00 | 001,047,816 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA) High Definition Audio Driver (WDM)
DRV - [2005/10/05 12:00:06 | 000,047,104 | ---- | M] (ELTIMA Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vserial.sys -- (vserial)
DRV - [2005/10/05 12:00:06 | 000,018,167 | ---- | M] (ELTIMA Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vsb.sys -- (vsbus)
DRV - [2003/11/17 15:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 15:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 15:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-602162358-448539723-839522115-1003\..\URLSearchHook: {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll (Spigot, Inc.)
IE - HKU\S-1-5-21-602162358-448539723-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-602162358-448539723-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=867034"
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.2
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/07 22:18:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/07 22:18:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2009/10/14 02:30:08 | 000,000,000 | ---D | M]

[2009/10/31 18:59:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tyler\Application Data\Mozilla\Extensions
[2009/10/31 18:59:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tyler\Application Data\Mozilla\Extensions\home2@tomtom.com
[2010/04/07 21:43:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tyler\Application Data\Mozilla\Firefox\Profiles\aqdep9qo.default\extensions
[2009/10/14 21:33:57 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Tyler\Application Data\Mozilla\Firefox\Profiles\aqdep9qo.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/03 18:56:28 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Tyler\Application Data\Mozilla\Firefox\Profiles\aqdep9qo.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/04/07 21:43:16 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/26 20:33:56 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\search@searchsettings.com

O1 HOSTS File: ([2001/08/23 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SearchSettings Class) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll (Spigot, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-602162358-448539723-839522115-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Bluetooth Connection Assistant] File not found
O4 - HKLM..\Run: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe ()
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [LogonStudio] C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe (Stardock and Luca Saggese)
O4 - HKLM..\Run: [MaxMenuMgr] C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (Seagate LLC)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [VX1000] C:\WINDOWS\vVX1000.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-602162358-448539723-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1255512929811 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1255512974279 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 71.9.127.107 68.116.46.115 24.205.192.61
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (C:\WINDOWS\system32\logonuiX.exe) - C:\WINDOWS\system32\logonuiX.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Tyler\My Documents\My Pictures\Rave\kamk54.png
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Tyler\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O27 - HKLM IFEO\taskmgr.exe: Debugger - "C:\DOCUMENTS AND SETTINGS\TYLER\MY DOCUMENTS\PROCEXP.EXE" (Sysinternals)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {FE24CD78-7C63-465D-8787-4EDF7FC79895} - C:\Program Files\Logitech\Easy Synchronization\shellexecutehook.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/10/14 02:19:53 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/08/23 05:00:00 | 000,000,110 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{6c717be2-f1ba-11de-8315-001372c36087}\Shell\AutoRun\command - "" = G:\.\EncryptionTool\MaxtorEncryption.exe -- File not found
O33 - MountPoints2\{be2232d7-c5bf-11de-8301-001372c36087}\Shell\AutoRun\command - "" = F:\InstallTomTomHOME.exe -- File not found
O33 - MountPoints2\{e217af64-f2b0-11de-8316-001372c36087}\Shell\AutoRun\command - "" = Portable_FL.exe
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\Seagate\Installer\InstallSeagateManager.exe -- File not found
O33 - MountPoints2\G\Shell\Install\command - "" = G:\Seagate\Installer\InstallSeagateManager.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: krnlddin - (C:\WINDOWS\system32\ciphmapi.dll) - C:\WINDOWS\System32\ciphmapi.dll File not found
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/08 18:03:03 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tyler\Desktop\OTL.exe
[2010/04/08 17:15:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/08 17:14:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/08 14:17:26 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Tyler\Application Data\.#
[2010/04/08 14:17:26 | 000,000,000 | ---D | C] -- C:\Program Files\Search Settings
[2010/04/08 14:17:25 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/08 14:00:31 | 000,000,000 | ---D | C] -- C:\RECYCLER(2)
[2010/04/08 13:49:31 | 000,000,000 | ---D | C] -- C:\MGtools
[2010/04/08 13:33:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tyler\Desktop\RootRepeal
[2010/04/08 13:12:56 | 000,000,000 | ---D | C] -- C:\cmdcons
[2010/04/08 13:09:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/08 13:08:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/08 06:28:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2010/04/08 06:28:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/07 22:26:33 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Tyler\Desktop\ATF-Cleaner.exe
[2010/04/07 17:49:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tyler\Application Data\SUPERAntiSpyware.com
[2010/04/07 17:49:35 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/07 17:49:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/04/07 17:49:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tyler\Application Data\Malwarebytes
[2010/04/07 17:48:50 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/07 17:48:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/07 17:48:46 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/07 17:48:44 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/07 17:37:20 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Tyler\Recent
[2010/04/07 16:36:50 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/04/07 16:35:13 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/04/07 16:33:43 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2010/04/07 16:30:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe(2)
[2010/04/07 00:57:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2010/04/06 21:52:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/04/06 21:52:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/04/06 21:41:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/06 16:44:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/06 16:44:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/05 12:06:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tyler\Desktop\New Folder
[2010/04/05 02:08:46 | 000,000,000 | ---D | C] -- C:\Program Files\iPod(2)
[2010/04/05 02:08:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/04/05 02:07:16 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime(2)
[2010/04/05 02:06:59 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update(2)
[2010/04/02 17:57:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tyler\My Documents\REAPER Media
[2010/03/30 22:30:49 | 000,000,000 | ---D | C] -- C:\Program Files\ASIO4ALL v2
[2010/03/30 22:13:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tyler\Application Data\REAPER
[2010/03/30 22:12:24 | 000,000,000 | ---D | C] -- C:\Program Files\REAPER
[2010/03/30 21:46:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tyler\My Documents\Recordpad
[2010/03/30 21:46:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tyler\Application Data\Recordpad
[2010/03/30 21:46:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2010/03/30 21:46:18 | 000,000,000 | ---D | C] -- C:\Program Files\NCH Software
[2010/03/30 21:46:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tyler\Application Data\NCH Swift Sound
[2010/03/20 01:27:01 | 000,065,536 | ---- | C] (PV) -- C:\WINDOWS\System32\cpvslider.ocx
[2010/03/20 01:27:01 | 000,045,056 | ---- | C] (adionSoft) -- C:\WINDOWS\System32\BPM_Control.ocx
[2010/03/20 00:14:16 | 000,000,000 | ---D | C] -- C:\Program Files\Audacity
[2010/03/17 21:53:42 | 000,094,208 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\QuickTimeVR.qtx
[2010/03/17 21:53:42 | 000,069,632 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\QuickTime.qts
[2010/03/12 20:38:32 | 000,000,000 | ---D | C] -- C:\Program Files\Pidgin
[2010/03/12 20:27:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tyler\Application Data\Trillian
[2010/03/12 20:26:57 | 000,000,000 | ---D | C] -- C:\Program Files\Trillian
[2010/03/10 15:58:59 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2009/12/13 00:14:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\CyberLink
[2009/11/27 00:55:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
[2009/10/15 15:32:35 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/10/15 12:39:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/10/14 17:09:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Logitech
[2009/10/14 02:19:35 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/08 18:03:32 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tyler\Desktop\OTL.exe
[2010/04/08 17:56:01 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-602162358-448539723-839522115-1003UA.job
[2010/04/08 17:14:54 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/08 16:38:44 | 000,000,024 | ---- | M] () -- C:\WINDOWS\LogonStudio.ini
[2010/04/08 16:38:10 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/08 16:38:07 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/04/08 16:37:35 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/08 16:37:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/08 15:05:00 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Tyler\ntuser.ini
[2010/04/08 15:04:59 | 004,501,504 | ---- | M] () -- C:\Documents and Settings\Tyler\ntuser.dat
[2010/04/08 14:08:28 | 000,141,094 | ---- | M] () -- C:\MGlogs.zip
[2010/04/08 13:24:36 | 000,000,253 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/08 13:14:33 | 000,001,620 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\olV3RohQ
[2010/04/08 06:29:01 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/07 22:26:35 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Tyler\Desktop\ATF-Cleaner.exe
[2010/04/07 17:51:08 | 000,000,635 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/07 17:51:08 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/04/07 17:48:55 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/07 17:48:44 | 007,899,168 | ---- | M] () -- C:\Documents and Settings\Tyler\Desktop\SUPERAntiSpywarePro.exe
[2010/04/06 20:56:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-602162358-448539723-839522115-1003Core.job
[2010/04/06 19:08:47 | 015,698,048 | ---- | M] () -- C:\Documents and Settings\Tyler\Desktop\Groove Armada - Superstylin'.mp3
[2010/04/06 18:45:07 | 013,838,533 | ---- | M] () -- C:\Documents and Settings\Tyler\Desktop\Fatboy Slim- Star 69 (What The bleep) [HD-AO].mp3
[2010/04/06 18:45:02 | 013,336,704 | ---- | M] () -- C:\Documents and Settings\Tyler\Desktop\The Beatles - A day in the life.mp3
[2010/04/06 12:25:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/05 15:58:15 | 259,387,348 | ---- | M] () -- C:\Documents and Settings\Tyler\Desktop\untitled.wav
[2010/04/05 12:17:18 | 017,561,834 | ---- | M] () -- C:\Documents and Settings\Tyler\Desktop\Timmy and Tommy - Full Tiltin (Joint Operations Centre remix.mp3
[2010/04/05 12:08:56 | 019,613,824 | ---- | M] () -- C:\Documents and Settings\Tyler\Desktop\Steve Angello Ft Robin S - Show Me love (Afrojack Remix).mp3
[2010/04/04 18:24:09 | 170,234,836 | ---- | M] () -- C:\Documents and Settings\Tyler\Bring the Noise - Killer Remix.wav
[2010/04/04 18:22:04 | 260,590,426 | ---- | M] () -- C:\Documents and Settings\Tyler\Desktop\Desktop.wav
[2010/04/03 19:12:05 | 085,117,786 | ---- | M] () -- C:\Documents and Settings\Tyler\Desktop\Bring the Noise - Killer Remix.wav
[2010/04/02 19:14:06 | 000,006,289 | -HS- | M] () -- C:\Documents and Settings\Tyler\Desktop\Folder.jpg
[2010/04/02 19:14:06 | 000,001,885 | -HS- | M] () -- C:\Documents and Settings\Tyler\Desktop\AlbumArtSmall.jpg
[2010/04/02 17:50:21 | 000,023,396 | ---- | M] () -- C:\Documents and Settings\Tyler\Desktop\Disk Tracks.xlsx
[2010/03/31 22:05:01 | 015,470,720 | ---- | M] () -- C:\Documents and Settings\Tyler\Desktop\Funkagenda What the bleep (Kim Fai Remix) - Tuning_2008.mp3
[2010/03/30 22:12:44 | 000,000,654 | ---- | M] () -- C:\Documents and Settings\Tyler\Desktop\REAPER.lnk
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/27 15:33:04 | 056,073,296 | ---- | M] () -- C:\Documents and Settings\Tyler\Desktop\Vanishing Point- Bumpercar.wav
[2010/03/26 18:22:44 | 000,065,024 | ---- | M] () -- C:\Documents and Settings\Tyler\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/26 01:40:00 | 151,416,952 | ---- | M] () -- C:\Documents and Settings\Tyler\Desktop\good car thing too.wav
[2010/03/24 19:30:57 | 021,446,784 | ---- | M] () -- C:\Documents and Settings\Tyler\Desktop\New Years Day (Ferry Corsten Remix).mp3
[2010/03/24 19:29:30 | 020,760,704 | ---- | M] () -- C:\Documents and Settings\Tyler\Desktop\New Years Day (Mauro Picotto Mix).mp3
[2010/03/24 19:17:14 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/03/20 00:14:21 | 000,000,630 | ---- | M] () -- C:\Documents and Settings\Tyler\Desktop\Audacity.lnk
[2010/03/17 21:53:42 | 000,094,208 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\QuickTimeVR.qtx
[2010/03/17 21:53:42 | 000,069,632 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\QuickTime.qts
[2010/03/17 18:29:29 | 000,123,418 | ---- | M] () -- C:\Documents and Settings\Tyler\Desktop\Candy Flip.flp
[2010/03/17 15:05:58 | 000,464,940 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/17 15:05:58 | 000,079,016 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/14 20:14:47 | 008,468,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\logonuiX.exe
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/08 13:49:40 | 000,141,094 | ---- | C] () -- C:\MGlogs.zip
[2010/04/08 13:14:16 | 000,001,620 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\olV3RohQ
[2010/04/08 13:14:16 | 000,001,620 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\olV3RohQ
[2010/04/08 13:13:04 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/04/08 13:12:58 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/08 06:29:01 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/07 17:49:30 | 004,501,504 | ---- | C] () -- C:\Documents and Settings\Tyler\ntuser.dat
[2010/04/07 17:48:55 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/07 17:48:14 | 007,899,168 | ---- | C] () -- C:\Documents and Settings\Tyler\Desktop\SUPERAntiSpywarePro.exe
[2010/04/06 19:08:10 | 015,698,048 | ---- | C] () -- C:\Documents and Settings\Tyler\Desktop\Groove Armada - Superstylin'.mp3
[2010/04/05 15:58:02 | 259,387,348 | ---- | C] () -- C:\Documents and Settings\Tyler\Desktop\untitled.wav
[2010/04/04 18:23:55 | 170,234,836 | ---- | C] () -- C:\Documents and Settings\Tyler\Bring the Noise - Killer Remix.wav
[2010/04/04 18:21:50 | 260,590,426 | ---- | C] () -- C:\Documents and Settings\Tyler\Desktop\Desktop.wav
[2010/04/03 19:12:01 | 085,117,786 | ---- | C] () -- C:\Documents and Settings\Tyler\Desktop\Bring the Noise - Killer Remix.wav
[2010/04/01 15:18:47 | 013,336,704 | ---- | C] () -- C:\Documents and Settings\Tyler\Desktop\The Beatles - A day in the life.mp3
[2010/03/31 22:04:13 | 015,470,720 | ---- | C] () -- C:\Documents and Settings\Tyler\Desktop\Funkagenda What the bleep (Kim Fai Remix) - Tuning_2008.mp3
[2010/03/31 21:58:37 | 013,838,533 | ---- | C] () -- C:\Documents and Settings\Tyler\Desktop\Fatboy Slim- Star 69 (What The bleep) [HD-AO].mp3
[2010/03/31 21:53:38 | 017,561,834 | ---- | C] () -- C:\Documents and Settings\Tyler\Desktop\Timmy and Tommy - Full Tiltin (Joint Operations Centre remix.mp3
[2010/03/30 22:12:44 | 000,000,654 | ---- | C] () -- C:\Documents and Settings\Tyler\Desktop\REAPER.lnk
[2010/03/29 23:56:30 | 000,195,760 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/03/28 19:09:24 | 019,613,824 | ---- | C] () -- C:\Documents and Settings\Tyler\Desktop\Steve Angello Ft Robin S - Show Me love (Afrojack Remix).mp3
[2010/03/27 15:33:00 | 056,073,296 | ---- | C] () -- C:\Documents and Settings\Tyler\Desktop\Vanishing Point- Bumpercar.wav
[2010/03/26 01:39:48 | 151,416,952 | ---- | C] () -- C:\Documents and Settings\Tyler\Desktop\good car thing too.wav
[2010/03/24 18:12:33 | 021,446,784 | ---- | C] () -- C:\Documents and Settings\Tyler\Desktop\New Years Day (Ferry Corsten Remix).mp3
[2010/03/24 18:04:50 | 020,760,704 | ---- | C] () -- C:\Documents and Settings\Tyler\Desktop\New Years Day (Mauro Picotto Mix).mp3
[2010/03/20 00:14:21 | 000,000,630 | ---- | C] () -- C:\Documents and Settings\Tyler\Desktop\Audacity.lnk
[2010/03/14 17:13:43 | 000,123,418 | ---- | C] () -- C:\Documents and Settings\Tyler\Desktop\Candy Flip.flp
[2010/02/14 17:39:15 | 000,000,098 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/01/30 19:21:18 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2009/12/29 16:37:11 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\WinVd32.sys
[2009/11/27 00:54:57 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/11/27 00:47:56 | 000,000,071 | ---- | C] () -- C:\Documents and Settings\Tyler\default.pls
[2009/11/27 00:47:49 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/10/19 18:36:22 | 000,000,285 | ---- | C] () -- C:\Documents and Settings\Tyler\Local Settings\Application Data\itdb.zip
[2009/10/15 13:22:57 | 000,015,498 | ---- | C] () -- C:\WINDOWS\VX1000.ini
[2009/10/14 21:45:40 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\cygz.dll
[2009/10/14 21:45:40 | 000,007,196 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_3GP_AAC.ini
[2009/10/14 21:45:40 | 000,006,490 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_PSP.ini
[2009/10/14 21:45:40 | 000,005,028 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_3GP2_AAC.ini
[2009/10/14 21:45:40 | 000,003,045 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_iPod.ini
[2009/10/14 21:45:40 | 000,002,956 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_PMP.ini
[2009/10/14 21:45:40 | 000,002,910 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_3GP_AMR.ini
[2009/10/14 21:45:40 | 000,002,516 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_PPC.ini
[2009/10/14 21:45:40 | 000,001,964 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP2_QVGA_AAC.ini
[2009/10/14 21:45:40 | 000,001,964 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP2_QCIF_AAC.ini
[2009/10/14 21:45:40 | 000,001,878 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_Xbox.ini
[2009/10/14 21:45:40 | 000,001,814 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP_QVGA_AMR.ini
[2009/10/14 21:45:40 | 000,001,814 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP_QVGA_AAC.ini
[2009/10/14 21:45:40 | 000,001,814 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP_QCIF_AMR.ini
[2009/10/14 21:45:40 | 000,001,814 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP_QCIF_AAC.ini
[2009/10/14 21:45:40 | 000,000,036 | ---- | C] () -- C:\WINDOWS\System32\INI_Add_mfra.ini
[2009/10/14 21:43:21 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2009/10/14 19:11:50 | 000,000,024 | ---- | C] () -- C:\WINDOWS\LogonStudio.ini
[2009/10/14 19:10:41 | 000,187,392 | ---- | C] () -- C:\WINDOWS\System32\JPGUtils.dll
[2009/10/14 16:41:12 | 000,000,990 | -HS- | C] () -- C:\Documents and Settings\Tyler\Application Data\systemfl.$dk
[2009/10/14 16:18:08 | 000,198,144 | ---- | C] () -- C:\WINDOWS\System32\_psisdecd.dll
[2009/10/14 15:57:59 | 000,065,024 | ---- | C] () -- C:\Documents and Settings\Tyler\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/14 02:23:08 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Tyler\ntuser.ini
[2009/10/14 02:23:07 | 000,036,864 | -H-- | C] () -- C:\Documents and Settings\Tyler\ntuser.dat.LOG
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/12/11 13:27:24 | 000,817,837 | ---- | C] () -- C:\Documents and Settings\Tyler\Application Data\com.kennettnet.MusicRescue4.Profiles.plist
[2008/12/11 12:53:20 | 001,357,989 | ---- | C] () -- C:\Documents and Settings\Tyler\Application Data\com.kennettnet.MusicRescue4.plist
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/11/29 22:24:10 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2005/02/17 11:41:32 | 000,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 11:41:30 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2004/06/24 01:20:02 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2002/09/10 08:10:05 | 000,495,616 | ---- | C] () -- C:\WINDOWS\System32\xvid.dll
[2001/11/14 12:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
< End of report >


I attached the first 2, here is the third:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89C2FAC8]<<
kernel: MBR read successfully
user & kernel MBR OK

Attached Files


Edited by farbar, 08 April 2010 - 08:35 PM.
Opened the log

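The OTL report above is a flat text list, one entry per line, with the timestamp, size, R/H/S/D attribute flags, a C (created) or M (modified) marker, an optional publisher string and the path. The following is an added example, not OTL's own code and not something the helpers in this thread posted: a small parser for that line format plus the first triage pass an analyst would run over it, pulling out hidden+system files with no publisher that were touched shortly before the report (the `olV3RohQ` entries above are exactly that shape). The allowlist of hidden+system files Windows creates itself and the 30-day window are the example's own assumptions; a hit is a candidate to look at, not a verdict.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# One OTL file/folder entry, as seen in the log above:
#   [2010/04/08 13:14:33 | 000,001,620 | -HS- | M] () -- C:\...\olV3RohQ
# Directory entries carry no "(company)" group at all; files carry "()" when
# the binary has no publisher string.
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
TS_FORMAT = "%Y/%m/%d %H:%M:%S"

# Hidden+system files Windows itself maintains; the allowlist keeps them out of
# the triage output (assumption: the analyst curates this list).
KNOWN_HIDDEN_SYSTEM = {
    "ntuser.ini", "boot.ini", "desktop.ini", "thumbs.db",
    "folder.jpg", "albumartsmall.jpg",   # Windows Media Player album art
}


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    attrs: str              # R/H/S/D flags, '-' where a flag is not set
    kind: str               # 'C' = created list, 'M' = modified list
    company: Optional[str]  # publisher string, None when absent or empty
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def hidden_system(self) -> bool:
        return "H" in self.attrs and "S" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_otl_entry(line: str) -> Optional[OtlEntry]:
    """Parse one entry line; return None for headers, summary lines and blanks."""
    m = OTL_ENTRY.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        timestamp=datetime.strptime(m.group("ts"), TS_FORMAT),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attrs"),
        kind=m.group("kind"),
        company=m.group("company") or None,  # "" (empty parens) and missing both become None
        path=m.group("path"),
    )


def triage_hidden_system(log_text: str, report_time: str, window_days: int = 30) -> List[str]:
    """Paths of unsigned hidden+system files touched within window_days of the report.

    Heuristic ordering of what to examine first; the file itself still has to be
    checked before anything is removed.
    """
    cutoff = datetime.strptime(report_time, TS_FORMAT) - timedelta(days=window_days)
    hits = []
    for line in log_text.splitlines():
        e = parse_otl_entry(line)
        if e is None or e.is_dir or not e.hidden_system:
            continue
        if e.timestamp < cutoff or e.company or e.name.lower() in KNOWN_HIDDEN_SYSTEM:
            continue
        hits.append(e.path)
    return hits


# Sample input: a constructed selection of lines copied from the OTL log above.
SAMPLE_LOG = r"""
========== Files - Modified Within 30 Days ==========

[2010/04/08 18:03:32 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tyler\Desktop\OTL.exe
[2010/04/08 15:05:00 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Tyler\ntuser.ini
[2010/04/08 13:14:33 | 000,001,620 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\olV3RohQ
[2010/04/02 19:14:06 | 000,006,289 | -HS- | M] () -- C:\Documents and Settings\Tyler\Desktop\Folder.jpg
[2010/03/24 19:17:14 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/04/05 12:06:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tyler\Desktop\New Folder
[2010/04/08 13:14:16 | 000,001,620 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\olV3RohQ
[2009/10/14 16:41:12 | 000,000,990 | -HS- | C] () -- C:\Documents and Settings\Tyler\Application Data\systemfl.$dk
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
"""

if __name__ == "__main__":
    for p in triage_hidden_system(SAMPLE_LOG, "2010/04/08 18:03:32"):
        print("review:", p)
```

With the report time taken from the OTL.exe line, the default 30-day window returns only the two `olV3RohQ` paths; widening the window to 200 days also surfaces the older `systemfl.$dk`, which shows why the window is a tuning knob rather than a fixed rule.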

#7 hobomike595

hobomike595
  • Topic Starter

  • Members
  • 12 posts
  • Local time:05:21 PM

Posted 08 April 2010 - 08:42 PM

That's not how that was supposed to turn out. Let me try again.

"I attached the first 2, here is the third:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89C2FAC8]<<
kernel: MBR read successfully
user & kernel MBR OK "

They are attached to the messed-up post.


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:21 AM

Posted 08 April 2010 - 08:50 PM

Seems you have already run many tools, including ComboFix.
  1. Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.

  2. Go to Start > Run, copy/paste the following line into the Run box and click OK.

    cmd /c sc query type= driver group= "SCSI Miniport" > log.txt&start log.txt

    A text file (log.txt) will open. Please post its content in your reply before running ComboFix, then proceed.

  3. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#9 hobomike595

hobomike595
  • Topic Starter

  • Members
  • 12 posts
  • Local time:05:21 PM

Posted 08 April 2010 - 09:25 PM

Alrighty,

Defogger:

SERVICE_NAME: atapi
DISPLAY_NAME: Standard IDE/ESDI Hard Disk Controller
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0


ComboFix 10-04-08.01 - Tyler 04/08/2010 19:07:08.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.674 [GMT -7:00]
Running from: c:\documents and settings\Tyler\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\documents and settings\Tyler\Application Data\.#
c:\program files\Search Settings
c:\program files\Search Settings\kb128\SeARchsettings.dll
c:\program files\Search Settings\kb128\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
c:\windows\Sysvxd.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-09 to 2010-04-09 )))))))))))))))))))))))))))))))
.

2010-04-08 13:29 . 2010-04-08 13:29 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-08 00:49 . 2010-04-08 21:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-08 00:49 . 2010-04-08 00:49 -------- d-----w- c:\documents and settings\Tyler\Application Data\SUPERAntiSpyware.com
2010-04-08 00:49 . 2010-04-08 00:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-08 00:49 . 2010-04-08 00:49 -------- d-----w- c:\documents and settings\Tyler\Application Data\Malwarebytes
2010-04-08 00:48 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-08 00:48 . 2010-04-08 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-08 00:48 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 00:48 . 2010-04-08 00:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 23:36 . 2010-04-07 23:36 -------- d-----w- c:\program files\iPod
2010-04-07 23:35 . 2010-04-07 23:35 -------- d-----w- c:\program files\QuickTime
2010-04-07 23:33 . 2010-04-07 23:33 -------- d-----w- c:\program files\Apple Software Update
2010-04-07 23:28 . 2010-04-07 23:28 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2010-04-07 23:27 . 2010-04-07 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-04-07 23:27 . 2010-04-07 23:29 -------- d-s---w- c:\documents and settings\Administrator
2010-04-07 20:05 . 2010-04-09 00:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-07 04:52 . 2010-04-07 04:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-07 02:50 . 2010-04-07 23:30 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(2)
2010-04-07 01:30 . 2010-04-07 01:30 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-05 09:08 . 2010-04-07 23:33 -------- d-----w- c:\program files\iPod(2)
2010-04-05 09:08 . 2010-04-05 09:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-05 09:07 . 2010-04-07 23:33 -------- d-----w- c:\program files\QuickTime(2)
2010-04-05 09:06 . 2010-04-07 23:33 -------- d-----w- c:\program files\Apple Software Update(2)
2010-03-31 05:30 . 2010-03-31 05:30 -------- d-----w- c:\program files\ASIO4ALL v2
2010-03-31 05:13 . 2010-04-03 05:33 -------- d-----w- c:\documents and settings\Tyler\Application Data\REAPER
2010-03-31 05:12 . 2010-03-31 05:12 -------- d-----w- c:\program files\REAPER
2010-03-31 04:46 . 2010-03-31 04:46 -------- d-----w- c:\documents and settings\Tyler\Application Data\Recordpad
2010-03-31 04:46 . 2010-03-31 04:46 -------- d-----w- c:\program files\NCH Software
2010-03-31 04:46 . 2010-03-31 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-03-31 04:46 . 2010-03-31 04:46 -------- d-----w- c:\documents and settings\Tyler\Application Data\NCH Swift Sound
2010-03-30 06:56 . 2010-04-05 00:20 195760 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-20 07:14 . 2010-03-20 07:14 -------- d-----w- c:\program files\Audacity
2010-03-13 03:38 . 2010-03-13 03:38 -------- d-----w- c:\program files\Pidgin
2010-03-13 03:27 . 2010-03-13 03:32 -------- d-----w- c:\documents and settings\Tyler\Application Data\Trillian
2010-03-13 03:26 . 2010-03-13 03:34 -------- d-----w- c:\program files\Trillian
2010-03-10 22:58 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-09 01:13 . 2010-04-09 01:12 77312 ----a-w- C:\mbr.exe
2010-04-09 00:14 . 2009-10-14 23:18 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-08 21:08 . 2010-04-08 20:49 141094 ----a-w- C:\MGlogs.zip
2010-04-08 04:39 . 2009-10-14 09:27 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-08 04:23 . 2009-10-15 01:45 -------- d-----w- c:\program files\DVDVideoSoft
2010-04-08 04:23 . 2009-10-15 01:46 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-04-08 00:36 . 2009-10-15 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-08 00:34 . 2009-10-15 00:55 -------- d-----w- c:\program files\CCleaner
2010-04-07 23:42 . 2009-10-15 00:24 -------- d-----w- c:\program files\Bonjour
2010-04-07 23:37 . 2009-10-15 00:24 -------- d-----w- c:\program files\iTunes
2010-04-07 23:33 . 2009-10-15 00:22 -------- d-----w- c:\program files\Common Files\Apple
2010-04-07 23:30 . 2009-10-21 17:44 -------- d-----w- c:\program files\Heroes of Newerth
2010-04-06 23:40 . 2009-10-15 20:36 -------- d-----w- c:\documents and settings\Tyler\Application Data\.purple
2010-04-05 22:28 . 2009-10-28 04:41 -------- d-----w- c:\documents and settings\Tyler\Application Data\TuneUpMedia
2010-04-05 09:07 . 2009-10-15 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-25 01:31 . 2009-10-14 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-17 22:05 . 2010-03-17 22:05 5460 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-03-15 03:14 . 2001-08-23 12:00 8468992 ----a-w- c:\windows\system32\logonuiX.exe
2010-03-13 03:24 . 2009-10-14 23:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-07 23:33 . 2009-11-19 08:28 -------- d-----w- c:\program files\coolpro2
2010-02-25 06:24 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-21 01:44 . 2010-02-21 01:44 -------- d-----w- c:\program files\Tunatic
2010-02-08 05:00 . 2009-10-27 00:45 57412 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-08 02:45 . 2009-11-08 03:44 -------- d-----w- c:\documents and settings\Tyler\Application Data\U3
2010-02-07 00:49 . 2010-02-07 00:50 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-06 01:20 . 2009-10-14 10:09 71264 ----a-w- c:\documents and settings\Tyler\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-23 03:51 . 2010-01-23 03:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Tyler\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-14 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bluetooth Connection Assistant"="LBTWIZ.EXE -silent" [X]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-09-11 2054360]
"Easy Synchronization"="c:\program files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 53248]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-04 987187]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"VX1000"="c:\windows\vVX1000.exe" [2009-07-24 762208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-14 813584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= "c:\program files\Logitech\Easy Synchronization\shellexecutehook.dll" [2005-10-05 69632]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 19:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tyler^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Tyler\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-15 05:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 19:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 11:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2006-02-10 04:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-09-20 22:35 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DPAgnt]
c:\program files\DigitalPersona\Bin\DPAgnt.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX6000 Series]
2006-02-13 11:00 131072 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIBIA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]
2006-11-23 04:10 151552 ------w- c:\program files\CyberLink\PCM4Everio\EverioService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-10-14 19:36 133104 ----atw- c:\documents and settings\Tyler\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 03:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2009-07-24 22:05 118640 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-09-20 16:51 1836328 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 22:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
c:\program files\Search Settings\SearchSettings.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-07-21 18:00 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-14 23:34 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX1000]
2009-07-24 22:05 762208 ----a-w- c:\windows\vVX1000.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
krnlddin REG_SZ c:\windows\system32\ciphmapi.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/11/2009 7:23 AM 108792]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [9/11/2009 7:24 AM 735960]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [10/14/2009 5:08 PM 10384]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 4:31 AM 92008]
S3 usbdpfp;Fingerprint Reader Class Driver;c:\windows\system32\drivers\usbdpfp.sys [10/15/2009 12:20 AM 47360]
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-448539723-839522115-1003Core.job
- c:\documents and settings\Tyler\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-14 19:36]

2010-04-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-448539723-839522115-1003UA.job
- c:\documents and settings\Tyler\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-14 19:36]

2010-04-08 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Tyler\Application Data\Mozilla\Firefox\Profiles\aqdep9qo.default\
FF - plugin: c:\documents and settings\Tyler\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-08 19:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x89C2FAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f11852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1300)
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(1408)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-08 19:19:43
ComboFix-quarantined-files.txt 2010-04-09 02:19
ComboFix2.txt 2010-04-08 20:28

Pre-Run: 19,780,616,192 bytes free
Post-Run: 19,775,782,912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 0789A05E8C142930784CA8C8F91742CF



Edited by farbar, 09 April 2010 - 02:46 AM.
Opened the log.


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:21 AM

Posted 09 April 2010 - 02:57 AM

Well done.
  1. We are going to run this special tool.
    • Please download TDSSKiller.zip and save it to your desktop.
    • Extract the zip file to your desktop.
    • Make sure TDSSKiller.exe is not in a folder.
      The exe file should be placed on the desktop, it looks like
    • Go to Start => Run, copy and paste the following command into the Run box and press Enter:

      "%userprofile%\desktop\TDSSKiller.exe" -l report.txt -v

    • When it has finished, press any key to continue and let it reboot if needed.
    • Please attach the report.txt created on your desktop.

  2. Reboot the computer now once even if TDSSKiller needed a reboot.

  3. Please run look.bat from post 5 and post the log it makes.


#11 hobomike595

hobomike595
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:21 PM

Posted 09 April 2010 - 03:33 AM

Upon restarting the first time, the computer froze while shutting down and showed just the desktop background and the mouse pointer (which wasn't frozen); it did this yesterday when I first became aware of the trojan. It shut down fine the second time and booted up fine, no restart loop =]


------------------------------------

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89B70AC8]<<
kernel: MBR read successfully
user & kernel MBR OK




#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:21 AM

Posted 09 April 2010 - 03:50 AM

Did you have to use the reset button to reboot when the computer froze?

The TDSSKiller log shows it has cured the infected system file but the mbr.log doesn't confirm it.
  1. Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      CODE
      :filefind
      atapi.sy*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

  2. Please repeat all the steps in the previous post to see if TDSSKiller again flags the system file.

I'll be away from the computer for about one hour.
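The two checks Farbar is reasoning about in this post, as an added example (not code from SystemLook, TDSSKiller, mbr.exe or the thread's look.bat): a triage parser for the Gmer MBR detector report, which treats a ">>UNKNOWN [0x...]<<" module in the disk I/O chain as the reason the log cannot confirm the fix even though the MBR reads OK, and the hash comparison across the copies of atapi.sys that the SystemLook ':filefind atapi.sy*' listing is used for. The function names, the temp-directory tree, the byte content standing in for the driver and the clean log line are all constructed for this example; the mbr.exe excerpt is taken from the ComboFix log pasted above.

```python
"""Defender-side checks for the situation in this thread (added example; not
code from SystemLook, TDSSKiller, mbr.exe or Farbar's look.bat).
parse_mbr_log(): a Gmer "Stealth MBR rootkit" report is only clean when every
module in the disk I/O chain ("called modules:") is identified; a
">>UNKNOWN [0x...]<<" entry is what keeps the thread's logs from confirming
the fix, even though the MBR itself reads OK.
find_driver_copies()/differing_copies(): the comparison the SystemLook listing
':filefind atapi.sy*' is used for; XP keeps backup copies of atapi.sys."""
import fnmatch
import hashlib
import os
import re
import tempfile
from collections import Counter

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")

# Excerpt of the mbr.exe output embedded in the ComboFix log above.
SAMPLE_MBR_LOG = """\
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x89C2FAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\\Driver\\ACPI -> ACPI.sys @ 0xb9f7fcb8
\\Driver\\atapi -> atapi.sys @ 0xb9f11852
user & kernel MBR OK
"""
# Constructed clean counterpart: every module in the chain is identified.
CLEAN_MBR_LOG = "called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys\nuser & kernel MBR OK\n"


def parse_mbr_log(text):
    """Pull the triage-relevant facts out of an mbr.exe report."""
    report = {"unknown_modules": [], "hook_lines": [], "mbr_ok": False}
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            report["unknown_modules"] = UNKNOWN_RE.findall(line)
        elif line == "detected MBR rootkit hooks:":
            in_hooks = True
        elif line == "user & kernel MBR OK":
            report["mbr_ok"], in_hooks = True, False
        elif in_hooks and line:
            report["hook_lines"].append(line)  # kept verbatim for the analyst
    # A readable MBR is necessary but not sufficient for a clean verdict.
    report["clean"] = report["mbr_ok"] and not report["unknown_modules"]
    return report


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_driver_copies(root, pattern="atapi.sy*"):
    """Every file under root matching the pattern (case-insensitive), with
    size and SHA-256; paths relative to root, sorted for stable output."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if fnmatch.fnmatch(name.lower(), pattern.lower()):
                full = os.path.join(dirpath, name)
                found.append({"path": os.path.relpath(full, root),
                              "size": os.path.getsize(full),
                              "sha256": sha256_file(full)})
    return sorted(found, key=lambda c: c["path"])


def differing_copies(copies):
    """Paths whose hash is not the majority hash; when no hash repeats at
    all, every path is returned for inspection."""
    if len(copies) < 2:
        return []
    top_hash, top_count = Counter(c["sha256"] for c in copies).most_common(1)[0]
    if top_count == 1:
        return [c["path"] for c in copies]
    return [c["path"] for c in copies if c["sha256"] != top_hash]


def demo_check():
    """Constructed XP-like tree in a temp dir: two identical backup copies of
    atapi.sys and one same-size copy under system32\\drivers with eight bytes
    changed (a stand-in for a patched driver, not real driver content)."""
    good = bytes(range(256)) * 8
    patched = good[:100] + b"\x90" * 8 + good[108:]
    layout = {
        os.path.join("WINDOWS", "system32", "drivers", "atapi.sys"): patched,
        os.path.join("WINDOWS", "system32", "dllcache", "atapi.sys"): good,
        os.path.join("WINDOWS", "ServicePackFiles", "i386", "atapi.sys"): good,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in layout.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        copies = find_driver_copies(root)
        return {"copies": len(copies),
                "same_size": len({c["size"] for c in copies}) == 1,
                "outliers": differing_copies(copies)}
```

The size check matters: the copies in this constructed tree are all the same size, so a listing that shows only sizes and dates would look consistent, and only the hash comparison singles out the copy under system32\drivers. One caveat for the live-system case: a kernel-mode component that filters disk reads can hand user-mode tools the original bytes of a file it has modified, so a hash comparison taken from inside the running system is trustworthy only after a clean boot or against the volume offline, which is the reason for the reboot-and-rescan cycle in this thread.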

#13 hobomike595

hobomike595
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 09 April 2010 - 04:26 AM

Yes, I did have to use the reset button when it froze up. Also, I have been using the look.bat file which was already created in post 5; was I supposed to create a new one for this part of the process?

It's late here, I'll be back in the morning =P




#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:21 AM

Posted 09 April 2010 - 04:52 AM

Good morning.

TDSSKiller flagged the file again.

QUOTE
was I supposed to create a new one for this part of the process?

No, the old one will do, but you forgot to post the log. Please reboot if you have not rebooted after running TDSSKiller, then run the look.bat again and post the log.



#15 hobomike595

hobomike595
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:21 PM

Posted 09 April 2010 - 02:08 PM

Whoops! Not sure why I attached "report 2" instead. Here ya go

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89B38AC8]<<
kernel: MBR read successfully
user & kernel MBR OK


