
Laptop may be infected with Recycler virus


This topic is locked. 26 replies to this topic.

#1 sherriec09 (Members, 51 posts)

Posted 11 April 2010 - 04:03 AM

Hi again Sempai!
I turned off ESET before I did all of this.

Here are the txt files for the laptop:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Sherrie at 22:56:28.46 on Sat 04/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1577 [GMT -7:00]

AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ACS.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Sherrie\Desktop\dds.scr

============== Pseudo HJT Report ===============

mSearchAssistant = hxxp://www.google.com/ie
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab45837.cab
DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - hxxp://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab41227.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
Notify: igfxcui - igfxsrvc.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli scecli scecli
Hosts: 192.168.12.190 zoom-gac-2
================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sherrie\applic~1\mozilla\firefox\profiles\0iu94k3o.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com
FF - component: c:\documents and settings\sherrie\application data\idm\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\documents and settings\sherrie\local settings\application data\yahoo!\browserplus\2.6.0\plugins\npybrowserplus_2.6.0.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 29808]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-12-21 35168]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-10-7 472280]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-11-6 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-3-21 1201640]
R3 st3tgbus;st3tgbus;c:\windows\system32\drivers\st3tgbus.sys [2003-3-12 8640]
R3 st3tiger;st3tiger;c:\windows\system32\drivers\st3tiger.sys [2003-3-12 99168]
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\drivers\mr97310v.sys [2006-7-18 99840]
S3 TwUSBD;TwUSBD;c:\windows\system32\drivers\TwUSBD.sys [2003-9-29 16000]
S4 DSClSvc;DocSTAR Client Service;c:\docstar\dsclsv.exe --> c:\docstar\dsclsv.exe [?]
S4 DSHost;DocSTAR Host Service;c:\docstar\dshostsv.exe --> c:\docstar\dshostsv.exe [?]

=============== Created Last 30 ================

2010-04-11 05:46:49 20 ----a-w- c:\documents and settings\sherrie\defogger_reenable
2010-04-11 05:08:57 0 d-----w- c:\program files\Sun
2010-04-11 05:08:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-11 05:08:48 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-09 06:57:34 0 d-----w- C:\Temp
2010-04-09 06:53:16 0 d-----w- c:\program files\Cheetah Burner
2010-04-07 23:25:03 0 d-----w- c:\docume~1\sherrie\applic~1\Silverback Productions
2010-04-07 23:23:17 0 d-----w- c:\program files\Empress of the Deep
2010-04-06 04:26:09 10 ----a-w- c:\windows\system32\deposit.dll
2010-04-05 07:14:40 0 d-----w- c:\docume~1\sherrie\applic~1\Playrix Entertainment
2010-04-05 07:13:30 0 d-----w- c:\program files\Fishdom
2010-04-05 04:40:12 0 d-----w- c:\docume~1\sherrie\applic~1\Absolutist
2010-04-05 04:40:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Absolutist
2010-04-05 04:37:40 0 d-----w- c:\program files\Green Moon
2010-04-04 05:37:36 0 d-sha-r- C:\autorun.inf
2010-04-04 04:46:33 0 d-----w- c:\program files\LSoft Technologies
2010-04-03 05:27:55 0 d-----w- c:\docume~1\sherrie\applic~1\Big Fish Games
2010-04-03 05:25:37 0 d-----w- c:\program files\Mystery Case Files - Dire Grove Collector's Edition
2010-04-02 05:53:13 0 d-----w- c:\docume~1\sherrie\applic~1\Virtual Prophecy
2010-04-02 05:53:12 4096 ----a-w- c:\windows\d3dx.dat
2010-04-02 05:50:32 0 d-----w- c:\program files\Mishap An Accidental Haunting
2010-04-02 04:28:57 0 d-----w- c:\docume~1\alluse~1\applic~1\EdensQuest
2010-04-02 04:20:40 0 d-----w- c:\program files\Edens Quest
2010-04-01 07:47:45 0 d-----w- c:\program files\Mah Jong Quest
2010-04-01 05:16:26 0 d-----w- c:\docume~1\sherrie\applic~1\Artifex Mundi
2010-04-01 05:14:56 0 d-----w- c:\program files\Joan Jade and the Gates of Xibalba
2010-03-19 00:12:49 0 d-----w- c:\program files\common files\DivX Shared
2010-03-19 00:00:12 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX
2010-03-17 04:20:45 0 d-----w- c:\docume~1\sherrie\applic~1\Freezetag
2010-03-17 04:20:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Trymedia
2010-03-17 03:28:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Emberwind
2010-03-17 03:28:37 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-03-17 03:28:37 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-03-17 03:28:37 0 d-----w- c:\program files\OpenAL
2010-03-17 03:28:31 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-03-17 03:28:28 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2010-03-17 03:28:26 0 d-----w- c:\windows\Logs
2010-03-17 00:07:44 0 d-sh--w- c:\documents and settings\sherrie\PrivacIE
2010-03-13 01:01:16 146321 ----a-w- c:\windows\system32\plus!.hlp
2010-03-13 01:01:16 1300 ----a-w- c:\windows\system32\cool.dll
2010-03-13 01:01:14 32768 ----a-w- c:\windows\system32\dapanel.cpl
2010-03-13 01:01:11 0 d-----w- c:\program files\Desktop Architect

==================== Find3M ====================

2010-04-04 04:47:05 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-19 19:27:16 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27:16 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27:16 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27:16 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27:16 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2010-01-19 19:29:52 286720 ----a-w- c:\windows\system32\eSTsnmp.dll
2008-03-08 06:39:34 40352 ----a-w- c:\windows\inf\Usbkey.sys
1999-04-23 22:22:22 12 --sha-w- c:\windows\system\WININETICMP32.drv
2009-10-17 21:18:25 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 22:56:49.70 ===============

Attached file: Attach.txt (11.72 KB)
Attached file: ark.txt.log (22.42 KB)

Thanks Sempai!


Edited by sempai, 11 April 2010 - 04:13 AM.
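An added triage aid, written for this page and not part of the thread, of DDS, or of any BleepingComputer tool: a small parser for two sections of the DDS log above, the SERVICES / DRIVERS lines and the "Created Last 30" lines, fed with sample lines copied from that log. It turns the `R2 name;display;path [date size]` records into structured entries, reads the `path --> path [?]` form as "binary not found on disk", and lists recently created hidden+system items and very small new files under system32 as things a helper would look at by hand. The reading of the state letters (R/S plus start-type digit), of the attribute letters (d/s/h/a/r) and the 2 KB size threshold are my assumptions; the output is a reviewer's to-do list, not a malware verdict (the helper in this thread read this log as clean).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the DDS log posted above
# (SERVICES / DRIVERS and "Created Last 30" sections).
SAMPLE_SERVICES = r"""
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 29808]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-10-7 472280]
S3 TwUSBD;TwUSBD;c:\windows\system32\drivers\TwUSBD.sys [2003-9-29 16000]
S4 DSClSvc;DocSTAR Client Service;c:\docstar\dsclsv.exe --> c:\docstar\dsclsv.exe [?]
"""
SAMPLE_CREATED = r"""
2010-04-11 05:08:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-06 04:26:09 10 ----a-w- c:\windows\system32\deposit.dll
2010-04-04 05:37:36 0 d-sha-r- C:\autorun.inf
2010-03-17 00:07:44 0 d-sh--w- c:\documents and settings\sherrie\PrivacIE
2010-03-13 01:01:16 1300 ----a-w- c:\windows\system32\cool.dll
"""

# Service line: "<state> <name>;<display>;<path> [<date> <size>]"; when DDS cannot
# find the binary on disk the line ends "<path> --> <path> [?]" instead.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?:\s+-->\s+(?P<target>.+?))?\s+\[(?P<tail>[^\]]*)\]\s*$"
)
# "Created Last 30" line: "<date> <time> <size> <attrs> <path>".
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[\w-]{8})\s+(?P<path>.+?)\s*$"
)
# State column, assumed to follow the DDS/HijackThis convention: R running, S stopped;
# the digit is the service start type.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str
    date: Optional[str]   # None when DDS printed "[?]"
    size: Optional[int]
    file_missing: bool

    def describe(self) -> str:
        status = "running" if self.state[0] == "R" else "stopped"
        note = " (file not found)" if self.file_missing else ""
        return f"{self.name}: {status}, {START_TYPES.get(self.state[1], 'unknown')}{note}"

@dataclass
class CreatedEntry:
    date: str
    time: str
    size: int
    attrs: str   # assumed: d directory, s system, h hidden, a archive, r read-only
    path: str

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs

def parse_services(text: str) -> List[ServiceEntry]:
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue  # headers, blanks and lines from other sections are skipped
        tail = m["tail"].strip()
        if tail == "?":
            date, size, missing = None, None, True
        else:
            d, s = tail.split()
            date, size, missing = d, int(s), False
        entries.append(ServiceEntry(m["state"], m["name"], m["display"], m["path"], date, size, missing))
    return entries

def parse_created(text: str) -> List[CreatedEntry]:
    out = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            out.append(CreatedEntry(m["date"], m["time"], int(m["size"]), m["attrs"], m["path"]))
    return out

def missing_file_services(entries: List[ServiceEntry]) -> List[str]:
    """Service names whose binary DDS could not locate (orphaned registrations)."""
    return [e.name for e in entries if e.file_missing]

def hidden_system_entries(entries: List[CreatedEntry]) -> List[str]:
    """Recently created hidden+system items: worth a manual look, not a verdict."""
    return [e.path for e in entries if e.hidden_system]

def small_system32_files(entries: List[CreatedEntry], max_size: int = 2048) -> List[str]:
    """Tiny new files under system32; the size threshold is an arbitrary choice."""
    return [e.path for e in entries
            if not e.attrs.startswith("d") and e.size < max_size
            and "\\system32\\" in e.path.lower()]

if __name__ == "__main__":
    print("\n".join(s.describe() for s in parse_services(SAMPLE_SERVICES)))
    created = parse_created(SAMPLE_CREATED)
    print(hidden_system_entries(created), small_system32_files(created))
```

Run as a script it prints one line per service and the two watch lists; on the sample above the `[?]` entry is DSClSvc, the hidden+system items are the `C:\autorun.inf` folder and `PrivacIE`, and the small system32 files are `deposit.dll` (10 bytes) and `cool.dll` (1300 bytes). The lists are only a starting point for the kind of manual review the helper does in this thread.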



#2 sempai (Malware Response Team, 5,288 posts)

Posted 11 April 2010 - 04:38 AM

Hi sherriec09,

I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False alarms: when the antivirus software tells you that your PC has a virus when it actually doesn't.
2) System performance problems: your system may lock up due to both products attempting to access the same file at the same time.
Therefore, please go to Add/Remove in the Control Panel and remove either Webroot AntiVirus or ESET NOD32 Antivirus.


++++++++++++++++++++++++++


There's no sign of malware in the log; let's try MBAM and the Kaspersky online scan.

1. Please run Malwarebytes Anti-Malware. Go to the Update tab and download all updates, then perform a full scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



2. Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Note: The Kaspersky online scan may take time to complete; please be patient.


~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)


#3 sherriec09 (Topic Starter)

Posted 12 April 2010 - 12:28 AM

I can't get MBAM to work now. Every time I try to run it I get a runtime error at 0. I tried reinstalling and received the same error during the install process. I don't know what happened; it was working fine a few days ago.
I tried the Kaspersky scan and it took over 10 hrs just to download less than half the updates. I finally stopped it. My browser seems to freeze on it. I had my ESET disabled and I uninstalled the Webroot AV before I started any of it.
I will try again and let it run all night.

#4 sempai (Malware Response Team, 5,288 posts)

Posted 12 April 2010 - 08:27 AM

Hi,

Please do the following:


1. Please download RKill by Grinler.
Link 1
Link 2
Link 3
Link 4
  • Save it to your desktop.
  • Close/disable your antivirus program so it does not interfere with RKill. (Tutorials on how to disable your antivirus program can be found HERE.)
  • Double click the RKILL icon to start the program. (For Windows VISTA, right click the icon and run as administrator)
  • A window will appear and close automatically once completed. This indicates a successful run.
  • Do not reboot your computer and continue with step 2.
  • Post the rkill log when you reply. (C:\rkill.log)
Note:
  1. Try running RKill using Link 1; if it does not run, download Link 2, delete Link 1 and try running it again.
  2. If you still can't run RKill, repeat the same steps using Links 3 and 4. Please tell me if none of the links work.




2. Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2
  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper.


~Semp


#5 sherriec09 (Topic Starter)

Posted 12 April 2010 - 03:43 PM

Kaspersky scanned this morning.
MBAM seems to be working now. Let me know if I still need to do a scan with this.

Here you go:

Kaspersky:
No log, nothing found, nothing deleted.

Rkill:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Sherrie on 04/12/2010 at 12:38:39.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Sherrie\Desktop\rkill.com


Rkill completed on 04/12/2010 at 12:38:42.


ComboFix:

ComboFix 10-04-12.01 - Sherrie 04/12/2010 13:21:11.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1631 [GMT -7:00]
Running from: c:\documents and settings\Sherrie\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\eSellerateEngine.dll
c:\windows\system32\_004435_.tmp.dll
c:\windows\system32\_004436_.tmp.dll
c:\windows\system32\_004437_.tmp.dll
c:\windows\system32\_004438_.tmp.dll
c:\windows\system32\_004445_.tmp.dll
c:\windows\system32\_004446_.tmp.dll
c:\windows\system32\_004447_.tmp.dll
c:\windows\system32\_004449_.tmp.dll
c:\windows\system32\_004450_.tmp.dll
c:\windows\system32\_004453_.tmp.dll
c:\windows\system32\_004454_.tmp.dll
c:\windows\system32\_004456_.tmp.dll
c:\windows\system32\_004457_.tmp.dll
c:\windows\system32\_004458_.tmp.dll
c:\windows\system32\_004460_.tmp.dll
c:\windows\system32\_004463_.tmp.dll
c:\windows\system32\_004464_.tmp.dll
c:\windows\system32\_004468_.tmp.dll
c:\windows\system32\_004469_.tmp.dll
c:\windows\system32\_004471_.tmp.dll
c:\windows\system32\_004473_.tmp.dll
c:\windows\system32\_004474_.tmp.dll
c:\windows\system32\_004476_.tmp.dll
c:\windows\system32\_004477_.tmp.dll
c:\windows\system32\_004478_.tmp.dll
c:\windows\system32\_004479_.tmp.dll
c:\windows\system32\_004482_.tmp.dll
c:\windows\system32\_004483_.tmp.dll
c:\windows\system32\_004484_.tmp.dll
c:\windows\system32\_004485_.tmp.dll
c:\windows\system32\_004486_.tmp.dll
c:\windows\system32\_004491_.tmp.dll
c:\windows\system32\_004493_.tmp.dll
c:\windows\system32\_006619_.tmp.dll
c:\windows\system32\_006620_.tmp.dll
c:\windows\system32\_006621_.tmp.dll
c:\windows\system32\_006622_.tmp.dll
c:\windows\system32\_006629_.tmp.dll
c:\windows\system32\_006630_.tmp.dll
c:\windows\system32\_006631_.tmp.dll
c:\windows\system32\_006632_.tmp.dll
c:\windows\system32\_006634_.tmp.dll
c:\windows\system32\_006635_.tmp.dll
c:\windows\system32\_006638_.tmp.dll
c:\windows\system32\_006639_.tmp.dll
c:\windows\system32\_006641_.tmp.dll
c:\windows\system32\_006642_.tmp.dll
c:\windows\system32\_006643_.tmp.dll
c:\windows\system32\_006645_.tmp.dll
c:\windows\system32\_006648_.tmp.dll
c:\windows\system32\_006649_.tmp.dll
c:\windows\system32\_006653_.tmp.dll
c:\windows\system32\_006654_.tmp.dll
c:\windows\system32\_006656_.tmp.dll
c:\windows\system32\_006658_.tmp.dll
c:\windows\system32\_006659_.tmp.dll
c:\windows\system32\_006661_.tmp.dll
c:\windows\system32\_006662_.tmp.dll
c:\windows\system32\_006663_.tmp.dll
c:\windows\system32\_006664_.tmp.dll
c:\windows\system32\_006665_.tmp.dll
c:\windows\system32\_006668_.tmp.dll
c:\windows\system32\_006669_.tmp.dll
c:\windows\system32\_006670_.tmp.dll
c:\windows\system32\_006671_.tmp.dll
c:\windows\system32\_006672_.tmp.dll
c:\windows\system32\_006677_.tmp.dll
c:\windows\system32\_006679_.tmp.dll
c:\windows\system32\deposit.dll
c:\windows\system32\img_utils.dll
c:\windows\system32\imgscaler.dll
c:\windows\system32\videocore.dll
c:\windows\system32\videoformat.dll
c:\windows\system32\w020t32w.dll
c:\windows\system32\w021t32w.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-11 09:24 . 2010-04-11 09:24 503808 ----a-w- c:\documents and settings\Sherrie\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5e367caf-n\msvcp71.dll
2010-04-11 09:24 . 2010-04-11 09:24 499712 ----a-w- c:\documents and settings\Sherrie\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5e367caf-n\jmc.dll
2010-04-11 09:24 . 2010-04-11 09:24 348160 ----a-w- c:\documents and settings\Sherrie\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5e367caf-n\msvcr71.dll
2010-04-11 09:24 . 2010-04-11 09:24 61440 ----a-w- c:\documents and settings\Sherrie\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1a370b09-n\decora-sse.dll
2010-04-11 09:24 . 2010-04-11 09:24 12800 ----a-w- c:\documents and settings\Sherrie\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1a370b09-n\decora-d3d.dll
2010-04-11 05:08 . 2010-04-11 05:08 -------- d-----w- c:\program files\Sun
2010-04-11 05:08 . 2010-04-11 05:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-11 05:06 . 2010-04-11 05:08 -------- d-----w- c:\program files\Java
2010-04-09 06:57 . 2010-04-09 07:11 -------- d-----w- C:\Temp
2010-04-07 23:25 . 2010-04-07 23:25 -------- d-----w- c:\documents and settings\Sherrie\Application Data\Silverback Productions
2010-04-07 23:23 . 2010-04-07 23:24 -------- d-----w- c:\program files\Empress of the Deep
2010-04-07 05:17 . 2010-04-07 05:17 -------- d-----w- c:\documents and settings\Sherrie\Local Settings\Application Data\Game Mill Files
2010-04-05 07:14 . 2010-04-05 07:14 -------- d-----w- c:\documents and settings\Sherrie\Application Data\Playrix Entertainment
2010-04-05 07:13 . 2010-04-05 07:14 -------- d-----w- c:\program files\Fishdom
2010-04-05 04:40 . 2010-04-05 04:40 -------- d-----w- c:\documents and settings\Sherrie\Application Data\Absolutist
2010-04-05 04:40 . 2010-04-05 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Absolutist
2010-04-05 04:37 . 2010-04-07 22:12 -------- d-----w- c:\program files\Green Moon
2010-04-04 04:46 . 2010-04-04 04:46 -------- d-----w- c:\program files\LSoft Technologies
2010-04-03 05:27 . 2010-04-03 05:27 -------- d-----w- c:\documents and settings\Sherrie\Application Data\Big Fish Games
2010-04-03 05:25 . 2010-04-03 05:25 -------- d-----w- c:\program files\Mystery Case Files - Dire Grove Collector's Edition
2010-04-02 05:53 . 2010-04-02 05:53 -------- d-----w- c:\documents and settings\Sherrie\Application Data\Virtual Prophecy
2010-04-02 05:53 . 2010-04-02 05:53 4096 ----a-w- c:\windows\d3dx.dat
2010-04-02 05:50 . 2010-04-03 05:21 -------- d-----w- c:\program files\Mishap An Accidental Haunting
2010-04-02 04:28 . 2010-04-02 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\EdensQuest
2010-04-02 04:20 . 2010-04-03 05:17 -------- d-----w- c:\program files\Edens Quest
2010-04-01 07:47 . 2010-04-05 03:22 -------- d-----w- c:\program files\Mah Jong Quest
2010-04-01 05:16 . 2010-04-01 05:16 -------- d-----w- c:\documents and settings\Sherrie\Application Data\Artifex Mundi
2010-04-01 05:14 . 2010-04-03 05:20 -------- d-----w- c:\program files\Joan Jade and the Gates of Xibalba
2010-03-25 20:32 . 2010-03-25 20:32 -------- d-----w- c:\documents and settings\Sherrie\Local Settings\Application Data\Yahoo!
2010-03-19 13:27 . 2010-03-19 13:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-03-19 00:22 . 2010-04-01 00:27 -------- d-----w- c:\documents and settings\Sherrie\Local Settings\Application Data\Temp
2010-03-19 00:14 . 2010-03-19 00:00 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-03-19 00:12 . 2010-03-19 00:12 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-03-19 00:12 . 2010-03-19 00:12 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-03-19 00:12 . 2010-03-19 00:12 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-03-19 00:12 . 2010-03-19 00:12 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-03-19 00:12 . 2010-03-19 00:12 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-19 00:12 . 2010-03-19 00:12 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-03-19 00:05 . 2010-03-19 00:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-03-19 00:05 . 2010-03-19 01:22 -------- d-----w- c:\documents and settings\Sherrie\Local Settings\Application Data\Google
2010-03-19 00:05 . 2010-04-03 05:27 -------- d-----w- c:\program files\Google
2010-03-19 00:00 . 2010-03-19 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-03-17 04:20 . 2010-03-17 04:20 -------- d-----w- c:\documents and settings\Sherrie\Application Data\Freezetag
2010-03-17 04:20 . 2010-03-17 04:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2010-03-17 03:28 . 2010-03-17 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Emberwind
2010-03-17 03:28 . 2010-03-17 03:28 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-03-17 03:28 . 2010-03-17 03:28 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-03-17 03:28 . 2010-03-17 03:28 -------- d-----w- c:\program files\OpenAL
2010-03-17 03:28 . 2009-03-09 22:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-03-17 03:28 . 2007-04-05 01:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2010-03-17 03:28 . 2010-03-17 03:28 -------- d-----w- c:\windows\Logs
2010-03-17 00:07 . 2010-03-17 00:07 -------- d-sh--w- c:\documents and settings\Sherrie\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 20:31 . 2010-03-03 01:40 -------- d-----w- c:\documents and settings\Sherrie\Application Data\DMCache
2010-04-11 20:50 . 2009-08-11 15:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 05:09 . 2005-11-28 00:08 -------- d-----w- c:\program files\Common Files\Java
2010-04-09 06:53 . 2010-04-09 06:53 -------- d-----w- c:\program files\Cheetah Burner
2010-04-09 06:53 . 2005-11-27 23:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-05 07:12 . 2010-02-28 05:31 -------- d-----w- c:\documents and settings\Sherrie\Application Data\vlc
2010-04-04 04:47 . 2007-07-14 22:21 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-03 05:22 . 2008-06-27 18:54 -------- d-----w- c:\program files\The Rosetta Stone
2010-03-30 07:46 . 2009-08-11 15:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2009-08-11 15:29 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-14 09:44 . 2010-03-01 00:14 -------- d-----w- c:\program files\Virtual Families
2010-03-14 05:16 . 2010-03-07 04:05 -------- d-----w- c:\documents and settings\Sherrie\Application Data\dvdcss
2010-03-14 00:13 . 2010-03-03 01:40 -------- d-----w- c:\documents and settings\Sherrie\Application Data\IDM
2010-03-13 01:01 . 2010-03-13 01:01 -------- d-----w- c:\program files\Desktop Architect
2010-03-11 00:46 . 2010-03-02 07:44 -------- d-----w- c:\program files\Calibre2
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-03-07 23:36 . 2010-03-07 23:34 -------- d-----w- c:\documents and settings\Sherrie\Application Data\TitanicMystery
2010-03-07 23:29 . 2010-03-07 23:29 -------- d-----w- c:\documents and settings\Sherrie\Application Data\Dragon Altar Games
2010-03-04 07:45 . 2010-03-04 07:45 -------- d-----w- c:\documents and settings\Sherrie\Application Data\EA
2010-03-04 07:44 . 2010-03-04 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\EA
2010-03-03 01:43 . 2010-03-03 01:40 -------- d-----w- c:\program files\Internet Download Manager
2010-03-03 01:41 . 2010-03-03 01:41 198064 ----a-w- c:\documents and settings\Sherrie\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2010-03-02 07:45 . 2010-03-02 07:45 -------- d-----w- c:\documents and settings\Sherrie\Application Data\calibre
2010-03-01 04:32 . 2010-03-01 03:24 -------- d-----w- c:\program files\Games
2010-03-01 04:32 . 2010-03-01 04:31 -------- d-----w- c:\program files\Plus!
2010-03-01 03:57 . 2010-03-01 03:57 -------- d-----w- c:\program files\plant tycoon
2010-03-01 03:56 . 2010-03-01 03:56 -------- d-----w- c:\program files\Microsoft Reader
2010-03-01 03:10 . 2010-03-01 03:10 -------- d-----w- c:\program files\eBay
2010-03-01 03:08 . 2010-03-01 03:07 -------- d-----w- c:\program files\Casino Island To Go
2010-03-01 00:14 . 2010-03-01 00:14 -------- d-----w- c:\program files\ReflexiveArcade
2010-02-28 02:57 . 2006-04-02 06:14 -------- d-----w- c:\program files\Eraser
2010-02-28 02:39 . 2010-02-28 02:39 -------- d-----w- c:\documents and settings\Sherrie\Application Data\Malwarebytes
2010-02-27 17:14 . 2010-02-27 17:14 -------- d-----w- c:\documents and settings\Administrator.KINNIKUMOBILE\Application Data\Malwarebytes
2010-02-27 17:08 . 2010-02-27 17:08 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-02-27 16:35 . 2010-02-27 16:35 99152 ----a-w- c:\documents and settings\Sherrie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-27 16:35 . 2010-02-27 16:35 -------- d-----w- c:\documents and settings\Sherrie\Application Data\Intel
2010-02-26 04:12 . 2005-11-27 22:34 86327 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-02-26 03:12 . 2010-02-26 03:12 3584 ----a-r- c:\documents and settings\Administrator.KINNIKUMOBILE\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-02-26 03:12 . 2010-02-26 03:12 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-02-26 03:12 . 2009-02-14 01:31 -------- d-----w- c:\program files\MSECache
2010-02-26 02:06 . 2005-11-27 23:59 -------- d-----w- c:\program files\Common Files\Intuit
2010-02-26 01:08 . 2005-11-28 10:51 -------- d-----w- c:\program files\WS_FTP
2010-02-26 00:56 . 2008-02-09 21:51 -------- d-----w- c:\program files\PDF995
2010-02-26 00:52 . 2007-09-08 21:05 -------- d-----w- c:\program files\Runtime Software
2010-02-26 00:03 . 2006-07-16 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-02-25 23:56 . 2008-07-12 00:07 256 ----a-w- c:\windows\system32\pool.bin
2010-02-25 06:24 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2010-02-15 03:15 . 2007-02-15 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-02-13 20:52 . 2010-02-13 20:52 18205544 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US60016401xupd.exe
2010-02-07 03:24 . 2010-02-07 03:24 3741656 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockCA.exe
2010-02-07 02:03 . 2010-02-07 02:03 16832384 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US57016001xupd.exe
2010-01-28 01:03 . 2010-01-28 01:02 15524808 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30025701xupd.exe
2010-01-19 19:29 . 2006-04-22 19:15 286720 ----a-w- c:\windows\system32\eSTsnmp.dll
2007-10-08 18:37 . 2007-10-25 00:43 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
1999-04-23 22:22 . 1999-04-23 22:22 12 --sha-w- c:\windows\system\WININETICMP32.drv
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-03-03 3179952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-07 1461080]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 19:27 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 16:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2003-03-13 03:41 77824 ----a-w- c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Architect]
2001-05-08 02:35 53248 ----a-w- c:\program files\Desktop Architect\datray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-03-05 15:32 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-11-02 17:03 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2004-10-15 19:27 385024 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
2008-04-14 13:42 10752 ----a-w- c:\windows\system32\dumprep.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 03:05 204288 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21433:TCP"= 21433:TCP:BitComet 21433 TCP
"21433:UDP"= 21433:UDP:BitComet 21433 UDP
"10086:TCP"= 10086:TCP:BitComet 10086 TCP
"10086:UDP"= 10086:UDP:BitComet 10086 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [12/21/2007 8:21 AM 35168]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [10/7/2009 10:16 AM 472280]
R3 st3tgbus;st3tgbus;c:\windows\system32\drivers\st3tgbus.sys [3/12/2003 8:37 PM 8640]
R3 st3tiger;st3tiger;c:\windows\system32\drivers\st3tiger.sys [3/12/2003 8:38 PM 99168]
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\drivers\mr97310v.sys [7/18/2006 1:40 PM 99840]
S3 TwUSBD;TwUSBD;c:\windows\system32\drivers\TwUSBD.sys [9/29/2003 11:01 AM 16000]
S4 DSClSvc;DocSTAR Client Service;c:\docstar\dsclsv.exe --> c:\docstar\dsclsv.exe [?]
S4 DSHost;DocSTAR Host Service;c:\docstar\dshostsv.exe --> c:\docstar\dshostsv.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/14/2007 3:21 PM 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-04-12 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2003-03-31 13:42]

2010-04-12 c:\windows\Tasks\User_Feed_Synchronization-{155386EF-2B6D-4A4F-B31D-811CD07EED1F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Sherrie\Application Data\Mozilla\Firefox\Profiles\0iu94k3o.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com
FF - component: c:\documents and settings\Sherrie\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\documents and settings\Sherrie\Local Settings\Application Data\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe
AddRemove-HijackThis - f:\inetpub\wwwroot\tools\HijackThis.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 13:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A019C88]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> 0x8a019c88
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel® PRO/Wireless 2200BG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7858bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7847a0d
SendHandler -> NDIS.sys @ 0xf785bb40
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'lsass.exe'(920)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3204)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Internet Download Manager\idmmkb.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\ACS.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\bmwebcfg.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Internet Download Manager\IEMonitor.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-12 13:38:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-12 20:38

Pre-Run: 10,475,917,312 bytes free
Post-Run: 10,758,602,752 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 933AAB77CB16C429975B4ABA68964DED

Edited by sherriec09, 12 April 2010 - 03:45 PM.
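The ComboFix log above prints the XP firewall policy under `Reg Loading Points` (the `AuthorizedApplications` and `GloballyOpenPorts` keys). The script below is an added example, not part of the thread or of ComboFix, that parses that REGEDIT4-style section and labels the inbound openings; the sample input is the firewall section copied from the log above, and the table of remote-administration ports (3389 for Remote Desktop and so on) is the example's own, not something the tool reports.

```python
"""Pull the Windows XP firewall policy out of a ComboFix 'Reg Loading Points'
dump and flag the inbound openings that deserve a second look.

ComboFix prints these keys in REGEDIT4 style: a bracketed key name, then one
"name"=value line per entry. GloballyOpenPorts values look like
port:proto:description; AuthorizedApplications entries carry an empty value.
"""
import re

# Sample input, copied from the ComboFix log above (post #5).
SAMPLE = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21433:TCP"= 21433:TCP:BitComet 21433 TCP
"21433:UDP"= 21433:UDP:BitComet 21433 UDP
"10086:TCP"= 10086:TCP:BitComet 10086 TCP
"10086:UDP"= 10086:UDP:BitComet 10086 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# Well-known remote-administration and file-sharing ports. Opening one of
# these in the standard profile makes the service reachable from any network
# the machine joins. This table is the example's own, not ComboFix output.
REMOTE_ADMIN_PORTS = {
    (23, "TCP"): "Telnet",
    (135, "TCP"): "MS-RPC endpoint mapper",
    (139, "TCP"): "NetBIOS session service",
    (445, "TCP"): "SMB",
    (3389, "TCP"): "Remote Desktop (RDP)",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')


def parse_sections(text):
    """Return {key_path: [(value_name, value_data), ...]} for a REGEDIT4 dump."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            sections[current] = []
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            sections[current].append((value.group("name"), value.group("value")))
    return sections


def firewall_findings(text):
    """One finding per open port or authorized application, with a risk label."""
    findings = []
    for key_path, entries in parse_sections(text).items():
        parts = key_path.split("\\")
        kind = parts[-2].lower() if len(parts) >= 2 else ""
        if kind == "globallyopenports":
            for _name, value in entries:
                fields = value.split(":", 2)
                if len(fields) != 3 or not fields[0].isdigit():
                    continue  # not a port entry; skip rather than guess
                port, proto, desc = int(fields[0]), fields[1].upper(), fields[2]
                service = REMOTE_ADMIN_PORTS.get((port, proto))
                findings.append({
                    "type": "open_port", "port": port, "proto": proto,
                    "description": desc,
                    "risk": "high" if service else "review",
                    "note": service or "application-specific port",
                })
        elif kind == "authorizedapplications":
            for name, _value in entries:
                # REGEDIT4 doubles backslashes inside quoted names; undo that.
                findings.append({
                    "type": "authorized_app", "path": name.replace("\\\\", "\\"),
                    "risk": "review", "note": "program may accept inbound connections",
                })
    return findings


def high_risk_ports(text):
    """(port, proto) pairs that hit the remote-administration table."""
    return [(f["port"], f["proto"]) for f in firewall_findings(text) if f["risk"] == "high"]


if __name__ == "__main__":
    for f in firewall_findings(SAMPLE):
        if f["type"] == "open_port":
            print(f"[{f['risk']:6}] {f['port']}/{f['proto']:3} {f['note']} ({f['description']})")
        else:
            print(f"[{f['risk']:6}] app {f['path']}: {f['note']}")
```

Run against the posted section it lists the four BitComet openings as application ports to review and singles out 3389/TCP as a high-risk entry; the `@xpsp2res.dll,-22009` description is kept verbatim, since it is a resource-string reference rather than a readable name.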


#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:09:52 AM

Posted 13 April 2010 - 07:48 AM

Hi,

Did you already run DeFogger to disable your CD Emulation drivers?

++++++++++++++++++

1. Go to Start > Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c mbr -t& start mbr.log
  • mbr.log will pop up, please post the contents in your reply.



2. Please run Malwarebytes Anti-Malware. Go to update tab and download all updates and then perform a full scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 sherriec09

sherriec09
  • Topic Starter

  • Members
  • 51 posts
  • Local time:06:52 PM

Posted 13 April 2010 - 11:57 AM

Yes, I ran Defogger first.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A982498]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a982498
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

Will edit and add the MBAM log. Running now.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3984

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/13/2010 11:56:13 AM
mbam-log-2010-04-13 (11-56-13).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|Z:\|)
Objects scanned: 229981
Time elapsed: 58 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mystery Case Files - Dire Grove Collector's Edition\Uninstall.exe (Malware.Packer.Krunchy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sherrie\Application Data\IDM\DwnlData\Sherrie\antimalware-pro_89\antimalware-pro.php (Rogue.Installer) -> Quarantined and deleted successfully.

Edited by sherriec09, 13 April 2010 - 02:03 PM.
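The `cmd /c mbr -t` step from the previous post produces the Gmer detector output shown above, and the line that matters in it is the hook that resolves to a bare address (`\Driver\atapi -> 0x8a982498`, echoed as `>>UNKNOWN [...]<<` in the `called modules` line) rather than to a named module. The script below is an added example, written for this thread and not part of Gmer's tool, that parses such a log, separates hooks whose owner was named from hooks that were not, and cross-checks the unresolved address against the UNKNOWN marker. The first sample is the log posted above; the second is a constructed contrast case in which every hook is attributed to a module.

```python
"""Triage the Gmer 'Stealth MBR rootkit' detector log posted above.

The detector walks the disk driver stack and, for each hook it finds, names
the module that owns the hooked address. A hook whose owner cannot be named
is printed as a bare address and echoed as >>UNKNOWN [addr]<< on the
'called modules' line; that is the condition behind the tool's warning.
"""
import re

# Sample input: the log as posted above (post #7).
POSTED_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A982498]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\atapi -> 0x8a982498
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
"""

# Constructed contrast case (not a real run): every hook resolves to a named
# module, so nothing is unresolved and the detector prints no warning line.
CLEAN_LOG = """\
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\Disk -> CLASSPNP.SYS @ 0xf765bf28
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
user & kernel MBR OK
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
RESOLVED_RE = re.compile(r"^(?P<module>\S+) @ (?P<addr>0x[0-9A-Fa-f]+)$")
BARE_ADDR_RE = re.compile(r"^0x[0-9A-Fa-f]+$")


def parse_hook(line):
    """Split 'target -> ... -> owner' into a dict, or None if not a hook line."""
    parts = [p.strip() for p in line.split(" -> ")]
    if len(parts) < 2:
        return None
    target, owner = parts[0], parts[-1]
    resolved = RESOLVED_RE.match(owner)
    if resolved:
        return {"target": target, "module": resolved.group("module"),
                "address": resolved.group("addr").lower(), "resolved": True}
    if BARE_ADDR_RE.match(owner):
        return {"target": target, "module": None,
                "address": owner.lower(), "resolved": False}
    return None


def triage(log):
    """Collect the hook list and say whether any hook has no named owner."""
    unknown_addrs = {a.lower() for a in UNKNOWN_RE.findall(log)}
    hooks, in_hooks = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "detected MBR rootkit hooks:":
            in_hooks = True
            continue
        if not in_hooks:
            continue
        hook = parse_hook(line)
        if hook is None:
            in_hooks = False  # first non-hook line ends the list
            continue
        hooks.append(hook)
    unresolved = [h for h in hooks if not h["resolved"]]
    return {
        "hooks": hooks,
        "unresolved": unresolved,
        # unresolved hooks whose address also appears in the UNKNOWN marker
        "corroborated": [h for h in unresolved if h["address"] in unknown_addrs],
        "tool_warning": "possible MBR rootkit infection" in log,
        "mbr_reads_ok": "user & kernel MBR OK" in log,
        "verdict": "suspect" if unresolved else "no unresolved hooks",
    }


if __name__ == "__main__":
    for label, log in (("posted", POSTED_LOG), ("constructed clean", CLEAN_LOG)):
        result = triage(label and log)
        print(f"{label}: {result['verdict']}; hooks={len(result['hooks'])}, "
              f"unresolved={[h['target'] for h in result['unresolved']]}, "
              f"tool warning={result['tool_warning']}, MBR reads OK={result['mbr_reads_ok']}")
```

On the posted log the result is `suspect` with one unresolved hook on `\Driver\atapi` at `0x8a982498`, matching the address in the UNKNOWN marker, while the tool still reports both MBR reads as OK; the verdict therefore rests on the unattributed driver hook, which is exactly what the tool's own warning line is keyed to.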


#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:09:52 AM

Posted 13 April 2010 - 05:37 PM

Let's use the OTLPE CD that we used on your other PC (desktop).


Using a clean computer, open Notepad, copy and paste the entire contents of the coded text below, and save it to your flash/removable drive. Do not include the word "Code"
CODE
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav


Next, boot your infected computer again using the OTLPE CD, then insert your flash/removable drive.
  1. Please reopen on your desktop (currently booted using OTLPE CD).
  2. Copy and Paste the contents of the notepad that you saved in your flash/removable drive into the textbox. Do not include the word "Code"
  3. Push
  4. A report will open. Copy and Paste that report in your next reply.

~Semp



#9 sherriec09

sherriec09
  • Topic Starter

  • Members
  • 51 posts
  • Local time:06:52 PM

Posted 13 April 2010 - 09:27 PM

OTL logfile created on: 4/13/2010 8:10:31 PM - Run
OTLPE by OldTimer - Version 3.1.37.1 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 86.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 30.00 Gb Total Space | 9.68 Gb Free Space | 32.26% Space Free | Partition Type: NTFS
Drive D: | 7.45 Gb Total Space | 3.63 Gb Free Space | 48.68% Space Free | Partition Type: FAT32
Drive E: | 63.16 Gb Total Space | 38.65 Gb Free Space | 61.20% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 276.80 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- -- (RoxLiveShare9)
SRV - File not found [On_Demand] -- -- (MSSQLServerADHelper)
SRV - File not found [Disabled] -- -- (DSClSvc)
SRV - [2009/10/07 13:21:14 | 000,020,680 | ---- | M] (ESET) [On_Demand] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/10/07 13:16:50 | 000,472,280 | ---- | M] (ESET) [Auto] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2007/11/21 18:22:55 | 000,000,460 | ---- | M] () [Disabled] -- C:\WINDOWS\DSHOST.INI -- (DSHost)
SRV - [2007/02/10 00:39:08 | 000,407,072 | ---- | M] (Acronis) [Auto] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2006/01/25 14:17:04 | 000,135,168 | ---- | M] (Sprint Spectrum, L.L.C) [Disabled] -- C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe -- (Sprint PCS v3 Utility Service)
SRV - [2005/01/20 17:48:38 | 000,118,784 | ---- | M] (Bytemobile, Inc.) [Auto] -- C:\WINDOWS\System32\bmwebcfg.exe -- (bmwebcfg)
SRV - [2004/12/22 20:50:04 | 000,036,864 | ---- | M] () [Auto] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2004/10/15 15:24:48 | 000,360,521 | ---- | M] (Intel Corporation ) [Auto] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor)
SRV - [2004/10/15 15:22:14 | 000,086,016 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng)
SRV - [2004/10/15 15:21:38 | 000,139,264 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc)
SRV - [2004/08/28 04:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Auto] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (VNUSB)
DRV - File not found [Kernel | On_Demand] -- -- (RimUsb)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- -- (catchme)
DRV - File not found [Kernel | On_Demand] -- -- (aksusb)
DRV - File not found [Kernel | On_Demand] -- -- (akshasp)
DRV - [2010/04/04 00:47:05 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/10/07 13:18:36 | 000,035,168 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2009/10/07 13:12:22 | 000,054,184 | ---- | M] (ESET) [Kernel | System] -- C:\WINDOWS\system32\drivers\easdrv.sys -- (easdrv)
DRV - [2009/10/07 13:11:10 | 000,040,824 | ---- | M] (ESET) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2008/01/05 00:34:36 | 000,023,920 | ---- | M] (Webroot Software Inc (www.webroot.com)) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sskbfd.sys -- (SSKBFD)
DRV - [2007/12/15 17:50:14 | 000,392,320 | ---- | M] (Acronis) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\timntr.sys -- (timounter)
DRV - [2007/12/15 17:50:14 | 000,032,768 | ---- | M] (Acronis) [File_System | Auto] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2007/12/15 17:50:05 | 000,114,048 | ---- | M] (Acronis) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\snapman.sys -- (snapman)
DRV - [2007/11/13 12:28:52 | 000,047,616 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\Haspnt.sys -- (Haspnt)
DRV - [2007/03/04 17:20:47 | 000,094,080 | ---- | M] (VSO Software) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ezplay.sys -- (ezplay)
DRV - [2007/01/15 20:18:30 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2006/07/18 16:40:40 | 000,099,840 | ---- | M] (Mars Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mr97310v.sys -- (MR97310_VGA_DUAL_CAMERA)
DRV - [2005/11/27 19:48:46 | 000,015,890 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
DRV - [2005/06/02 07:33:00 | 000,102,384 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [File_System | System] -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf)
DRV - [2005/05/31 09:33:00 | 000,100,605 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2005/05/31 09:33:00 | 000,098,716 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2005/05/31 09:33:00 | 000,086,876 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2005/05/31 09:33:00 | 000,034,845 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2005/05/31 09:33:00 | 000,025,725 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2005/05/31 09:33:00 | 000,015,069 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2005/05/31 09:33:00 | 000,006,365 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2005/05/31 09:33:00 | 000,004,125 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2005/05/31 09:33:00 | 000,002,241 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2005/05/13 14:37:28 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2005/05/13 14:37:20 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2005/04/28 20:26:48 | 000,037,248 | ---- | M] (ENE Technology Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ESD7SK.sys -- (ESDCR)
DRV - [2005/04/27 14:53:06 | 000,074,112 | ---- | M] (ENE Technology Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ESM7SK.sys -- (ESMCR)
DRV - [2005/04/22 07:22:00 | 000,088,352 | ---- | M] (Sonic Solutions) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2005/04/21 06:56:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2005/04/19 14:40:52 | 002,317,504 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/04/15 17:46:04 | 000,029,056 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Tvs.sys -- (Tvs)
DRV - [2005/04/12 20:19:42 | 001,066,278 | ---- | M] (Agere Systems) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/03/09 13:14:34 | 000,008,704 | ---- | M] (TOSHIBA ) [Kernel | System] -- C:\WINDOWS\system32\drivers\TPwSav.sys -- (TPwSav)
DRV - [2005/03/04 15:10:26 | 000,074,496 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2005/01/13 14:04:18 | 000,057,984 | ---- | M] (ENE Technology Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\EMS7SK.sys -- (EMSCR)
DRV - [2004/10/29 22:48:10 | 003,222,784 | ---- | M] (Intel® Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2004/10/15 15:20:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/08/12 12:44:04 | 000,234,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\iwca.sys -- (IWCA)
DRV - [2004/08/04 02:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/07/31 11:05:04 | 000,006,400 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | System] -- C:\WINDOWS\system32\drivers\EPIOMngr.sys -- (SerTVOutCtlr)
DRV - [2004/05/09 00:38:06 | 000,101,833 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2003/09/29 14:01:52 | 000,016,000 | ---- | M] (Tapwave, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\TwUSBD.sys -- (TwUSBD)
DRV - [2003/06/11 12:53:22 | 000,006,867 | ---- | M] () [Kernel | Auto] -- C:\WINDOWS\system32\drivers\tbiosdrv.sys -- (TBiosDrv)
DRV - [2003/03/12 23:38:24 | 000,099,168 | ---- | M] ( ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\st3tiger.sys -- (st3tiger)
DRV - [2003/03/12 23:37:56 | 000,008,640 | ---- | M] ( ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\st3tgbus.sys -- (st3tgbus)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator.KINNIKUMOBILE_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\LocalService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Sherrie_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/24 16:37:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/11 01:08:48 | 000,000,000 | ---D | M]

[2010/02/25 22:39:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.KINNIKUMOBILE\Application Data\Mozilla\Extensions
[2010/02/25 22:40:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.KINNIKUMOBILE\Application Data\Mozilla\Firefox\Profiles\eq6wf59e.default\extensions
[2010/02/25 22:40:51 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator.KINNIKUMOBILE\Application Data\Mozilla\Firefox\Profiles\eq6wf59e.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/12 05:07:08 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/01/23 01:48:42 | 000,491,520 | ---- | M] (BitComet) -- C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll
[2007/10/08 14:37:00 | 000,245,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\unicows.dll

O1 HOSTS File: ([2010/04/12 16:31:41 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (IDMIEHlprObj Class) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (Tonec Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll File not found
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKU\Administrator.KINNIKUMOBILE_ON_C..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe (-)
O4 - HKU\Sherrie_ON_C..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe (Tonec Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Administrator.KINNIKUMOBILE_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Sherrie_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\Sherrie_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Sherrie_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab (StagingUI Object)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/3/9...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab (ZoneBuddy Class)
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} http://www.xblock.com/download/xclean_micro.exe (Reg Error: Key error.)
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab (ZonePAChat Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} http://zone.msn.com/bingame/zpagames/zpa_txhe.cab45837.cab (ZPA_TexasHoldem Object)
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab (Reg Error: Value error.)
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab (IWinAmpActiveX Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab (ZoneIntro Class)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Reg Error: Key error.)
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} http://zone.msn.com/binframework/v10/StProxy.cab41227.cab (StadiumProxy Class)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\IntelWireless: DllName - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O30 - LSA: Security Packages - (uthentication Packages settings) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/13 12:33:25 | 000,000,024 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/04/04 01:37:36 | 000,000,000 | R--D | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/04/03 22:37:38 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2010/04/04 01:37:37 | 000,000,000 | R--D | M] - E:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/11/28 06:52:27 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/04/12 16:14:53 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/12 15:40:15 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/12 15:40:15 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/12 15:40:15 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/12 15:40:15 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/12 15:40:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/12 15:39:51 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/11 16:47:12 | 005,918,776 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Sherrie\Desktop\mbam-setup-1.45.exe
[2010/04/11 15:14:38 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/04/11 01:08:57 | 000,000,000 | ---D | C] -- C:\Program Files\Sun
[2010/04/11 01:08:48 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/04/11 01:08:48 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/11 01:08:48 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/11 01:08:47 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/11 01:08:47 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/11 01:06:35 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/04/11 01:05:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Application Data\Sun
[2010/04/10 20:34:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\My Documents\keshi pics lrg member
[2010/04/09 02:57:34 | 000,000,000 | ---D | C] -- C:\Temp
[2010/04/09 02:53:23 | 000,335,872 | ---- | C] (Viscom Software www.viscomsoft.com) -- C:\WINDOWS\System32\dvdauthor.ocx
[2010/04/09 02:53:23 | 000,233,472 | ---- | C] (Viscom Software www.viscomsoft.com) -- C:\WINDOWS\System32\viscomdvdimg.dll
[2010/04/09 02:53:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\rmdll
[2010/04/09 02:53:22 | 002,078,952 | ---- | C] (Rocket Division Software) -- C:\WINDOWS\System32\starburnx.dll
[2010/04/09 02:53:22 | 001,470,464 | ---- | C] (Viscom Software www.viscomsoft.com) -- C:\WINDOWS\System32\viscommpgenc.dll
[2010/04/09 02:53:22 | 000,888,832 | ---- | C] (Viscom Software www.viscomsoft.com) -- C:\WINDOWS\System32\viscomflvdec.dll
[2010/04/09 02:53:22 | 000,376,832 | ---- | C] (Viscom Software www.viscomsoft.com) -- C:\WINDOWS\System32\viscomsplitter.dll
[2010/04/09 02:53:22 | 000,339,968 | ---- | C] (Viscom Software www.viscomsoft.com) -- C:\WINDOWS\System32\viscomqtde.dll
[2010/04/09 02:53:22 | 000,143,360 | ---- | C] (Viscom Software www.viscomsoft.com) -- C:\WINDOWS\System32\viscomqtenc.dll
[2010/04/09 02:53:22 | 000,135,168 | ---- | C] (Viscom Software www.viscomsoft.com) -- C:\WINDOWS\System32\viscomrmencoder.dll
[2010/04/09 02:53:22 | 000,086,016 | ---- | C] (Viscom Software www.viscomsoft.com) -- C:\WINDOWS\System32\viscomframe.dll
[2010/04/09 02:53:22 | 000,081,920 | ---- | C] (Viscom Software) -- C:\WINDOWS\System32\viscomwave.dll
[2010/04/09 02:53:21 | 000,110,592 | ---- | C] (Viscom Software) -- C:\WINDOWS\System32\viscomaudioencoder.dll
[2010/04/09 02:53:21 | 000,098,304 | ---- | C] (Viscom Software) -- C:\WINDOWS\System32\viscomaudiodata.dll
[2010/04/09 02:53:19 | 000,344,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr70.dll
[2010/04/09 02:53:19 | 000,266,240 | ---- | C] (Viscom Software www.viscomsoft.com) -- C:\WINDOWS\System32\VideoEdit.ocx
[2010/04/09 02:53:19 | 000,089,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\VB5DB.DLL
[2010/04/09 02:53:16 | 000,000,000 | ---D | C] -- C:\Program Files\Cheetah Burner
[2010/04/09 02:51:18 | 019,748,544 | ---- | C] (Cheetah Websites Corporation) -- C:\Documents and Settings\Sherrie\Desktop\CheetahDVDBurner.exe
[2010/04/08 18:20:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Desktop\Keyfinder.2.0.1
[2010/04/07 19:25:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Application Data\Silverback Productions
[2010/04/07 19:23:17 | 000,000,000 | ---D | C] -- C:\Program Files\Empress of the Deep
[2010/04/07 01:17:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Local Settings\Application Data\Game Mill Files
[2010/04/06 00:28:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Application Data\Real
[2010/04/05 03:14:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Application Data\Playrix Entertainment
[2010/04/05 03:13:30 | 000,000,000 | ---D | C] -- C:\Program Files\Fishdom
[2010/04/05 00:40:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Application Data\Absolutist
[2010/04/05 00:37:40 | 000,000,000 | ---D | C] -- C:\Program Files\Green Moon
[2010/04/04 01:37:36 | 000,000,000 | R--D | C] -- C:\autorun.inf
[2010/04/04 00:46:33 | 000,000,000 | ---D | C] -- C:\Program Files\LSoft Technologies
[2010/04/03 01:27:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Application Data\Big Fish Games
[2010/04/03 01:25:37 | 000,000,000 | ---D | C] -- C:\Program Files\Mystery Case Files - Dire Grove Collector's Edition
[2010/04/02 01:53:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Application Data\Virtual Prophecy
[2010/04/02 01:50:32 | 000,000,000 | ---D | C] -- C:\Program Files\Mishap An Accidental Haunting
[2010/04/02 00:20:40 | 000,000,000 | ---D | C] -- C:\Program Files\Edens Quest
[2010/04/01 03:47:45 | 000,000,000 | ---D | C] -- C:\Program Files\Mah Jong Quest
[2010/04/01 01:16:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Application Data\Artifex Mundi
[2010/04/01 01:14:56 | 000,000,000 | ---D | C] -- C:\Program Files\Joan Jade and the Gates of Xibalba
[2010/03/25 16:32:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Local Settings\Application Data\Yahoo!
[2010/03/19 09:27:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/03/18 20:22:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Local Settings\Application Data\Temp
[2010/03/18 20:13:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Application Data\DivX
[2010/03/18 20:13:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Sherrie\My Documents\My Videos
[2010/03/18 20:13:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\My Documents\DivX Movies
[2010/03/18 20:12:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DivX Shared
[2010/03/18 20:05:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/03/18 20:05:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Local Settings\Application Data\Google
[2010/03/18 20:05:27 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2010/03/17 00:20:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\Application Data\Freezetag
[2010/03/16 23:28:37 | 000,413,696 | ---- | C] (Creative Labs) -- C:\WINDOWS\System32\wrap_oal.dll
[2010/03/16 23:28:37 | 000,110,592 | ---- | C] (Portions © Creative Labs Inc. and NVIDIA Corp.) -- C:\WINDOWS\System32\OpenAL32.dll
[2010/03/16 23:28:37 | 000,000,000 | ---D | C] -- C:\Program Files\OpenAL
[2010/03/16 23:28:31 | 004,178,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_41.dll
[2010/03/16 23:28:28 | 000,081,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_3.dll
[2010/03/16 23:28:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2010/03/16 20:07:44 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Sherrie\PrivacIE
[2010/03/16 20:02:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sherrie\My Documents\Turbo Lister
[2006/01/03 14:09:28 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\Implode.dll
[2003/03/12 23:38:24 | 000,099,168 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\st3tiger.sys
[2003/03/12 23:37:56 | 000,008,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\st3tgbus.sys
[2003/03/12 23:37:42 | 000,054,784 | ---- | C] ( ) -- C:\WINDOWS\daemon.dll
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[479 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[12 C:\WINDOWS\Fonts\*.tmp files -> C:\WINDOWS\Fonts\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/13 21:58:54 | 000,262,144 | ---- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/04/13 21:58:54 | 000,262,144 | ---- | M] () -- C:\Documents and Settings\LocalService\ntuser.dat
[2010/04/13 21:58:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/13 21:58:33 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/13 21:58:31 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Sherrie\ntuser.ini
[2010/04/13 21:58:30 | 005,505,024 | -H-- | M] () -- C:\Documents and Settings\Sherrie\NTUSER.DAT
[2010/04/13 21:57:39 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/13 21:57:03 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{155386EF-2B6D-4A4F-B31D-811CD07EED1F}.job
[2010/04/13 14:56:41 | 001,637,658 | -H-- | M] () -- C:\Documents and Settings\Sherrie\Local Settings\Application Data\IconCache.db
[2010/04/12 16:32:08 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/12 16:31:41 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/12 16:14:59 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/12 15:37:11 | 003,912,873 | R--- | M] () -- C:\Documents and Settings\Sherrie\Desktop\ComboFix.exe
[2010/04/12 15:36:53 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\rkill.com
[2010/04/12 06:00:00 | 000,000,264 | ---- | M] () -- C:\WINDOWS\tasks\defrag.job
[2010/04/11 16:48:11 | 005,918,776 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Sherrie\Desktop\mbam-setup-1.45.exe
[2010/04/11 15:15:11 | 003,145,728 | -H-- | M] () -- C:\Documents and Settings\Administrator.KINNIKUMOBILE\ntuser.dat
[2010/04/11 01:47:03 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\Sherrie\defogger_reenable
[2010/04/11 01:42:50 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\gmer.zip
[2010/04/11 01:41:12 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\dds.scr
[2010/04/11 01:39:48 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\Defogger.exe
[2010/04/11 01:08:30 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/11 01:08:30 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/11 01:08:29 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/11 01:08:29 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/11 01:08:28 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/04/11 01:02:09 | 080,394,008 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\jdk-6u19-windows-i586.exe
[2010/04/09 02:51:50 | 019,748,544 | ---- | M] (Cheetah Websites Corporation) -- C:\Documents and Settings\Sherrie\Desktop\CheetahDVDBurner.exe
[2010/04/08 18:19:24 | 000,337,932 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\keyfinder.2.0.1.rar
[2010/04/07 19:24:08 | 000,000,845 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\Empress of the Deep.lnk
[2010/04/05 03:14:01 | 000,000,677 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\Fishdom.lnk
[2010/04/04 05:50:03 | 000,000,416 | ---- | M] () -- C:\Documents and Settings\Sherrie\My Documents\spider.sav
[2010/04/04 02:17:19 | 000,000,375 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics
[2010/04/04 01:42:02 | 000,000,771 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/04 01:42:02 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/04/04 01:35:41 | 000,132,597 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\Flash_Disinfector.exe
[2010/04/04 00:52:29 | 000,000,753 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\Active@ ISO Burner.lnk
[2010/04/04 00:47:05 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) -- C:\WINDOWS\System32\drivers\sptd.sys
[2010/04/03 01:27:39 | 000,000,970 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\Shortcut to MCF6.lnk
[2010/04/03 01:26:24 | 000,000,970 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\Mystery Case Files - Dire Grove Collector's Edition.lnk
[2010/04/02 01:53:12 | 000,004,096 | ---- | M] () -- C:\WINDOWS\d3dx.dat
[2010/04/02 00:49:04 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Sherrie\My Documents\Eset Sieuchin13579.doc
[2010/04/01 03:48:00 | 000,000,541 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\Mah Jong Quest.lnk
[2010/03/30 03:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 03:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/18 20:13:58 | 000,001,486 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\DivX Movies.lnk
[2010/03/18 19:54:36 | 000,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/18 19:54:35 | 000,006,656 | ---- | M] () -- C:\Documents and Settings\Sherrie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/18 15:04:16 | 000,021,329 | ---- | M] () -- C:\Documents and Settings\Sherrie\My Documents\Dunnigan FPD.pdf
[2010/03/16 23:28:37 | 000,413,696 | ---- | M] (Creative Labs) -- C:\WINDOWS\System32\wrap_oal.dll
[2010/03/16 23:28:37 | 000,110,592 | ---- | M] (Portions © Creative Labs Inc. and NVIDIA Corp.) -- C:\WINDOWS\System32\OpenAL32.dll
[2010/03/15 21:12:34 | 000,001,497 | ---- | M] () -- C:\Documents and Settings\Sherrie\Desktop\Calculator.lnk
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[479 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/12 16:14:59 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/04/12 16:14:56 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/12 15:40:15 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/12 15:40:15 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/12 15:40:15 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/12 15:40:15 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/12 15:40:15 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/12 15:37:04 | 003,912,873 | R--- | C] () -- C:\Documents and Settings\Sherrie\Desktop\ComboFix.exe
[2010/04/12 15:36:52 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\rkill.com
[2010/04/11 01:58:13 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\gmer.exe
[2010/04/11 01:46:49 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\Sherrie\defogger_reenable
[2010/04/11 01:42:47 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\gmer.zip
[2010/04/11 01:40:40 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\dds.scr
[2010/04/11 01:39:48 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\Defogger.exe
[2010/04/11 00:59:03 | 080,394,008 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\jdk-6u19-windows-i586.exe
[2010/04/09 02:53:23 | 000,054,612 | ---- | C] () -- C:\WINDOWS\System32\starburnx.tlb
[2010/04/09 02:53:22 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\viscomgifenc.dll
[2010/04/09 02:53:22 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\viscomtran.dll
[2010/04/09 02:53:21 | 006,963,712 | ---- | C] () -- C:\WINDOWS\System32\videotrans.dll
[2010/04/09 02:53:20 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2010/04/08 18:19:23 | 000,337,932 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\keyfinder.2.0.1.rar
[2010/04/07 19:24:08 | 000,000,845 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\Empress of the Deep.lnk
[2010/04/05 03:14:01 | 000,000,677 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\Fishdom.lnk
[2010/04/04 20:33:58 | 000,866,466 | ---- | C] () -- C:\Documents and Settings\Sherrie\My Documents\PICT0126.JPG
[2010/04/04 20:33:58 | 000,810,686 | ---- | C] () -- C:\Documents and Settings\Sherrie\My Documents\PICT0125.JPG
[2010/04/04 20:33:58 | 000,752,183 | ---- | C] () -- C:\Documents and Settings\Sherrie\My Documents\PICT0004.JPG
[2010/04/04 05:50:03 | 000,000,416 | ---- | C] () -- C:\Documents and Settings\Sherrie\My Documents\spider.sav
[2010/04/04 01:35:39 | 000,132,597 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\Flash_Disinfector.exe
[2010/04/04 00:52:29 | 000,000,753 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\Active@ ISO Burner.lnk
[2010/04/03 01:27:39 | 000,000,970 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\Shortcut to MCF6.lnk
[2010/04/03 01:26:24 | 000,000,970 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\Mystery Case Files - Dire Grove Collector's Edition.lnk
[2010/04/02 01:53:12 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat
[2010/04/02 00:49:03 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Sherrie\My Documents\Eset Sieuchin13579.doc
[2010/04/01 03:48:00 | 000,000,541 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\Mah Jong Quest.lnk
[2010/03/28 18:58:00 | 000,834,903 | ---- | C] () -- C:\Documents and Settings\Sherrie\My Documents\PICT0082.JPG
[2010/03/28 18:58:00 | 000,813,628 | ---- | C] () -- C:\Documents and Settings\Sherrie\My Documents\PICT0081.JPG
[2010/03/28 18:58:00 | 000,790,981 | ---- | C] () -- C:\Documents and Settings\Sherrie\My Documents\PICT0083.JPG
[2010/03/18 20:13:58 | 000,001,486 | ---- | C] () -- C:\Documents and Settings\Sherrie\Desktop\DivX Movies.lnk
[2010/03/18 19:54:18 | 000,006,656 | ---- | C] () -- C:\Documents and Settings\Sherrie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/18 15:05:42 | 000,021,329 | ---- | C] () -- C:\Documents and Settings\Sherrie\My Documents\Dunnigan FPD.pdf
[2010/03/12 21:01:16 | 000,001,300 | ---- | C] () -- C:\WINDOWS\System32\cool.dll
[2009/05/09 18:56:03 | 000,215,144 | R--- | C] () -- C:\WINDOWS\pw32a.dll
[2008/11/28 21:29:33 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2008/09/15 20:14:24 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/09/15 20:12:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/08/05 02:07:20 | 000,065,216 | ---- | C] () -- C:\WINDOWS\System32\PDFreDirectMonNT.dll
[2008/03/08 02:39:38 | 000,040,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\Usbkey.sys
[2008/03/08 02:39:34 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\NWKL2_32.DLL
[2008/03/08 02:39:34 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\KL2DLL32.DLL
[2008/03/08 02:39:34 | 000,012,480 | ---- | C] () -- C:\WINDOWS\System32\KL2N.DLL
[2008/03/08 02:39:34 | 000,008,968 | ---- | C] () -- C:\WINDOWS\System32\KL2DLL.DLL
[2008/03/08 02:39:34 | 000,007,440 | ---- | C] () -- C:\WINDOWS\System32\ppmon.dll
[2007/12/21 11:21:56 | 000,035,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\epfwtdir.sys
[2007/11/13 14:31:30 | 000,004,708 | ---- | C] () -- C:\WINDOWS\pixcache.ini
[2007/11/13 12:29:58 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\w048t32w.dll
[2007/11/13 12:29:58 | 000,138,240 | ---- | C] () -- C:\WINDOWS\System32\w043t32w.dll
[2007/11/13 12:29:58 | 000,128,000 | ---- | C] () -- C:\WINDOWS\System32\w046t32w.dll
[2007/11/13 12:29:58 | 000,097,280 | ---- | C] () -- C:\WINDOWS\System32\w801t32w.dll
[2007/11/13 12:29:58 | 000,084,480 | ---- | C] () -- C:\WINDOWS\System32\w770t32w.dll
[2007/11/13 12:29:57 | 000,240,128 | ---- | C] () -- C:\WINDOWS\System32\g610t32w.dll
[2007/11/13 12:29:57 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\g615t32w.dll
[2007/11/13 12:29:57 | 000,223,232 | ---- | C] () -- C:\WINDOWS\System32\w042t32w.dll
[2007/11/13 12:29:57 | 000,218,624 | ---- | C] () -- C:\WINDOWS\System32\w019t32w.dll
[2007/11/13 12:29:57 | 000,185,856 | ---- | C] () -- C:\WINDOWS\System32\w007t32w.dll
[2007/11/13 12:29:57 | 000,169,472 | ---- | C] () -- C:\WINDOWS\System32\w037t32w.dll
[2007/11/13 12:29:57 | 000,164,864 | ---- | C] () -- C:\WINDOWS\System32\w033t32w.dll
[2007/11/13 12:29:57 | 000,107,520 | ---- | C] () -- C:\WINDOWS\System32\w001t32w.dll
[2007/11/13 12:29:57 | 000,105,984 | ---- | C] () -- C:\WINDOWS\System32\w010t32w.dll
[2007/11/13 12:29:57 | 000,105,984 | ---- | C] () -- C:\WINDOWS\System32\w008t32w.dll
[2007/11/13 12:29:57 | 000,101,888 | ---- | C] () -- C:\WINDOWS\System32\w015t32w.dll
[2007/11/13 12:29:57 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\w040t32w.dll
[2007/11/13 12:29:57 | 000,091,648 | ---- | C] () -- C:\WINDOWS\System32\g610f32w.dll
[2007/11/13 12:29:57 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\w006t32w.dll
[2007/11/13 12:29:56 | 000,254,464 | ---- | C] () -- C:\WINDOWS\System32\g521t32w.dll
[2007/11/13 12:29:56 | 000,236,544 | ---- | C] () -- C:\WINDOWS\System32\g606t32w.dll
[2007/11/13 12:29:56 | 000,123,904 | ---- | C] () -- C:\WINDOWS\System32\g521f32w.dll
[2007/11/13 12:29:56 | 000,105,984 | ---- | C] () -- C:\WINDOWS\System32\g502f32w.dll
[2007/11/13 12:29:53 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\binder.dll
[2007/11/13 12:29:30 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\dwsvclnt.dll
[2007/11/13 12:28:53 | 000,000,383 | ---- | C] () -- C:\WINDOWS\System32\haspdos.sys
[2007/11/13 12:25:09 | 000,000,460 | ---- | C] () -- C:\WINDOWS\DSHOST.INI
[2007/11/13 12:25:03 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\wisemsg.dll
[2007/07/10 21:48:50 | 000,000,054 | ---- | C] () -- C:\WINDOWS\marscam.ini
[2007/05/17 21:56:08 | 000,114,688 | R--- | C] () -- C:\WINDOWS\System32\VSHP2600.DLL
[2007/05/17 21:56:00 | 011,194,368 | R--- | C] () -- C:\WINDOWS\System32\ZHHP_RES.DLL
[2007/05/17 21:55:59 | 000,749,568 | R--- | C] () -- C:\WINDOWS\System32\AGISSI.DLL
[2007/04/01 17:38:56 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2007/03/10 15:27:47 | 000,000,066 | ---- | C] () -- C:\WINDOWS\ESPR200.ini
[2007/02/24 00:23:49 | 000,034,048 | ---- | C] () -- C:\WINDOWS\System32\drivers\WOWXT_kern_i386.sys
[2007/02/24 00:23:49 | 000,029,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSXT_kern_i386.sys
[2007/02/24 00:12:48 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2007/02/15 01:24:49 | 000,000,142 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2007/02/15 01:24:38 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2006/11/13 01:53:58 | 000,000,019 | ---- | C] () -- C:\WINDOWS\SoundConverter.INI
[2006/11/01 02:54:30 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2006/11/01 02:52:38 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2006/09/26 11:59:14 | 000,307,200 | ---- | C] () -- C:\WINDOWS\System32\snmpv3pp.dll
[2006/09/26 11:59:14 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\SC3PRCFG.DLL
[2006/09/26 11:59:11 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\GLCFG.DLL
[2006/07/15 23:28:07 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/05/26 09:29:14 | 000,005,120 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2006/04/22 15:15:24 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\eSTsnmp.dll
[2006/04/03 08:26:36 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2006/01/26 19:02:53 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\Snmp_pp.dll
[2006/01/03 14:09:31 | 000,078,922 | ---- | C] () -- C:\WINDOWS\crtslv.dll
[2006/01/03 14:09:28 | 000,100,352 | ---- | C] () -- C:\WINDOWS\System32\pg32conv.dll
[2005/12/08 23:06:55 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/12/08 20:38:33 | 000,000,058 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2005/12/04 19:20:48 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\Administrator.KINNIKUMOBILE\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/11/29 10:20:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2005/11/28 20:10:52 | 000,373,248 | ---- | C] () -- C:\WINDOWS\EyeCand3.INI
[2005/11/27 20:37:06 | 000,000,856 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/11/27 20:23:01 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2005/11/27 20:23:01 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2005/11/27 20:23:01 | 000,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2005/11/27 20:23:01 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2005/11/27 20:20:36 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\EBLib.DLL
[2005/11/27 20:09:09 | 000,006,867 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2005/11/27 20:00:05 | 000,000,218 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2005/11/27 19:52:20 | 000,356,352 | ---- | C] () -- C:\WINDOWS\EMCRI.dll
[2005/11/27 19:50:58 | 000,000,244 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/07/14 10:22:22 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/07/11 09:58:38 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\wmatime.dll
[2005/04/20 19:59:06 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
[2004/08/12 12:44:10 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\iwca.dll
[2004/06/10 11:01:12 | 000,160,016 | ---- | C] () -- C:\WINDOWS\System32\awmpi.dll
[2003/05/15 02:39:50 | 000,155,136 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2003/01/07 19:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/05/15 00:58:38 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\v2k2_dec.dll

========== LOP Check ==========

[2006/02/03 03:18:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Bytemobile
[2007/04/01 17:38:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\pdf995
[2010/04/05 00:40:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Absolutist
[2010/04/01 01:16:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Artifex Mundi
[2010/04/03 01:27:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Big Fish Games
[2010/03/02 03:45:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\calibre
[2010/04/13 12:46:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\DMCache
[2010/03/07 19:29:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Dragon Altar Games
[2010/03/04 03:45:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\EA
[2010/03/17 00:20:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Freezetag
[2010/03/13 20:13:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\IDM
[2010/04/05 03:14:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Playrix Entertainment
[2010/04/07 19:25:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Silverback Productions
[2010/03/07 19:36:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\TitanicMystery
[2010/04/02 01:53:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sherrie\Application Data\Virtual Prophecy
[2010/04/12 06:00:00 | 000,000,264 | ---- | M] () -- C:\WINDOWS\Tasks\defrag.job
[2010/04/13 21:57:03 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{155386EF-2B6D-4A4F-B31D-811CD07EED1F}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 05:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/14 09:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/08/04 05:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/04/14 09:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/11/03 20:36:01 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sp3.cab:AGP440.sys
[2008/04/14 04:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/14 04:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys
[2008/04/14 04:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 03:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2003/03/31 08:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2004/08/04 05:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/14 09:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/04 05:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/04/14 09:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/11/03 20:36:01 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sp3.cab:atapi.sys
[2008/04/14 04:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/14 04:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2008/04/14 04:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 04:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 02:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 02:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 09:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 09:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[2008/04/14 09:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 04:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 09:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 09:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[2008/04/14 09:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 04:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 04:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 09:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 09:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll
[2008/04/14 09:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< CREATERESTOREPOINT >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/06/20 13:46:57 | 000,147,968 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dnsapi.dll
[2010/02/25 14:54:36 | 011,070,976 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\ieframe.dll
[2010/02/25 02:24:35 | 001,985,536 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iertutil.dll
[2008/04/14 09:42:02 | 000,274,944 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\mstask.dll
[2008/04/14 09:42:04 | 000,067,072 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\ntdsapi.dll
[2008/06/17 15:02:19 | 008,461,312 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\shell32.dll
[479 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2005/11/27 10:04:44 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2005/11/27 10:04:44 | 000,626,688 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/11/27 10:04:44 | 000,421,888 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >


#10 sempai (noypi)
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 14 April 2010 - 05:06 AM

Using a clean computer, open a notepad and copy-paste the entire contents of the coded text below and save it in your flash/removable drive. Do not include the word "Code"
CODE
:files
C:\WINDOWS\system32\drivers\atapi.sys|C:\WINDOWS\ServicePackFiles\i386\atapi.sys /replace

:Commands
[Reboot]



Next, boot your infected computer again using OTLPE CD then insert your flash/removable drive.
  1. Please reopen on your desktop (currently booted using OTLPE CD).
  2. Copy and Paste the contents of the notepad that you saved in your flash/removable drive into the textbox. Do not include the word "Code"
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.

Let the PC reboot using OTLPE CD and get the report located at C:\_OTL\MovedFiles
Then remove the CD and reboot in normal Windows.
After the computer has restarted, wait for about 5 minutes and do the following:

Go to Start > Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c mbr -t& start mbr.log
  • mbr.log will pop up, please post the contents in your reply.



~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I haven't replied within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)


#11 sherriec09
  • Topic Starter
  • Members
  • 51 posts

Posted 14 April 2010 - 02:12 PM

Sempai,
I have saved the OTL log twice to my flash drive, but I can't find it when I reboot in Windows and search the flash drive. I have tried twice, booting up to OTL and saving it to the flash drive, and it pops up asking me if I want to overwrite the existing file; I clicked yes, but it still can't find it when I boot to Windows. It did say that the fix was completed successfully though.
Okay, this is weird. I went through my computer to the flash drive this time and it was there! It just wouldn't show up when I tried to pull it with Notepad.... Here it is:

========== FILES ==========
File C:\WINDOWS\system32\drivers\atapi.sys successfully replaced with C:\WINDOWS\ServicePackFiles\i386\atapi.sys
========== COMMANDS ==========

OTLPE by OldTimer - Version 3.1.37.1 log created on 04142010_134724
-------------


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AA7E530]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8aa7e530
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

Edited by sherriec09, 14 April 2010 - 02:49 PM.


#12 sempai (noypi)
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 14 April 2010 - 05:35 PM

Download and run HAMeb_check.exe. Post the contents of the resulting log when you reply.

~Semp



#13 sherriec09
  • Topic Starter
  • Members
  • 51 posts

Posted 14 April 2010 - 08:16 PM

ECHO is off.
Wed 04/14/2010 at 18:15:23.13

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89F17C78]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x89f17c78
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~
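As an added example that is not part of the thread (nor code from OTL or mbr.exe themselves), the Python below reads the two log formats posted above: the OTL "< MD5 for: NAME >" sections, to flag a loaded system32 copy whose MD5 differs from the ServicePackFiles\i386 or dllcache copy, which is the comparison behind the helper's atapi.sys replacement, and the Gmer mbr.exe output, to pull out the "\Driver\... -> address" hook lines. Function names, the directory buckets and the sample text (including a zeroed placeholder hash for the live atapi.sys) are constructed for the example.

```python
# Added example, not from the thread or from the OTL / mbr.exe authors: triage
# helpers for the two log formats posted above. Function names, the directory
# buckets and the sample text are constructed for this example.
import re
from collections import defaultdict

# Constructed OTL excerpt in the page's line format. The live driver's MD5 is a
# zeroed placeholder so the check has something to flag; the others are real.
OTL_SAMPLE = r"""
< MD5 for: ATAPI.SYS >
[2008/04/14 04:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/14 04:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2010/04/10 22:10:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 02:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
"""
# Constructed mbr.exe excerpt, in the shape of the mbr.log posted in the thread.
MBR_SAMPLE = """\
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AA7E530]<<
detected MBR rootkit hooks:
\\Driver\\atapi -> 0x8aa7e530
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""
SECTION_RE = re.compile(r"^< MD5 for: (.+?) >\s*$")
MD5_RE = re.compile(r"MD5=([0-9A-Fa-f]{32}) -- (.+?)\s*$")
HOOK_RE = re.compile(r"^\\Driver\\(\S+) -> (0x[0-9A-Fa-f]+)")
# Pristine service pack copies: the source the helper's OTL script restores from.
REFERENCE_DIRS = ("\\servicepackfiles\\i386\\", "\\system32\\dllcache\\")
# Older or hotfix copies legitimately hash differently and are never flagged.
HISTORY_DIRS = ("\\$ntservicepackuninstall$\\", "\\$hf_mig$\\", "\\reinstallbackups\\")


def classify(path):
    """Bucket an OTL path as reference, history, live (the loaded copy) or other."""
    p = path.lower()
    if any(d in p for d in REFERENCE_DIRS):
        return "reference"
    if any(d in p for d in HISTORY_DIRS):
        return "history"
    return "live" if "\\system32\\" in p else "other"


def parse_md5_sections(text):
    """Map each '< MD5 for: NAME >' section to [(path, MD5)]; .cab lines carry none."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        head = SECTION_RE.match(line)
        if head:
            current = head.group(1).lower()
            continue
        m = MD5_RE.search(line)
        if current and m:
            sections[current].append((m.group(2), m.group(1).upper()))
    return dict(sections)


def md5_mismatches(text):
    """Live copies whose MD5 differs from the sole reference copy: {name: (path, md5, ref_md5)}."""
    findings = {}
    for name, entries in parse_md5_sections(text).items():
        refs = {md5 for path, md5 in entries if classify(path) == "reference"}
        if len(refs) != 1:
            continue  # no unambiguous reference copy: leave it to a human
        ref = next(iter(refs))
        for path, md5 in entries:
            if classify(path) == "live" and md5 != ref:
                findings[name] = (path, md5, ref)
    return findings


def mbr_hooks(text):
    """[(driver, address)] hook lines after 'detected MBR rootkit hooks:', plus whether the MBR read clean."""
    hooks, in_hooks = [], False
    for line in text.splitlines():
        if line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
            continue
        m = HOOK_RE.match(line) if in_hooks else None
        if m:
            hooks.append((m.group(1), m.group(2).lower()))
        elif in_hooks and line.strip():
            in_hooks = False  # first non-hook line ends the list
    return hooks, "user & kernel MBR OK" in text
```

In the user's own log every atapi.sys copy carried the same MD5 while mbr.exe still reported \Driver\atapi hooked, so a hash comparison taken from inside the infected Windows can look clean and the hook lines are the stronger signal; this matches the helper's choice to replace the file from the OTLPE boot rather than from the running system.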


#14 sempai (noypi)
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 15 April 2010 - 07:54 AM

1. Now we need to use the Recovery Console. Please print or make a copy of the next steps so you will not make any mistakes.
  1. Please restart your computer.
  2. During restart, you will see an option on which operating system to use.
  3. Please use arrow key and choose Microsoft Windows Recovery Console and hit enter.
  4. The Recovery Console will start and ask you which Windows installation you would like to log onto.
    Note: If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.
  5. It will then prompt you for the Administrator's password. If there is no password, simply press enter.
  6. You will now be presented with a C:\Windows> prompt
  7. Please type the bolded text below and hit the enter key:
    fixmbr
  8. Type exit to exit the command prompt and restart your computer normally.


2. Once the PC has restarted, wait for about 5 minutes and do the following:

Go to Start > Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c mbr -t& start mbr.log
  • mbr.log will pop up, please post the contents in your reply.


~Semp



#15 sherriec09
  • Topic Starter
  • Members
  • 51 posts

Posted 15 April 2010 - 12:23 PM

You didn't mention what to do if a problem pops up:

***CAUTION***
This computer appears to have a non-standard or invalid master boot record.

FIXMBR may damage your partition tables if you proceed.

This could cause all the partitions on the current hard disk to become inaccessible.

If you are not having problems accessing your drive, do not continue.

What does this mean Sempai and could it really harm my hard drive?

I don't understand.



