
HTTPS Tidserv Request 2


This topic is locked
20 replies to this topic

#1 kf6700

  • Members
  • 11 posts

Posted 06 May 2010 - 09:59 AM

Hello - need help on a virus removal - Norton is detecting an intrusion attempt ~every 30 mins that it identifies as "HTTPS Tidserv Request 2". Norton detects the intrusion attempts and also detects "Backdoor.Tidserv.l!inf", but doesn't offer any effective removal instructions. Malwarebytes scans run clean. TDSSKiller scans find my 'iastor' driver is infected by TDSS rootkit, but several attempts to remove on reboot have failed.

DDS logs and GMER log follow:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Kevin Fredrich at 10:13:56.65 on Thu 05/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1366 [GMT -5:00]

AV: Digital Protection *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\MCUI32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Norton 360\Engine\3.8.0.41\MCUI32.EXE
C:\Documents and Settings\Kevin Fredrich\Desktop\Defogger.exe
C:\Documents and Settings\Kevin Fredrich\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://us.mg4.mail.yahoo.com/dc/launch?.gx=1&.rand=7p4s1kqcp1hmp
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Cxayicitaq] rundll32.exe "c:\windows\agarabul.dll",Startup
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\PolicyLSP.dll
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\aibelive\voicec~1\SKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kevinf~1\applic~1\mozilla\firefox\profiles\85dxlymc.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.mg4.mail.yahoo.com/dc/launch?sysreq=ignore
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\kevin fredrich\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: XULRunner: {08D1D626-A5B2-45A9-89FC-5BA47C48D569} - c:\documents and settings\kevin fredrich\local settings\application data\{08D1D626-A5B2-45A9-89FC-5BA47C48D569}
FF - HiddenExtension: XULRunner: {4160D9F5-A454-4E96-B041-F73A7E9BBD2D} - c:\documents and settings\kathy fredrich\local settings\application data\{4160D9F5-A454-4E96-B041-F73A7E9BBD2D}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-3 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-3 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-3 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100429.001\IDSXpx86.sys [2010-5-5 329592]
R1 policyappblockservice;Parental Control Application Filter;c:\program files\parental control\bin\policyappblock.sys [2009-2-2 5120]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-7 55152]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-4-20 304464]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-3 117640]
R2 privoxy;privoxy;c:\program files\privoxy\privoxy.exe --service --> c:\program files\privoxy\privoxy.exe --service [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-1 102448]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-4-9 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-4-20 20952]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100505.021\NAVENG.SYS [2010-5-5 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100505.021\NAVEX15.SYS [2010-5-5 1324720]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2009-7-18 9472]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [2009-4-1 39040]
S0 cqohqio;cqohqio; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [2009-5-7 1684736]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2009-7-20 18864]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 scsichk;scsichk;\??\c:\windows\system32\scsichk.sys --> c:\windows\system32\scsichk.sys [?]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-5-7 232872]
S4 btdhs;btdhs;c:\windows\system32\drivers\iantge.sys [2010-4-20 54016]
S4 kprkqi;kprkqi;c:\windows\system32\drivers\nvnre.sys [2010-4-20 54016]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2010-05-06 15:12:01 0 ----a-w- c:\documents and settings\kevin fredrich\defogger_reenable
2010-05-06 14:00:29 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-05-06 14:00:29 327192 ----a-w- c:\windows\system32\drivers\tsk414.tmp
2010-05-05 21:17:31 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2010-05-05 21:17:31 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-25 21:20:50 0 d-----w- c:\program files\common files\DivX Shared
2010-04-25 21:18:48 0 d-----w- c:\program files\DivX
2010-04-25 21:18:27 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX
2010-04-20 21:47:27 54016 ----a-w- c:\windows\system32\drivers\nvnre.sys
2010-04-20 21:39:04 54016 ----a-w- c:\windows\system32\drivers\iantge.sys
2010-04-20 20:48:22 0 d-----w- c:\docume~1\kevinf~1\applic~1\Malwarebytes
2010-04-20 20:48:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 20:48:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-20 20:48:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 20:48:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-20 16:18:39 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
2010-04-20 16:17:15 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-20 16:17:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-20 15:41:12 120 ----a-w- c:\windows\Mpepujuzes.dat
2010-04-20 15:41:12 0 ----a-w- c:\windows\Kgugev.bin
2010-04-20 15:40:43 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-20 15:40:43 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-20 15:40:28 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-20 15:40:28 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-20 15:39:18 0 d-----w- c:\docume~1\kevinf~1\applic~1\70377CA3D6ECB2E251F2A42B278C0F2B

==================== Find3M ====================

2010-05-05 23:26:31 327192 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-03-31 01:58:04 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-03-31 01:58:04 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-03-31 01:58:04 44944 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-03-31 01:58:04 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-31 01:58:04 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58:04 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-19 19:27:36 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27:16 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27:16 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27:16 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27:16 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27:16 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2009-05-08 14:07:22 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-07-17 11:10:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009071720090718\index.dat

============= FINISH: 10:16:24.92 ===============


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-06 10:44:58
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\KEVINF~1\LOCALS~1\Temp\agkdypob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 89D77AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----





Thanks in advance for the help!

Edited by kf6700, 06 May 2010 - 11:08 AM.
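The DDS and GMER output above carries several entries consistent with the TDSS infection kf6700 describes: an S0 service (cqohqio) whose image file DDS could not find, two randomly named drivers of identical size (iantge.sys, nvnre.sys) created on the same day, a Run entry that has rundll32 load agarabul.dll from the root of c:\windows, and GMER flagging iaStor.sys as modified. The script below is an added example, not the poster's logs and not a tool from BleepingComputer, DDS or GMER: it parses those line formats from a constructed sample and pulls out exactly those four indicator classes. The regular expressions encode the line layouts as they appear in this thread and are assumptions rather than a documented format, and "[x]" is read as DDS's marker for an image file it could not locate.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the DDS and GMER line formats seen in
# this thread (not a verbatim copy of the poster's logs).
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [Cxayicitaq] rundll32.exe "c:\\windows\\agarabul.dll",Startup
mRun: [DivXUpdate] "c:\\program files\\divx\\divx update\\DivXUpdate.exe" /CHECKNOW

============= SERVICES / DRIVERS ===============

R2 MBAMService;MBAMService;c:\\program files\\malwarebytes' anti-malware\\mbamservice.exe [2010-4-20 304464]
R3 MBAMProtector;MBAMProtector;c:\\windows\\system32\\drivers\\mbam.sys [2010-4-20 20952]
S0 cqohqio;cqohqio; [x]
S4 btdhs;btdhs;c:\\windows\\system32\\drivers\\iantge.sys [2010-4-20 54016]
S4 kprkqi;kprkqi;c:\\windows\\system32\\drivers\\nvnre.sys [2010-4-20 54016]
"""

SAMPLE_GMER = """\
Device -> \\Driver\\iaStor \\Device\\Harddisk0\\DR0 89D77AC8
File C:\\WINDOWS\\system32\\drivers\\iaStor.sys suspicious modification
"""

# Assumed layouts: "R0 name;display;path [date size]" or "S0 name;display; [x]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<tail>[^\]]*)\]\s*$")
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
# rundll32 handed a DLL that sits directly in the Windows directory (no subfolder)
RUNDLL_ROOT_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([a-z]:\\windows\\[^\\"]+\.dll)', re.I)
GMER_RE = re.compile(r"^File (?P<path>.+?) suspicious modification\s*$", re.M)


def parse_services(text):
    """Return one dict per SERVICES / DRIVERS line matching the assumed layout."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        tail = m.group("tail").split()
        date = size = None
        if len(tail) == 2 and tail[1].isdigit():
            date, size = tail[0], int(tail[1])
        out.append({"start": m.group("start"), "name": m.group("name"),
                    "path": m.group("path"), "date": date, "size": size,
                    "missing": m.group("tail").strip() == "x"})
    return out


def find_missing_image(services):
    """Names of services whose image file DDS could not locate ("[x]")."""
    return [s["name"] for s in services if s["missing"]]


def find_size_twins(services):
    """Groups of .sys drivers that share an on-disk date and byte size."""
    groups = defaultdict(list)
    for s in services:
        if s["size"] is not None and s["path"].lower().endswith(".sys"):
            groups[(s["date"], s["size"])].append(s["path"].rsplit("\\", 1)[-1])
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


def find_rundll32_windows_root(text):
    """DLLs that Run entries load via rundll32 from the Windows directory itself."""
    hits = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            r = RUNDLL_ROOT_RE.search(m.group("cmd"))
            if r:
                hits.append(r.group(1))
    return hits


def find_gmer_suspicious(text):
    """File paths GMER reports as having a suspicious modification."""
    return GMER_RE.findall(text)


def triage(dds_text, gmer_text):
    """Run all four checks and return the indicators by class."""
    services = parse_services(dds_text)
    return {
        "missing_image": find_missing_image(services),
        "size_twins": find_size_twins(services),
        "rundll32_windows_root": find_rundll32_windows_root(dds_text),
        "gmer_suspicious": find_gmer_suspicious(gmer_text),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_DDS, SAMPLE_GMER).items():
        print(f"{kind}: {hits}")
```

Run it directly to see the four lists, or import it and feed it a full DDS and GMER log. The output is a set of triage pointers for a human analyst, not a verdict: the size-twin check will also pair legitimately identical drivers, and a flagged driver such as iaStor.sys should be compared against the vendor's copy before anything is removed, which is why the thread hands the actual cleanup to a dedicated tool.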



#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Location:Numpty HQ

Posted 06 May 2010 - 02:18 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *
  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.


#3 kf6700

  • Topic Starter
  • Members
  • 11 posts

Posted 09 May 2010 - 03:26 PM

Ran ComboFix per your instructions. PC is performing well - no noticeable changes. Here is the log:

ComboFix 10-05-08.03 - Kevin Fredrich 05/09/2010 15:04:54.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1649 [GMT -5:00]
Running from: c:\documents and settings\Kevin Fredrich\Desktop\CF.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kathy Fredrich\Local Settings\Application Data\{4160D9F5-A454-4E96-B041-F73A7E9BBD2D}
c:\documents and settings\Kathy Fredrich\Local Settings\Application Data\{4160D9F5-A454-4E96-B041-F73A7E9BBD2D}\chrome.manifest
c:\documents and settings\Kathy Fredrich\Local Settings\Application Data\{4160D9F5-A454-4E96-B041-F73A7E9BBD2D}\chrome\content\_cfg.js
c:\documents and settings\Kathy Fredrich\Local Settings\Application Data\{4160D9F5-A454-4E96-B041-F73A7E9BBD2D}\chrome\content\overlay.xul
c:\documents and settings\Kathy Fredrich\Local Settings\Application Data\{4160D9F5-A454-4E96-B041-F73A7E9BBD2D}\install.rdf
c:\documents and settings\Kevin Fredrich\Application Data\70377CA3D6ECB2E251F2A42B278C0F2B
c:\documents and settings\Kevin Fredrich\Application Data\70377CA3D6ECB2E251F2A42B278C0F2B\enemies-names.txt
c:\documents and settings\Kevin Fredrich\Application Data\70377CA3D6ECB2E251F2A42B278C0F2B\lsrslt.ini
c:\documents and settings\Kevin Fredrich\Local Settings\Application Data\{08D1D626-A5B2-45A9-89FC-5BA47C48D569}
c:\documents and settings\Kevin Fredrich\Local Settings\Application Data\{08D1D626-A5B2-45A9-89FC-5BA47C48D569}\chrome.manifest
c:\documents and settings\Kevin Fredrich\Local Settings\Application Data\{08D1D626-A5B2-45A9-89FC-5BA47C48D569}\chrome\content\_cfg.js
c:\documents and settings\Kevin Fredrich\Local Settings\Application Data\{08D1D626-A5B2-45A9-89FC-5BA47C48D569}\chrome\content\overlay.xul
c:\documents and settings\Kevin Fredrich\Local Settings\Application Data\{08D1D626-A5B2-45A9-89FC-5BA47C48D569}\install.rdf
c:\documents and settings\Kevin Fredrich\Start Menu\Programs\Antimalware Doctor
c:\documents and settings\Kevin Fredrich\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
c:\documents and settings\Kevin Fredrich\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
c:\windows\agarabul.dll
c:\windows\system32\drivers\iantge.sys
c:\windows\system32\drivers\nvnre.sys
c:\windows\system32\Thumbs.db

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy_btdhs
-------\Legacy_kprkqi
-------\Service_btdhs
-------\Service_kprkqi


((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))
.

2010-05-09 01:03 . 2010-05-09 01:03 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2010-05-09 01:03 . 2010-05-09 01:03 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-26 14:58 . 2010-04-26 14:58 -------- d-----w- c:\documents and settings\Kathy Fredrich\Application Data\DivX
2010-04-25 21:23 . 2010-04-25 21:23 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-04-25 21:23 . 2010-04-25 21:18 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-04-25 21:23 . 2010-04-25 21:18 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-04-25 21:23 . 2010-04-25 21:23 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-04-25 21:22 . 2010-04-25 21:22 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-04-25 21:22 . 2010-04-25 21:22 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-04-25 21:22 . 2010-04-25 21:22 57679 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-04-25 21:22 . 2010-04-25 21:25 -------- d-----w- c:\documents and settings\Kevin Fredrich\Application Data\DivX
2010-04-25 21:20 . 2010-04-25 21:20 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-04-25 21:20 . 2010-04-25 21:20 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-04-25 21:20 . 2010-04-25 21:20 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-04-25 21:18 . 2010-04-25 21:23 -------- d-----w- c:\program files\DivX
2010-04-25 21:18 . 2010-04-25 21:18 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-04-25 21:18 . 2010-04-25 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-04-22 19:03 . 2010-04-22 19:03 0 ----a-w- c:\windows\nsreg.dat
2010-04-22 19:03 . 2010-04-22 19:03 -------- d-----w- c:\documents and settings\Kevin Fredrich\Local Settings\Application Data\Mozilla
2010-04-21 00:05 . 2010-04-21 00:05 -------- d-----w- c:\documents and settings\Kathy Fredrich\Application Data\Malwarebytes
2010-04-20 20:48 . 2010-04-20 20:48 -------- d-----w- c:\documents and settings\Kevin Fredrich\Application Data\Malwarebytes
2010-04-20 20:48 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 20:48 . 2010-04-20 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-20 20:48 . 2010-05-03 14:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-20 20:48 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 20:17 . 2006-12-07 15:45 110592 ----a-w- c:\documents and settings\Kevin Fredrich\Application Data\U3\temp\cleanup.exe
2010-04-20 20:16 . 2006-12-07 15:45 3096576 ---ha-w- c:\documents and settings\Kevin Fredrich\Application Data\U3\temp\Launchpad Removal.exe
2010-04-20 20:16 . 2010-04-20 20:16 -------- d-----w- c:\documents and settings\Kevin Fredrich\Application Data\U3
2010-04-20 18:04 . 2010-04-20 18:04 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-20 16:18 . 2010-04-20 16:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-20 16:18 . 2010-04-20 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-20 16:17 . 2010-04-20 16:17 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-20 16:17 . 2010-04-20 16:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-20 16:17 . 2010-04-20 16:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-20 16:05 . 2010-04-20 16:05 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-04-20 15:49 . 2010-04-20 15:49 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-20 15:41 . 2010-05-06 15:29 0 ----a-w- c:\windows\Kgugev.bin
2010-04-20 15:41 . 2010-05-02 21:07 120 ----a-w- c:\windows\Mpepujuzes.dat
2010-04-20 15:40 . 2008-04-14 05:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-20 15:40 . 2008-04-14 05:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-20 15:40 . 2008-04-14 05:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-20 15:40 . 2008-04-14 05:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-11 13:51 . 2010-04-11 13:51 -------- d-sh--w- c:\documents and settings\Katie Fredrich\PrivacIE
2010-04-11 13:51 . 2010-04-11 13:51 -------- d-sh--w- c:\documents and settings\Katie Fredrich\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-09 01:03 . 2010-05-09 01:03 97280 ----a-w- c:\windows\system32\drivers\atapi.sys.tmp
2010-05-06 22:11 . 2009-07-17 14:47 -------- d-----w- c:\program files\PokerStars
2010-05-06 15:27 . 2009-04-29 10:54 327192 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-05-03 14:39 . 2010-05-03 14:39 6153352 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-25 21:21 . 2010-04-25 21:21 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-03-24 07:44 . 2010-05-06 16:57 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100505.048\NAVENG.SYS
2010-03-24 07:44 . 2010-05-06 16:57 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100505.048\NAVENG32.DLL
2010-03-24 07:44 . 2010-05-06 16:57 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100505.048\NAVEX32A.DLL
2010-03-24 07:44 . 2010-05-06 16:57 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100505.048\NAVEX15.SYS
2010-03-24 07:44 . 2010-05-06 16:57 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100505.048\EECTRL.SYS
2010-03-24 07:44 . 2010-05-06 16:57 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100505.048\CCERASER.DLL
2010-03-24 07:44 . 2010-05-06 16:57 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100505.048\ECMSVR32.DLL
2010-03-24 07:44 . 2010-05-06 16:57 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100505.048\ERASER.SYS
2010-03-21 18:41 . 2009-05-07 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-13 04:39 . 2010-03-13 04:39 79488 ----a-w- c:\documents and settings\Kathy Fredrich\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-10 06:15 . 2009-04-29 10:54 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-25 06:24 . 2009-04-29 10:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2009-04-29 10:54 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2010-02-16 14:08 . 2008-04-14 00:54 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 22:41 . 2010-04-28 15:39 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-02-12 04:33 . 2009-04-29 10:54 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2009-04-29 10:54 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\ASUS\Eee Docking\eee docking .exe
c:\program files\EeePC\ACPI\asacpisvr .exe
c:\program files\EeePC\ACPI\asepcmon .exe
c:\program files\EeePC\ACPI\astray .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Synaptics\SynTP\synasusacpi .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\windows\ime\imjp8_1\imjpmig .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\hphmon03 .exe
c:\windows\system32\rundll32 .exe
c:\windows\system32\IME\PINTLGNT\imscinst .exe
c:\windows\system32\IME\TINTLGNT\tintsetp .exe
c:\windows\system32\spool\drivers\w32x86\3\hpztsb04 .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]
@="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"
[HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]
2008-07-25 16:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]
@="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"
[HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]
2008-07-25 16:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"Cxayicitaq"="c:\windows\agarabul.dll" [N/A]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-5-7 376832]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Fredrich^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Kevin Fredrich\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Fredrich^Start Menu^Programs^Startup^PdaNet Desktop.lnk]
path=c:\documents and settings\Kevin Fredrich\Start Menu\Programs\Startup\PdaNet Desktop.lnk
backup=c:\windows\pss\PdaNet Desktop.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 18:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-12-19 15:08 159744 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-12-19 15:08 135168 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Parental Control]
2009-03-20 22:23 1104384 ----a-w- c:\program files\Parental Control\bin\pcontrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-12-19 15:07 131072 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SRS Premium Sound]
c:\program files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\PdaNet for Windows Mobile\\PdaNetPC.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/3/2010 10:26 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/3/2010 10:26 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/3/2010 10:26 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSXpx86.sys [5/5/2010 6:53 PM 329592]
R1 policyappblockservice;Parental Control Application Filter;c:\program files\Parental Control\bin\policyappblock.sys [2/2/2009 3:22 PM 5120]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/20/2010 3:48 PM 304464]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2/3/2010 10:26 AM 117640]
R2 privoxy;privoxy;c:\program files\Privoxy\privoxy.exe --service --> c:\program files\Privoxy\privoxy.exe --service [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/1/2009 2:36 AM 102448]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [4/9/2009 6:17 AM 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/20/2010 3:48 PM 20952]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [7/18/2009 6:56 PM 9472]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [4/1/2009 9:19 PM 39040]
S0 cqohqio;cqohqio; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [5/7/2009 8:19 PM 1684736]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [7/20/2009 9:53 AM 18864]
S3 scsichk;scsichk;\??\c:\windows\system32\scsichk.sys --> c:\windows\system32\scsichk.sys [?]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [5/7/2009 9:35 PM 232872]
.
Contents of the 'Scheduled Tasks' folder

2010-05-09 c:\windows\Tasks\User_Feed_Synchronization-{414BB76E-C0F8-46AE-AB55-F244DA686115}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.mg4.mail.yahoo.com/dc/launch?.gx=1&.rand=7p4s1kqcp1hmp
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
LSP: c:\windows\system32\PolicyLSP.dll
FF - ProfilePath - c:\documents and settings\Kevin Fredrich\Application Data\Mozilla\Firefox\Profiles\85dxlymc.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.mg4.mail.yahoo.com/dc/launch?sysreq=ignore
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\Kevin Fredrich\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-09 15:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1020)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\ASUS\Eee Storage\XPClient.dll
c:\program files\ASUS\Eee Storage\LogicNP.EZShellExtensions.dll
c:\program files\ASUS\Eee Storage\EcaremeDLL.dll
c:\windows\assembly\GAC_MSIL\SqliteShared\1.0.3390.31024__0d0f4b69e50e559b\SqliteShared.dll
c:\windows\assembly\GAC_32\System.Data.SQLite\1.0.60.0__db937bc2d44ff139\System.Data.SQLite.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PolicyLSP.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Privoxy\privoxy.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2010-05-09 15:18:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-09 20:18

Pre-Run: 63,644,917,760 bytes free
Post-Run: 63,599,325,184 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 1087161A7B4E120B34FD77653EE1314D

Edited by kf6700, 09 May 2010 - 03:43 PM.


#4 Noviciate (Malware Response Team)

Posted 10 May 2010 - 02:11 PM

Good evening.

Copy and paste the following into Notepad (Start > All Programs > Accessories > Notepad):

RenV::
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\ASUS\Eee Docking\eee docking .exe
c:\program files\EeePC\ACPI\asacpisvr .exe
c:\program files\EeePC\ACPI\asepcmon .exe
c:\program files\EeePC\ACPI\astray .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Synaptics\SynTP\synasusacpi .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\windows\ime\imjp8_1\imjpmig .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\hphmon03 .exe
c:\windows\system32\rundll32 .exe
c:\windows\system32\IME\PINTLGNT\imscinst .exe
c:\windows\system32\IME\TINTLGNT\tintsetp .exe
c:\windows\system32\spool\drivers\w32x86\3\hpztsb04 .exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cxayicitaq"=-


Save it to your Desktop with the following filename: CFScript
Drag and drop CFScript.txt onto your copy of ComboFix and let it do its thing.
Let me have the log produced, as before, and a description of how the PC is behaving.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You have a couple of entries in your log that point to files on your PC that I would like to have checked - if they are still present.

Please go to Jotti's and click on the Browse... button at the top and navigate to the following files in turn, and then click on Submit:

c:\windows\Mpepujuzes.dat
c:\windows\Kgugev.bin


When all the scans have been completed, please copy and paste the results into your next reply.

If this site is busy, try VirusTotal: Click the Browse ... button, navigate to the file and double click it and then click the Send button.

You may need to set Windows to show All Hidden Files and Folders - instructions can be found here.
These files are hidden to stop you accidentally removing something important; it is advisable to hide them again after you have done.

So long, and thanks for all the fish.

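The script in the post above does two things that the ComboFix log posted earlier makes visible: the RenV:: section renames executables whose file names have acquired a space before the extension ("jusched .exe") back to their original names, and the Registry:: section drops the Run value "Cxayicitaq", whose target DLL ComboFix marked [N/A]. The Python below is an added example for this page, not ComboFix's code and not from either poster: it runs those two checks, plus the Security Center overrides, the disabled XP firewall and the boot-start service with no file on disk that also appear in the same log, over a constructed excerpt of the log lines quoted in this thread, and drafts the matching CFScript. The line formats it matches are assumptions taken from this thread's log, not a ComboFix specification.

```python
"""Triage a ComboFix-style log for the indicators handled in this thread and draft the
matching CFScript. Added example; not ComboFix, BleepingComputer or either poster's code.
The regexes assume the line formats seen in this thread's log."""
import re

# Constructed excerpt: lines copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
c:\program files\Java\jre6\bin\jusched .exe
c:\windows\system32\rundll32 .exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cxayicitaq"="c:\windows\agarabul.dll" [N/A]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S0 cqohqio;cqohqio; [x]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2/3/2010 10:26 AM 117640]
"""

# "name .exe": a binary renamed with a space before its extension; RenV:: restores the original name.
SPACED_EXE = re.compile(r"^(?P<dir>[a-z]:\\.*\\)(?P<stem>[^\\]+?) +\.(?P<ext>exe|dll|sys)$", re.I)
# "Name"="path" [date size], or [N/A] when ComboFix could not find the file.
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<info>[^\]]*)\]$')
# Rn/Sn <name>;<display>;<image path> [...]; an empty path followed by [x] means no file on disk.
SERVICE_NO_FILE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);[^;]*;\s*\[x\]$")
OVERRIDE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1$')
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')


def find_spaced_executables(lines):
    """Return (path as logged, path the RenV:: rename restores) for each 'name .exe' entry."""
    hits = []
    for line in lines:
        m = SPACED_EXE.match(line.strip())
        if m:
            hits.append((line.strip(), f"{m['dir']}{m['stem']}.{m['ext']}"))
    return hits


def find_missing_run_entries(lines):
    """Run-key values whose target ComboFix marked [N/A]: the loader is hidden or already gone."""
    hits, key = [], None
    for line in lines:
        line = line.strip()
        if line.startswith("["):  # a registry key header starts a new section
            key = line
            continue
        m = RUN_ENTRY.match(line)
        if m and key and key.lower().endswith(r"\currentversion\run]") and m["info"].strip().upper() == "N/A":
            hits.append((key, m["name"], m["path"]))
    return hits


def find_protection_overrides(lines):
    """Security Center overrides and a disabled XP firewall, both typical of tampering."""
    stripped = [line.strip() for line in lines]
    return [line for line in stripped if OVERRIDE.match(line) or FIREWALL_OFF.match(line)]


def find_services_without_file(lines):
    """Service/driver entries with no image on disk; S0 = stopped, boot-start (start type 0)."""
    matches = (SERVICE_NO_FILE.match(line.strip()) for line in lines)
    return [(m["state"], m["name"]) for m in matches if m]


def build_cfscript(spaced, missing_run):
    """Draft the RenV:: and Registry:: sections in the form used in the helper's post."""
    out = []
    if spaced:
        out.append("RenV::")
        out.extend(logged for logged, _ in spaced)
        out.append("")
    if missing_run:
        out.append("Registry::")
        for key in sorted({k for k, _, _ in missing_run}):
            out.append(key)
            out.extend(f'"{name}"=-' for k, name, _ in missing_run if k == key)
    return "\n".join(out) + "\n"


def triage(log_text):
    """Run every check over one log and return the findings plus the drafted script."""
    lines = log_text.splitlines()
    spaced = find_spaced_executables(lines)
    missing_run = find_missing_run_entries(lines)
    return {
        "spaced_executables": spaced,
        "missing_run_entries": missing_run,
        "protection_overrides": find_protection_overrides(lines),
        "services_without_file": find_services_without_file(lines),
        "cfscript": build_cfscript(spaced, missing_run),
    }


if __name__ == "__main__":
    for section, value in triage(SAMPLE_LOG).items():
        print(f"== {section} ==")
        print(value if isinstance(value, str) else "\n".join(map(str, value)))
```

Feeding it the full log from the earlier post produces the same fifteen RenV:: lines and the single Registry:: removal as the script above; the overrides and the pathless S0 service are reported but deliberately left out of the draft, since a script that is run blind by ComboFix should only contain entries a human has looked at.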

#5 kf6700 (Topic Starter)

Posted 10 May 2010 - 03:12 PM

Updated 5/11: Scans completed as requested. PC performing OK; Norton reported 2 instances of backdoor.tidserv.l!inf last evening (5/10). Logs follow:

ComboFix 10-05-10.02 - Kevin Fredrich 05/10/2010 14:46:02.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1341 [GMT -5:00]
Running from: c:\documents and settings\Kevin Fredrich\Desktop\CF.exe
Command switches used :: c:\documents and settings\Kevin Fredrich\Desktop\cfscript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-04-10 to 2010-05-10 )))))))))))))))))))))))))))))))
.

2010-05-09 01:03 . 2010-05-09 01:03 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2010-05-09 01:03 . 2010-05-09 01:03 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-26 14:58 . 2010-04-26 14:58 -------- d-----w- c:\documents and settings\Kathy Fredrich\Application Data\DivX
2010-04-25 21:23 . 2010-04-25 21:23 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-04-25 21:23 . 2010-04-25 21:18 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-04-25 21:23 . 2010-04-25 21:18 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-04-25 21:23 . 2010-04-25 21:23 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-04-25 21:22 . 2010-04-25 21:22 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-04-25 21:22 . 2010-04-25 21:22 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-04-25 21:22 . 2010-04-25 21:22 57679 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-04-25 21:22 . 2010-04-25 21:25 -------- d-----w- c:\documents and settings\Kevin Fredrich\Application Data\DivX
2010-04-25 21:20 . 2010-04-25 21:20 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-04-25 21:20 . 2010-04-25 21:20 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-04-25 21:20 . 2010-04-25 21:20 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-04-25 21:18 . 2010-04-25 21:23 -------- d-----w- c:\program files\DivX
2010-04-25 21:18 . 2010-04-25 21:18 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-04-25 21:18 . 2010-04-25 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-04-22 19:03 . 2010-04-22 19:03 0 ----a-w- c:\windows\nsreg.dat
2010-04-22 19:03 . 2010-04-22 19:03 -------- d-----w- c:\documents and settings\Kevin Fredrich\Local Settings\Application Data\Mozilla
2010-04-21 00:05 . 2010-04-21 00:05 -------- d-----w- c:\documents and settings\Kathy Fredrich\Application Data\Malwarebytes
2010-04-20 20:48 . 2010-04-20 20:48 -------- d-----w- c:\documents and settings\Kevin Fredrich\Application Data\Malwarebytes
2010-04-20 20:48 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 20:48 . 2010-04-20 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-20 20:48 . 2010-05-03 14:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-20 20:48 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 20:17 . 2006-12-07 15:45 110592 ----a-w- c:\documents and settings\Kevin Fredrich\Application Data\U3\temp\cleanup.exe
2010-04-20 20:16 . 2006-12-07 15:45 3096576 ---ha-w- c:\documents and settings\Kevin Fredrich\Application Data\U3\temp\Launchpad Removal.exe
2010-04-20 20:16 . 2010-04-20 20:16 -------- d-----w- c:\documents and settings\Kevin Fredrich\Application Data\U3
2010-04-20 18:04 . 2010-04-20 18:04 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-20 16:18 . 2010-04-20 16:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-20 16:18 . 2010-04-20 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-20 16:17 . 2010-04-20 16:17 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-20 16:17 . 2010-04-20 16:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-20 16:17 . 2010-04-20 16:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-20 16:05 . 2010-04-20 16:05 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-04-20 15:49 . 2010-04-20 15:49 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-20 15:41 . 2010-05-06 15:29 0 ----a-w- c:\windows\Kgugev.bin
2010-04-20 15:41 . 2010-05-02 21:07 120 ----a-w- c:\windows\Mpepujuzes.dat
2010-04-20 15:40 . 2008-04-14 05:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-20 15:40 . 2008-04-14 05:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-20 15:40 . 2008-04-14 05:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-20 15:40 . 2008-04-14 05:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-11 13:51 . 2010-04-11 13:51 -------- d-sh--w- c:\documents and settings\Katie Fredrich\PrivacIE
2010-04-11 13:51 . 2010-04-11 13:51 -------- d-sh--w- c:\documents and settings\Katie Fredrich\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-09 20:39 . 2009-07-17 14:47 -------- d-----w- c:\program files\PokerStars
2010-05-09 01:03 . 2010-05-09 01:03 97280 ----a-w- c:\windows\system32\drivers\atapi.sys.tmp
2010-05-06 15:27 . 2009-04-29 10:54 327192 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-04-25 21:21 . 2010-04-25 21:21 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-03-21 18:41 . 2009-05-07 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-13 04:39 . 2010-03-13 04:39 79488 ----a-w- c:\documents and settings\Kathy Fredrich\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-10 06:15 . 2009-04-29 10:54 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-25 06:24 . 2009-04-29 10:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2009-04-29 10:54 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2010-02-16 14:08 . 2008-04-14 00:54 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2009-04-29 10:54 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2009-04-29 10:54 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-05-09_20.13.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-29 10:54 . 2010-05-09 20:17 90566 c:\windows\system32\perfc009.dat
- 2009-04-29 10:54 . 2010-05-09 20:08 90566 c:\windows\system32\perfc009.dat
+ 2009-11-10 19:32 . 2006-01-13 06:46 196608 c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
+ 2009-04-29 10:54 . 2010-05-09 20:17 502694 c:\windows\system32\perfh009.dat
- 2009-04-29 10:54 . 2010-05-09 20:08 502694 c:\windows\system32\perfh009.dat
+ 2009-07-20 14:53 . 2006-01-13 06:46 311296 c:\windows\system32\hphmon03.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]
@="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"
[HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]
2008-07-25 16:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]
@="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"
[HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]
2008-07-25 16:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-5-7 376832]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Fredrich^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Kevin Fredrich\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Fredrich^Start Menu^Programs^Startup^PdaNet Desktop.lnk]
path=c:\documents and settings\Kevin Fredrich\Start Menu\Programs\Startup\PdaNet Desktop.lnk
backup=c:\windows\pss\PdaNet Desktop.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 18:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-12-19 15:08 159744 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-12-19 15:08 135168 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Parental Control]
2009-03-20 22:23 1104384 ----a-w- c:\program files\Parental Control\bin\pcontrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-12-19 15:07 131072 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\PdaNet for Windows Mobile\\PdaNetPC.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/3/2010 10:26 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/3/2010 10:26 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/3/2010 10:26 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100429.001\IDSXpx86.sys [5/5/2010 6:53 PM 329592]
R1 policyappblockservice;Parental Control Application Filter;c:\program files\Parental Control\bin\policyappblock.sys [2/2/2009 3:22 PM 5120]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/20/2010 3:48 PM 304464]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2/3/2010 10:26 AM 117640]
R2 privoxy;privoxy;c:\program files\Privoxy\privoxy.exe --service --> c:\program files\Privoxy\privoxy.exe --service [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/1/2009 2:36 AM 102448]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [4/9/2009 6:17 AM 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/20/2010 3:48 PM 20952]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [7/18/2009 6:56 PM 9472]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [4/1/2009 9:19 PM 39040]
S0 cqohqio;cqohqio; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [5/7/2009 8:19 PM 1684736]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [7/20/2009 9:53 AM 18864]
S3 scsichk;scsichk;\??\c:\windows\system32\scsichk.sys --> c:\windows\system32\scsichk.sys [?]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [5/7/2009 9:35 PM 232872]
.
Contents of the 'Scheduled Tasks' folder

2010-05-10 c:\windows\Tasks\User_Feed_Synchronization-{414BB76E-C0F8-46AE-AB55-F244DA686115}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.mg4.mail.yahoo.com/dc/launch?.gx=1&.rand=7p4s1kqcp1hmp
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
LSP: c:\windows\system32\PolicyLSP.dll
FF - ProfilePath - c:\documents and settings\Kevin Fredrich\Application Data\Mozilla\Firefox\Profiles\85dxlymc.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.mg4.mail.yahoo.com/dc/launch?sysreq=ignore
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\Kevin Fredrich\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SRS Premium Sound - c:\program files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-10 14:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4112)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\ASUS\Eee Storage\XPClient.dll
c:\program files\ASUS\Eee Storage\LogicNP.EZShellExtensions.dll
c:\program files\ASUS\Eee Storage\EcaremeDLL.dll
c:\windows\assembly\GAC_MSIL\SqliteShared\1.0.3390.31024__0d0f4b69e50e559b\SqliteShared.dll
c:\windows\assembly\GAC_32\System.Data.SQLite\1.0.60.0__db937bc2d44ff139\System.Data.SQLite.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\PolicyLSP.dll
.
Completion time: 2010-05-10 14:59:04
ComboFix-quarantined-files.txt 2010-05-10 19:58
ComboFix2.txt 2010-05-09 20:18

Pre-Run: 63,563,591,680 bytes free
Post-Run: 63,546,212,352 bytes free

- - End Of File - - 76E4054B6AC44B72A0844ED864F7AD60


Jotti scan log:
This file has been scanned before. The results for this previous scan are listed below.


--------------------------------------------------------------------------------

Filename: Edulikovuviy.dat
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Thu 6 May 2010 09:32:49 (CET)

No scan completed for c:\windows\Kgugev.bin; 0 bytes.

Thanks again for the help.

Edited by kf6700, 11 May 2010 - 09:46 AM.
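
As an added triage aid (not part of the original post, nor a feature of the DDS tool), here is a small Python parser for service lines in the DDS format shown in the log above. It flags entries where the log recorded no image file at all (`[x]`) or could not verify the path it found (`[?]`), and lists boot/system-start drivers first, since an early-start driver entry with no file behind it is the kind of thing a helper reviews by hand. The sample lines are constructed copies of entries from the log; the reading of `[x]` and `[?]` is my own assumption about DDS output, not documented behaviour.

```python
"""Triage the service/driver section of a DDS log.

Each entry has the shape
    <R|S><start> <name>;<display name>;<image path> [<date> <time> <size>]
where R/S means running/stopped and <start> is the Windows start type
(0 Boot, 1 System, 2 Auto, 3 Manual, 4 Disabled).  Assumption about the
format: DDS writes "[x]" when it found no image path for the service and
"[?]" when it found a path but could not verify the file (often because
the command line carries arguments, as with privoxy --service).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: entries copied from the DDS log in the post above.
SAMPLE_DDS_SERVICES = r"""
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/3/2010 10:26 AM 310320]
R2 privoxy;privoxy;c:\program files\Privoxy\privoxy.exe --service --> c:\program files\Privoxy\privoxy.exe --service [?]
S0 cqohqio;cqohqio; [x]
S3 scsichk;scsichk;\??\c:\windows\system32\scsichk.sys --> c:\windows\system32\scsichk.sys [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/20/2010 3:48 PM 20952]
""".strip()

START_TYPES = {"0": "Boot", "1": "System", "2": "Auto", "3": "Manual", "4": "Disabled"}
START_ORDER = {"Boot": 0, "System": 1, "Auto": 2, "Manual": 3, "Disabled": 4}

LINE_RE = re.compile(r"^(?P<run>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
TAIL_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$")


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    start_type: str
    image_path: str            # resolved path ("" when DDS recorded none)
    size: Optional[int]        # on-disk size when DDS could stat the file
    verified: bool             # True only when DDS printed date/time/size
    findings: List[str] = field(default_factory=list)


def _apply_checks(entry: ServiceEntry, meta: str) -> None:
    """Attach review findings; these are prompts for a human, not verdicts."""
    if meta == "x":
        entry.findings.append("no image file recorded for this service")
        if entry.start_type in ("Boot", "System"):
            entry.findings.append(
                "early-start entry with no file behind it: review the service key")
    elif meta == "?":
        entry.findings.append("image path could not be verified by DDS")


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tail = TAIL_RE.match(m.group("rest").strip())
    if not tail:
        return None
    path, meta = tail.group("path").strip(), tail.group("meta").strip()
    # "a --> b" means DDS resolved the registry value a to the file b.
    if "-->" in path:
        path = path.split("-->", 1)[1].strip()
    verified = meta not in ("x", "?")
    size = None
    if verified:
        tokens = meta.split()
        if tokens and tokens[-1].isdigit():
            size = int(tokens[-1])
    entry = ServiceEntry(
        name=m.group("name"), display=m.group("display"),
        running=m.group("run") == "R", start_type=START_TYPES[m.group("start")],
        image_path=path, size=size, verified=verified,
    )
    _apply_checks(entry, meta)
    return entry


def triage(log_text: str) -> List[ServiceEntry]:
    """Return only entries with findings, earliest start type first."""
    flagged = [e for e in map(parse_line, log_text.splitlines()) if e and e.findings]
    flagged.sort(key=lambda e: START_ORDER[e.start_type])
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_DDS_SERVICES):
        print(f"{e.name:14} start={e.start_type:8} path={e.image_path or '<none>'}")
        for f in e.findings:
            print("   -", f)
```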


#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 11 May 2010 - 02:31 PM

Good evening.

I'd like a fresh GMER log as it appears there is some disagreement in the logs as to which file(s) have been affected by the sliminess your machine has picked up.

Go here and click the Download EXE button at the top and save the file to your Desktop - the file is randomly named to try to sidestep the actions of certain malicious files.
Double click the file to begin:
  • If you get a pop-up regarding rootkit activity and are asked if you want to scan, click No.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for
    • Sections
    • IAT/EAT
    • Show All
    • All drives except your main one, which is usually C:\.
  • Click the Scan button on the right and OK any pop-up that you may see regarding rootkit activity.
  • When the scan has completed, (you'll have time for a snack and a cuppa!), click the Save... button and again save the log with any name to a handy location.
Post the contents of the log(s) into your next reply. The Preview option on the forum may show the whole log(s) being posted, but they sometimes get cut down when the actual post is made, so please check the post once it is completed.

So long, and thanks for all the fish.


#7 kf6700

  • Topic Starter
  • Members
  • 11 posts

Posted 12 May 2010 - 08:37 AM

Had difficulty running GMER - machine would slow to a crawl. Disabled Norton and Malwarebytes and retried - same problem. Took a look at Task Manager - 2 instances of ccSvcHst.exe were running (1-system, 1-user) sucking up >90% of CPU. Started in safe mode and successfully ran scan - took about 1 hour to complete. Log follows:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-12 07:53:34
Windows 5.1.2600 Service Pack 3
Running: w3i00wy1.exe; Driver: C:\DOCUME~1\KEVINF~1\LOCALS~1\Temp\agkdypob.sys


---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device B9C95D20

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Thanks for the help.

#8 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 12 May 2010 - 01:55 PM

Good evening.

That process is associated with the Norton software you have installed and it appears to have form for high system usage.

GMER now looks clear, so we'll have a peek with an online scanner and see what shows up. Pay a visit to the ESET Online Scanner.
  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

So long, and thanks for all the fish.


#9 kf6700

  • Topic Starter
  • Members
  • 11 posts

Posted 12 May 2010 - 06:38 PM

Ran eset scan. Output follows:

C:\Qoobox\Quarantine\C\WINDOWS\agarabul.dll.vir a variant of Win32/Cimag.CK trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\atapi.sys.vir Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{307391AF-159F-46DF-A23B-1A19D1855DDA}\RP3\A0003031.sys Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{307391AF-159F-46DF-A23B-1A19D1855DDA}\RP4\A0003074.sys Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{307391AF-159F-46DF-A23B-1A19D1855DDA}\RP4\A0003115.dll a variant of Win32/Cimag.CK trojan
C:\WINDOWS\system32\drivers\atapi.sys.tmp Win32/Olmarik.ZC trojan

What's next?

#10 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 13 May 2010 - 02:43 PM

Good evening.

Is Norton still flagging the backdoor.tidserv.l!inf detections?

So long, and thanks for all the fish.


#11 kf6700

  • Topic Starter
  • Members
  • 11 posts

Posted 13 May 2010 - 02:48 PM

Last Norton detection of backdoor.tidserv.l!inf was yesterday at ~12:30 pm (US Central)

#12 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 14 May 2010 - 01:48 PM

Good evening.

Unfortunately this nasty has various versions and there are probably more in the pipeline, so it may take some time to work out where the bugger is hiding.

Download HAMeb_check.exe by noahdfear from here and save it to your Desktop.
  • Double click the tool to run it - it will take a minute or two to complete.
  • Once complete it will open Notepad with the results and save a copy as HelpAsst.log to the root of your hard drive, usually C:\
  • Please post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download OTL by OldTimer from here and save it to your Desktop.
  • Close all open program windows and then double click the file to run it.
  • Copy and paste the following into the Custom Scans/Fixes box at the bottom:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90


  • Please don't change any of the settings.
  • Click the Quick Scan button and let it do its thing - it shouldn't take too long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please paste the contents of these two files into your next reply, checking that all the data makes it into your post - large files may get cut off.

So long, and thanks for all the fish.


#13 kf6700

  • Topic Starter
  • Members
  • 11 posts

Posted 14 May 2010 - 08:18 PM

Ran requested scans. Logs follow:

C:\Documents and Settings\Kevin Fredrich\Desktop\HAMeb_check.exe
Fri 05/14/2010 at 15:49:36.67

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


OTL logfile created on: 5/14/2010 3:53:24 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Kevin Fredrich\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 61.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 72.06 Gb Total Space | 53.83 Gb Free Space | 74.70% Space Free | Partition Type: NTFS
Drive D: | 72.05 Gb Total Space | 71.97 Gb Free Space | 99.89% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-GHRB1A270F
Current User Name: Kevin Fredrich
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/14 15:51:30 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin Fredrich\Desktop\OTL.exe
PRC - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/04/29 15:39:32 | 000,437,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2010/04/12 17:46:36 | 001,135,912 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2009/10/01 11:54:25 | 000,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
PRC - [2009/04/16 19:46:30 | 000,630,784 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
PRC - [2009/04/16 18:58:54 | 000,118,784 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsTray.exe
PRC - [2009/03/25 10:43:40 | 000,376,832 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
PRC - [2009/03/20 17:23:32 | 001,104,384 | ---- | M] () -- C:\Program Files\Parental Control\bin\pcontrol.exe
PRC - [2009/03/13 16:15:02 | 000,098,304 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsEPCMon.exe
PRC - [2009/01/14 16:53:02 | 000,226,656 | ---- | M] (Microsoft Corp.) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2008/09/02 06:26:16 | 001,448,576 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PRC - [2008/09/02 06:26:16 | 000,604,776 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2008/07/31 22:45:36 | 000,185,560 | ---- | M] () -- C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/20 12:06:08 | 000,302,080 | ---- | M] (The Privoxy team - www.privoxy.org) -- C:\Program Files\Privoxy\privoxy.exe
PRC - [2007/12/19 10:07:40 | 000,163,840 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe
PRC - [2006/11/13 13:39:52 | 001,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2006/11/13 13:39:34 | 000,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe


========== Modules (SafeList) ==========

MOD - [2010/05/14 15:51:30 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin Fredrich\Desktop\OTL.exe
MOD - [2009/10/01 11:54:09 | 000,419,696 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.8.0.41\asOEHook.dll
MOD - [2008/09/02 06:25:10 | 000,073,728 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\BtMmHook.dll
MOD - [2008/09/02 06:23:22 | 000,040,960 | ---- | M] () -- C:\Program Files\WIDCOMM\Bluetooth Software\BTKeyInd.dll
MOD - [2008/04/14 07:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2009/10/01 11:54:25 | 000,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe -- (N360)
SRV - [2009/02/06 17:08:58 | 000,533,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/01/14 16:53:02 | 000,226,656 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2008/01/20 12:06:08 | 000,302,080 | ---- | M] (The Privoxy team - www.privoxy.org) [Auto | Running] -- C:\Program Files\Privoxy\privoxy.exe -- (privoxy)
SRV - [2006/01/13 01:46:57 | 000,077,824 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\hphipm09.exe -- (Pml Driver)


========== Driver Services (SafeList) ==========

DRV - [2010/05/10 03:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100513.032\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/05/10 03:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100513.032\NAVENG.SYS -- (NAVENG)
DRV - [2010/05/06 10:27:19 | 000,327,192 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010/03/24 02:44:10 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/10/28 17:37:22 | 000,329,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2009/10/01 11:54:34 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/10/01 11:54:28 | 000,310,320 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0308000.029\SYMEFA.SYS -- (SymEFA)
DRV - [2009/10/01 11:54:28 | 000,308,272 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SRTSP.SYS -- (SRTSP)
DRV - [2009/10/01 11:54:28 | 000,217,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMTDI.SYS -- (SYMTDI)
DRV - [2009/10/01 11:54:28 | 000,089,904 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMFW.SYS -- (SYMFW)
DRV - [2009/10/01 11:54:28 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0308000.029\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2009/10/01 11:54:28 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2009/10/01 11:54:28 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2009/10/01 11:54:28 | 000,036,400 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMNDIS.SYS -- (SYMNDIS)
DRV - [2009/10/01 11:54:28 | 000,033,072 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMIDS.SYS -- (SYMIDS)
DRV - [2009/10/01 11:54:27 | 000,482,432 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\ccHPx86.sys -- (ccHP)
DRV - [2009/10/01 11:54:27 | 000,259,632 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\BHDrvx86.sys -- (BHDrvx86)
DRV - [2009/10/01 02:36:16 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/04/20 09:38:18 | 000,232,872 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SRS_PremiumSound_i386.sys -- (SRS_PremiumSound_Service)
DRV - [2009/03/30 04:13:30 | 005,063,168 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/03/13 22:05:26 | 001,528,928 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2009/03/06 03:58:44 | 000,208,304 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2009/03/02 00:03:47 | 000,038,912 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1c51x86.sys -- (L1c)
DRV - [2009/02/06 17:08:42 | 000,055,152 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009/02/02 15:22:44 | 000,005,120 | ---- | M] () [Kernel | System | Running] -- C:\Program Files\Parental Control\bin\policyappblock.sys -- (policyappblockservice)
DRV - [2008/11/18 20:21:28 | 000,039,040 | ---- | M] (GenesysLogic Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\uvclf.sys -- (uvclf)
DRV - [2008/08/19 09:16:36 | 000,991,656 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2008/08/19 09:16:28 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008/08/05 07:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ambfilt.sys -- (Ambfilt)
DRV - [2008/07/24 04:37:10 | 000,156,816 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2008/05/29 22:46:12 | 000,534,568 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2008/04/14 07:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 00:11:00 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\changer.sys -- (Changer)
DRV - [2008/04/08 14:59:28 | 000,010,752 | ---- | M] (ASUSTeK Computer Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASUSACPI.SYS -- (AsusACPI)
DRV - [2008/03/10 05:18:42 | 000,057,384 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2008/02/04 04:57:44 | 000,037,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2007/12/18 22:32:12 | 005,854,688 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2006/09/28 15:32:14 | 000,009,472 | ---- | M] (June Fabrics Technology) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pnetmdm.sys -- (pnetmdm)
DRV - [2006/01/13 01:46:58 | 000,050,211 | ---- | M] (Hewlett-Packard) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hphs2k09.sys -- (Dot4Storage HPH09) Storage Class Driver for IEEE-1284.4 (HPH09)
DRV - [2006/01/13 01:46:58 | 000,018,864 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hphius09.sys -- (Dot4Usb HPH09)
DRV - [2006/01/13 01:46:58 | 000,016,112 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hphipr09.sys -- (Dot4Print HPH09)
DRV - [2006/01/13 01:46:57 | 000,050,800 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hphid409.sys -- (Dot4 HPH09)
DRV - [2006/01/04 02:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://us.mg4.mail.yahoo.com/dc/launch?.gx...d=7p4s1kqcp1hmp
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://us.mg4.mail.yahoo.com/dc/launch?sysreq=ignore"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7

FF - HKLM\software\mozilla\Firefox\extensions\\{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\ [2010/04/28 10:39:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/22 14:03:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/05 18:31:17 | 000,000,000 | ---D | M]

[2010/04/22 14:04:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kevin Fredrich\Application Data\Mozilla\Extensions
[2010/04/22 14:04:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kevin Fredrich\Application Data\Mozilla\Firefox\Profiles\85dxlymc.default\extensions
[2010/05/12 10:20:12 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/05/09 15:13:18 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [Parental Control] C:\Program Files\Parental Control\bin\pcontrol.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKCU..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ SuperHybridEngine.lnk = C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe (ASUSTeK Computer Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\Kevin Fredrich\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Kevin Fredrich\Start Menu\Programs\Startup\PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\PolicyLSP.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\System32\PolicyLSP.dll ()
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} http://support.asus.com/common/asusTek_sys_ctrl.cab (asusTek_sysctrl Class)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Kevin Fredrich\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Kevin Fredrich\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/29 06:07:03 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/04/29 06:06:30 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17183584330711040)

========== Files/Folders - Created Within 90 Days ==========

[2010/05/14 15:51:22 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Kevin Fredrich\Desktop\OTL.exe
[2010/05/13 11:27:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Fredrich\Desktop\New Folder
[2010/05/12 14:12:15 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/05/11 17:11:31 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/11 09:54:58 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/11 09:52:59 | 000,000,000 | ---D | C] -- C:\CF
[2010/05/10 17:14:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Fredrich\Application Data\Asus
[2010/05/10 17:11:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\AsDmiHtm
[2010/05/10 17:08:16 | 000,000,000 | ---D | C] -- C:\Program Files\Atheros Communications Inc
[2010/05/10 15:22:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Eee PC
[2010/05/09 15:38:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Fredrich\Desktop\tdss killer
[2010/05/09 15:30:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Fredrich\Desktop\BleepingComputer
[2010/05/09 14:56:39 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/09 14:56:39 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/09 14:56:39 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/09 14:56:39 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/09 14:56:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/09 14:55:02 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/25 16:22:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Fredrich\Application Data\DivX
[2010/04/25 16:20:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DivX Shared
[2010/04/25 16:18:48 | 000,000,000 | ---D | C] -- C:\Program Files\DivX
[2010/04/25 16:18:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DivX
[2010/04/25 15:56:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Fredrich\Application Data\WinRAR
[2010/04/25 15:56:15 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2010/04/23 21:36:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Fredrich\Desktop\Katie
[2010/04/22 14:03:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Fredrich\Local Settings\Application Data\Mozilla
[2010/04/22 14:03:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Fredrich\Application Data\Mozilla
[2010/04/22 14:03:32 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/04/20 15:48:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Fredrich\Application Data\Malwarebytes
[2010/04/20 15:48:04 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/20 15:48:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/20 15:48:00 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/20 15:48:00 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/20 15:16:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Fredrich\Application Data\U3
[2010/04/20 11:18:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\avG
[2010/04/20 11:18:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avG
[2010/04/20 11:17:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/20 11:16:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/20 10:50:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/20 10:50:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/16 12:05:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\IIT
[2010/03/30 20:58:24 | 000,353,592 | ---- | C] (DivX, Inc.) -- C:\WINDOWS\System32\DivXControlPanelApplet.cpl
[2010/03/24 12:53:02 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Kevin Fredrich\IECompatCache
[2010/03/24 12:52:09 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Kevin Fredrich\PrivacIE
[2010/03/24 12:51:22 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Kevin Fredrich\IETldCache
[2010/03/24 12:30:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2010/03/24 12:29:12 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/03/23 09:19:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\PreInstall
[2010/03/22 11:32:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution
[2010/03/08 12:59:18 | 000,094,208 | ---- | C] (DivX, Inc.) -- C:\WINDOWS\System32\dpl100.dll
[2010/03/01 18:11:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2010/02/19 14:27:36 | 000,720,384 | ---- | C] (DivX, Inc.) -- C:\WINDOWS\System32\DivX.dll
[2010/02/19 14:27:16 | 000,856,064 | ---- | C] (DivX, Inc.) -- C:\WINDOWS\System32\divx_xx0c.dll
[2010/02/19 14:27:16 | 000,856,064 | ---- | C] (DivX, Inc.) -- C:\WINDOWS\System32\divx_xx07.dll
[2010/02/19 14:27:16 | 000,847,872 | ---- | C] (DivX, Inc.) -- C:\WINDOWS\System32\divx_xx0a.dll
[2010/02/19 14:27:16 | 000,843,776 | ---- | C] (DivX, Inc.) -- C:\WINDOWS\System32\divx_xx16.dll
[2010/02/19 14:27:16 | 000,839,680 | ---- | C] (DivX, Inc.) -- C:\WINDOWS\System32\divx_xx11.dll
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Documents\*.tmp files -> C:\Documents and Settings\All Users\Documents\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2049/12/31 16:00:00 | 000,010,506 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\KFredrich1.5M20TDWP.pdf
[2049/12/31 16:00:00 | 000,010,475 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\KFredrich1MTDWP.pdf
[2049/12/31 16:00:00 | 000,010,011 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\KFredrich1.5M20TnoDWP.pdf
[2049/12/31 16:00:00 | 000,009,998 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\KFredrich1MTnoDWP.pdf
[2010/05/14 16:10:13 | 000,000,440 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{414BB76E-C0F8-46AE-AB55-F244DA686115}.job
[2010/05/14 15:51:30 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin Fredrich\Desktop\OTL.exe
[2010/05/14 15:49:10 | 000,485,896 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\HAMeb_check.exe
[2010/05/13 13:39:46 | 000,065,339 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\chamberlinMar07.pdf
[2010/05/13 12:10:19 | 003,407,872 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\ntuser.dat
[2010/05/13 12:01:07 | 003,545,045 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\The Problem of Survival for the Angevin.pdf
[2010/05/13 11:41:22 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/13 11:41:16 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/13 11:41:13 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/12 14:01:08 | 000,046,080 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\KTF Networking Brief.doc
[2010/05/12 10:18:58 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Kevin Fredrich\ntuser.ini
[2010/05/12 10:18:50 | 006,444,504 | -H-- | M] () -- C:\Documents and Settings\Kevin Fredrich\Local Settings\Application Data\IconCache.db
[2010/05/12 10:03:39 | 000,000,196 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/12 06:52:41 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\w3i00wy1.exe
[2010/05/11 16:44:30 | 000,602,466 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/11 16:44:30 | 000,502,694 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/11 16:44:30 | 000,090,566 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/11 11:31:46 | 002,487,491 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\EBSCO The Christian Experience and Interpretation of Early Muslim Conquest andf Rule.pdf
[2010/05/11 10:58:01 | 000,172,663 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\EBSCO The Kingdom of England and the Kingdom of Sicilly.pdf
[2010/05/11 10:06:47 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/11 09:55:04 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/05/10 17:44:55 | 000,039,158 | ---- | M] () -- C:\WINDOWS\Ascd_tmp.ini
[2010/05/10 17:36:07 | 000,065,164 | ---- | M] () -- C:\WINDOWS\Ascd_log.ini
[2010/05/10 17:28:44 | 000,000,537 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/10 17:28:44 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/05/10 17:19:33 | 000,000,977 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ SuperHybridEngine.lnk
[2010/05/10 17:04:04 | 000,001,746 | ---- | M] () -- C:\WINDOWS\Language_trs.ini
[2010/05/09 15:13:18 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/07 15:55:31 | 002,540,862 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\econ_9596_008.pdf
[2010/05/06 10:29:22 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Kgugev.bin
[2010/05/06 10:12:01 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\defogger_reenable
[2010/05/05 09:44:09 | 000,070,656 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\APUnitTwoSG.doc
[2010/05/05 09:35:14 | 000,061,440 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\Study_Questions.postclassical.doc
[2010/05/02 16:07:07 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Mpepujuzes.dat
[2010/04/30 10:36:01 | 000,046,149 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\AJ Paper -Draft 2.0.docx
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 10:53:27 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\All Users\Documents\~$ Paper -Draft 2.0.docx
[2010/04/27 15:36:56 | 000,241,344 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\Pressure of 1836 Retry.pdf
[2010/04/27 11:53:23 | 000,216,476 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\Lease_O348[1].pdf
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/26 09:57:15 | 000,013,312 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/23 12:03:33 | 000,254,276 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\lepler.pdf
[2010/04/23 10:05:17 | 000,025,799 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\trask1.pdf
[2010/04/22 14:03:53 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/04/22 14:03:39 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/04/22 10:51:00 | 000,324,441 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\3124469.pdf
[2010/04/21 09:59:21 | 000,035,026 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\AJ Paper -Draft 1.0.docx
[2010/04/20 17:11:01 | 000,332,800 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\Online Store Malwarebytes.mht
[2010/04/20 13:53:55 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Recycle Bin (2).lnk
[2010/04/20 13:38:18 | 000,000,362 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\fix.reg
[2010/04/20 12:51:09 | 000,016,200 | -HS- | M] () -- C:\Documents and Settings\Kevin Fredrich\Local Settings\Application Data\22k5paIc
[2010/04/20 12:51:09 | 000,016,200 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\22k5paIc
[2010/04/20 11:32:47 | 067,131,344 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\20100419-036-v5i32.exe
[2010/04/20 11:17:15 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/20 11:17:15 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/20 10:45:33 | 000,016,276 | -HS- | M] () -- C:\Documents and Settings\Kevin Fredrich\Local Settings\Application Data\3231008778
[2010/04/20 10:45:33 | 000,016,276 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3231008778
[2010/04/19 15:46:53 | 000,042,496 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\finalpaper.doc
[2010/04/15 11:52:10 | 000,060,664 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/15 09:14:18 | 000,068,686 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Labs.pdf
[2010/04/15 09:08:19 | 000,073,611 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Endocrinologists.pdf
[2010/04/15 08:35:05 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/12 09:07:42 | 000,049,664 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\KTF Resume.doc
[2010/04/08 13:30:29 | 000,009,859 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\AJ - BUS.docx
[2010/04/08 13:24:20 | 000,037,207 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Aj Paper - Draft1.docx
[2010/03/30 20:58:24 | 000,353,592 | ---- | M] (DivX, Inc.) -- C:\WINDOWS\System32\DivXControlPanelApplet.cpl
[2010/03/29 11:35:38 | 000,034,869 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\2 Outline - Legacy of the Andrew Jackson Presidency (Autosaved).docx
[2010/03/25 16:16:49 | 000,249,496 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/16 21:32:38 | 000,194,704 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\20101HIS132601f[1].pdf
[2010/03/16 21:32:21 | 000,180,178 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\20103HIS131601f[1].pdf
[2010/03/08 12:59:18 | 000,094,208 | ---- | M] (DivX, Inc.) -- C:\WINDOWS\System32\dpl100.dll
[2010/03/04 11:08:35 | 000,141,806 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\20106HIS170536f.pdf
[2010/02/24 12:41:39 | 000,010,815 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Whirlpool.htm
[2010/02/22 11:45:20 | 000,225,035 | ---- | M] () -- C:\Documents and Settings\Kevin Fredrich\My Documents\Career_Fair_Sucess_Tips_(Nov_24)[1].pdf
[2010/02/22 11:43:47 | 000,036,352 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Business_Card_Examples1_-_anywhere_anytown_version[1].doc
[2010/02/19 14:27:36 | 000,720,384 | ---- | M] (DivX, Inc.) -- C:\WINDOWS\System32\DivX.dll
[2010/02/19 14:27:16 | 000,856,064 | ---- | M] (DivX, Inc.) -- C:\WINDOWS\System32\divx_xx0c.dll
[2010/02/19 14:27:16 | 000,856,064 | ---- | M] (DivX, Inc.) -- C:\WINDOWS\System32\divx_xx07.dll
[2010/02/19 14:27:16 | 000,847,872 | ---- | M] (DivX, Inc.) -- C:\WINDOWS\System32\divx_xx0a.dll
[2010/02/19 14:27:16 | 000,843,776 | ---- | M] (DivX, Inc.) -- C:\WINDOWS\System32\divx_xx16.dll
[2010/02/19 14:27:16 | 000,839,680 | ---- | M] (DivX, Inc.) -- C:\WINDOWS\System32\divx_xx11.dll
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Documents\*.tmp files -> C:\Documents and Settings\All Users\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/14 15:49:08 | 000,485,896 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\HAMeb_check.exe
[2010/05/13 13:39:46 | 000,065,339 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\chamberlinMar07.pdf
[2010/05/13 12:01:06 | 003,545,045 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\The Problem of Survival for the Angevin.pdf
[2010/05/12 10:03:39 | 000,000,196 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/12 06:52:39 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\w3i00wy1.exe
[2010/05/11 11:31:46 | 002,487,491 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\EBSCO The Christian Experience and Interpretation of Early Muslim Conquest andf Rule.pdf
[2010/05/11 10:58:00 | 000,172,663 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\EBSCO The Kingdom of England and the Kingdom of Sicilly.pdf
[2010/05/10 17:28:43 | 000,000,947 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
[2010/05/10 17:28:43 | 000,000,727 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\Start Menu\Programs\Startup\PdaNet Desktop.lnk
[2010/05/10 17:28:43 | 000,000,637 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
[2010/05/10 17:06:39 | 000,065,164 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2010/05/10 17:04:04 | 000,001,746 | ---- | C] () -- C:\WINDOWS\Language_trs.ini
[2010/05/10 17:04:03 | 000,039,158 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2010/05/10 17:04:02 | 000,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2010/05/09 14:59:35 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/05/09 14:59:29 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/09 14:56:39 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/09 14:56:39 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/09 14:56:39 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/09 14:56:39 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/09 14:56:39 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/07 15:55:31 | 002,540,862 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\econ_9596_008.pdf
[2010/05/06 10:12:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\defogger_reenable
[2010/05/05 09:44:09 | 000,070,656 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\APUnitTwoSG.doc
[2010/05/05 09:35:14 | 000,061,440 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\Study_Questions.postclassical.doc
[2010/04/28 10:53:27 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\All Users\Documents\~$ Paper -Draft 2.0.docx
[2010/04/27 15:36:56 | 000,241,344 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\Pressure of 1836 Retry.pdf
[2010/04/27 11:53:23 | 000,216,476 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\Lease_O348[1].pdf
[2010/04/26 10:19:03 | 000,046,149 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\AJ Paper -Draft 2.0.docx
[2010/04/23 12:35:20 | 000,013,312 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/23 12:03:33 | 000,254,276 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\lepler.pdf
[2010/04/23 10:05:17 | 000,025,799 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\trask1.pdf
[2010/04/22 14:03:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/04/22 14:03:39 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/04/22 10:51:00 | 000,324,441 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\3124469.pdf
[2010/04/20 17:10:47 | 000,332,800 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\Online Store Malwarebytes.mht
[2010/04/20 13:53:55 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Recycle Bin (2).lnk
[2010/04/20 13:38:18 | 000,000,362 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\fix.reg
[2010/04/20 11:32:41 | 067,131,344 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\20100419-036-v5i32.exe
[2010/04/20 11:17:15 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/20 11:17:14 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/20 10:45:33 | 000,016,276 | -HS- | C] () -- C:\Documents and Settings\Kevin Fredrich\Local Settings\Application Data\3231008778
[2010/04/20 10:45:33 | 000,016,276 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3231008778
[2010/04/20 10:41:12 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Mpepujuzes.dat
[2010/04/20 10:41:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Kgugev.bin
[2010/04/20 10:39:35 | 000,016,200 | -HS- | C] () -- C:\Documents and Settings\Kevin Fredrich\Local Settings\Application Data\22k5paIc
[2010/04/20 10:39:35 | 000,016,200 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\22k5paIc
[2010/04/19 15:46:53 | 000,042,496 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\Desktop\finalpaper.doc
[2010/04/15 09:14:18 | 000,068,686 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Labs.pdf
[2010/04/15 09:08:18 | 000,073,611 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Endocrinologists.pdf
[2010/04/12 10:18:25 | 000,046,080 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\KTF Networking Brief.doc
[2010/04/12 09:07:42 | 000,049,664 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\KTF Resume.doc
[2010/04/11 12:43:45 | 000,035,026 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\AJ Paper -Draft 1.0.docx
[2010/04/08 13:30:29 | 000,009,859 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\AJ - BUS.docx
[2010/04/05 17:24:25 | 000,037,207 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Aj Paper - Draft1.docx
[2010/03/26 13:05:11 | 000,034,869 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\2 Outline - Legacy of the Andrew Jackson Presidency (Autosaved).docx
[2010/03/24 12:53:00 | 000,000,440 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{414BB76E-C0F8-46AE-AB55-F244DA686115}.job
[2010/03/16 21:32:38 | 000,194,704 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\20101HIS132601f[1].pdf
[2010/03/16 21:32:21 | 000,180,178 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\20103HIS131601f[1].pdf
[2010/03/04 11:08:35 | 000,141,806 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\20106HIS170536f.pdf
[2010/02/24 12:41:39 | 000,010,815 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Whirlpool.htm
[2010/02/22 11:45:20 | 000,225,035 | ---- | C] () -- C:\Documents and Settings\Kevin Fredrich\My Documents\Career_Fair_Sucess_Tips_(Nov_24)[1].pdf
[2010/02/22 11:43:46 | 000,036,352 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Business_Card_Examples1_-_anywhere_anytown_version[1].doc
[2009/11/10 14:40:19 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2009/11/10 14:33:06 | 000,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2009/05/08 05:46:10 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/05/07 21:35:29 | 000,232,872 | R--- | C] () -- C:\WINDOWS\System32\drivers\SRS_PremiumSound_i386.sys
[2009/05/07 20:24:26 | 000,021,864 | ---- | C] () -- C:\WINDOWS\AsAcpiSvrLang.ini
[2009/05/07 20:24:26 | 000,012,208 | ---- | C] () -- C:\WINDOWS\AsTrayLang.ini
[2009/05/07 09:11:37 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4906.dll
[2009/04/29 05:54:29 | 000,005,312 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/04/29 05:54:17 | 001,288,192 | ---- | C] () -- C:\WINDOWS\System32\quartz(2).dll
[2009/03/05 14:04:50 | 000,479,744 | ---- | C] () -- C:\WINDOWS\System32\PolicyLSP.dll
[2008/09/02 06:25:26 | 002,854,912 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2005/02/17 11:41:32 | 000,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 11:41:30 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 12:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2009/08/17 10:53:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2010/04/20 11:18:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avG
[2009/08/20 16:50:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2009/05/07 09:12:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wireless LAN Card
[2009/09/30 16:16:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
[2010/05/10 17:14:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kevin Fredrich\Application Data\Asus
[2009/11/02 12:55:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kevin Fredrich\Application Data\GetRightToGo
[2009/08/20 16:50:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kevin Fredrich\Application Data\NCH Swift Sound
[2009/07/20 08:27:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kevin Fredrich\Application Data\Template
[2009/05/08 09:10:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kevin Fredrich\Application Data\VoiceCommand
[2010/05/14 16:10:13 | 000,000,440 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{414BB76E-C0F8-46AE-AB55-F244DA686115}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/14 07:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 07:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 07:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 07:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp3.cab:atapi.sys
[2010/05/08 20:03:54 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2010/05/08 20:03:54 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2010/05/08 20:03:54 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 07:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 07:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 07:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 07:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2008/09/12 00:32:56 | 000,327,192 | ---- | M] (Intel Corporation) MD5=8EF427C54497C5F8A7A645990E4278C7 -- C:\Documents and Settings\All Users\Documents\Eee PC\Drivers\AHCI\IaStor.sys
[2008/09/12 00:32:56 | 000,327,192 | ---- | M] (Intel Corporation) MD5=8EF427C54497C5F8A7A645990E4278C7 -- C:\WINDOWS\I386\$OEM$\TEXTMODE\IASTOR.SYS
[2008/09/12 00:32:56 | 000,327,192 | ---- | M] (Intel Corporation) MD5=8EF427C54497C5F8A7A645990E4278C7 -- C:\WINDOWS\OemDir\iaStor.sys
[2010/05/06 10:27:19 | 000,327,192 | ---- | M] (Intel Corporation) MD5=8EF427C54497C5F8A7A645990E4278C7 -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 07:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 07:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 07:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[1 C:\WINDOWS\system32\drivers\*.tmp files -> C:\WINDOWS\system32\drivers\*.tmp -> ]

< %systemroot%\System32\config\*.sav >
[2009/04/28 23:00:15 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/04/28 23:00:15 | 001,064,960 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/04/28 23:00:15 | 000,909,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/05/08 20:03:54 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\atapi.sys
[2010/03/30 20:58:04 | 000,009,072 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\cdr4_xp.sys
[2010/03/30 20:58:04 | 000,009,200 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\cdralw2k.sys
[2010/05/06 10:27:19 | 000,327,192 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\iaStor.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/02/24 08:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2010/03/30 20:58:04 | 000,044,944 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\PxHelp20.sys
[1 C:\WINDOWS\system32\drivers\*.tmp files -> C:\WINDOWS\system32\drivers\*.tmp -> ]

< >

< >
< End of report >


OTL Extras logfile created on: 5/14/2010 3:53:25 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Kevin Fredrich\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 61.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 72.06 Gb Total Space | 53.83 Gb Free Space | 74.70% Space Free | Partition Type: NTFS
Drive D: | 72.05 Gb Total Space | 71.97 Gb Free Space | 99.89% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-GHRB1A270F
Current User Name: Kevin Fredrich
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe" = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe:*:Enabled:PdaNetPC -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{19F5658D-92E8-4A08-8657-D38ABB1574B2}" = Asus ACPI Driver
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Client Installation Program
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C52E7DA-C431-4239-B66B-1BF703D5B194}" = Windows Live Photo Gallery
"{3FB39BED-37C8-4E60-8E02-315B8C2B07E3}" = USB2.0 UVC Camera Device
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{47BACF74-5A07-48BD-BADB-A769550F0F5A}" = FontResizer
"{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}" = Junk Mail filter update
"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate for Eee PC
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.6
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6333FC29-BFE5-4024-AC78-958A1A7555D1}" = EeeSplendid
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{64C118AC-FA2A-4E9C-A76E-DC22CA4FC20D}" = Voice Command EN Trial Version
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76CD2979-09C0-493A-84B3-8FD97EF4BCEA}" = Windows Live Family Safety
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = WIDCOMM Bluetooth Software
"{88F08F98-12BC-4613-81A2-8F9B88CFC73E}" = Super Hybrid Engine
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}" = Azurewave Wireless LAN Card
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}" = Microsoft Search Enhancement Pack
"{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}" = Windows Live Sync
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
"{B9BDA46B-2E17-4F43-9D7A-9B1E09A0A4D8}" = Data Sync
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{C72CA49A-9237-4810-8449-45DA3BD26D64}" = EzMessenger
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D35A8247-0E94-4DE5-BC97-804B449A7122}" = Microsoft Office Live Meeting 2007
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FB686487-C637-4EEF-BCB1-C92463F2CC05}" = Atheros Ethernet Utility
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"ASUS VIBE" = ASUS VIBE
"DivX Setup.divx.com" = DivX Setup
"Eee Docking_is1" = Eee Docking 1.3.1.0
"Eee Storage" = Eee Storage
"EeePC1005HA" = EeePC1005HA Screen Saver
"ESET Online Scanner" = ESET Online Scanner v3
"HDMI" = Intel® Graphics Media Accelerator Driver
"HOMESTUDENTR" = Microsoft Office Home and Student 2007 Trial
"hp photosmart printer series" = hp photosmart printer series (Remove only)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{64C118AC-FA2A-4E9C-A76E-DC22CA4FC20D}" = Voice Command EN Trial Version
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"N360" = Norton 360
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Parental Control" = Parental Control
"PdaNet_is1" = PdaNet for Windows Mobile 2.0
"PokerStars" = PokerStars
"Privoxy" = Privoxy (remove only)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"WavePad" = WavePad Sound Editor
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/9/2009 11:16:17 PM | Computer Name = YOUR-GHRB1A270F | Source = Userenv | ID = 1515
Description = Windows has backed up this user's profile. Windows will automatically
try to use the backed up profile the next time this user logs on.

Error - 10/9/2009 11:16:18 PM | Computer Name = YOUR-GHRB1A270F | Source = Userenv | ID = 1511
Description = Windows cannot find the local profile and is logging you on with a
temporary profile. Changes you make to this profile will be lost when you log off.

Error - 11/2/2009 12:59:04 PM | Computer Name = YOUR-GHRB1A270F | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16827, faulting
module flash10c.ocx, version 10.0.32.18, fault address 0x00004955.

Error - 11/10/2009 3:47:47 PM | Computer Name = YOUR-GHRB1A270F | Source = Application Hang | ID = 1002
Description = Hanging application fxsclnt.exe, version 5.2.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/19/2009 7:52:59 PM | Computer Name = YOUR-GHRB1A270F | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/21/2009 3:21:23 PM | Computer Name = YOUR-GHRB1A270F | Source = Application Error | ID = 1000
Description = Faulting application asacpisvr.exe, version 6.1.1.1008, faulting module
asacpisvr.exe, version 6.1.1.1008, fault address 0x000075e5.

Error - 12/5/2009 8:09:31 PM | Computer Name = YOUR-GHRB1A270F | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/5/2009 8:14:04 PM | Computer Name = YOUR-GHRB1A270F | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/5/2009 8:14:05 PM | Computer Name = YOUR-GHRB1A270F | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/20/2010 3:34:09 PM | Computer Name = YOUR-GHRB1A270F | Source = .NET Runtime 2.0 Error Reporting | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16827, stamp 49a74cd5,
faulting module flash10d.ocx, version 10.0.42.34, stamp 4ae7baed, debug? 0, fault
address 0x000049a5.

[ System Events ]
Error - 5/12/2010 7:59:49 AM | Computer Name = YOUR-GHRB1A270F | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/12/2010 8:01:08 AM | Computer Name = YOUR-GHRB1A270F | Source = Service Control Manager | ID = 7001
Description = The fssfltr service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 5/12/2010 8:01:08 AM | Computer Name = YOUR-GHRB1A270F | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 5/12/2010 8:01:08 AM | Computer Name = YOUR-GHRB1A270F | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 5/12/2010 8:01:08 AM | Computer Name = YOUR-GHRB1A270F | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 5/12/2010 8:01:08 AM | Computer Name = YOUR-GHRB1A270F | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 5/12/2010 8:01:08 AM | Computer Name = YOUR-GHRB1A270F | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD BHDrvx86 ccHP eeCtrl Fips IDSxpx86 intelppm IPSec MRxSmb NetBIOS NetBT policyappblockservice
RasAcd
Rdbss
SRTSPX
SYMTDI
Tcpip

Error - 5/12/2010 8:53:23 AM | Computer Name = YOUR-GHRB1A270F | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 5/13/2010 12:43:25 PM | Computer Name = YOUR-GHRB1A270F | Source = System Error | ID = 1003
Description = Error code 10000050, parameter1 e75f5000, parameter2 00000000, parameter3
9f8e06b1, parameter4 00000001.

Error - 5/13/2010 12:46:30 PM | Computer Name = YOUR-GHRB1A270F | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume C:.


< End of report >


Thanks again for the help!

#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:58 AM

Posted 16 May 2010 - 03:14 PM

Good evening.

I'm struggling to positively identify anything that looks like it might be responsible for the issues you are having at the minute, so this is a bit of a fishing expedition I'm afraid.
You have a couple of entries in your log that point to files on your PC that I would like to have checked - if they are still present.

Please go to Jotti's and click on the Browse... button at the top and navigate to the following files in turn, and then click on Submit:

C:\WINDOWS\System32\PolicyLSP.dll
C:\Documents and Settings\Kevin Fredrich\Desktop\w3i00wy1.exe
C:\WINDOWS\System32\MRT.INI


When all the scans have been completed, please copy and paste the results into your next reply.

If this site is busy, try VirusTotal: Click the Browse ... button, navigate to the file and double click it and then click the Send button.

You may need to set Windows to show All Hidden Files and Folders - Instructions can be found here.
* These files are hidden to stop you accidentally removing something important. It is advisable to hide them again after you have done. *

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I would like you to rename the following two files:

c:\windows\Mpepujuzes.dat
c:\windows\Kgugev.bin


Right click them and change the file extensions from .dat and .bin to .old and OK any query Windows makes. Reboot the PC and check that the files have remained renamed.

I can't positively identify these files as malicious, so the above will disable them, assuming something isn't monitoring for this sort of action and reversing it, which is the reason for the reboot and check. If a legitimate piece of software suddenly starts misbehaving then you should change the file extensions back and reboot the PC again. This should put things back how they were.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    CODE
    :dir
    C:\Documents and Settings\All Users\Application Data\22k5paIc /s
    C:\Documents and Settings\Kevin Fredrich\Local Settings\Application Data\22k5paIc /s

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

So long, and thanks for all the fish.

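The rename-and-reboot check above can be made auditable with a small script: record each suspect file's size and hashes before renaming it to .old, then after the reboot confirm the .old copy is unchanged and nothing has reappeared under the original name. This is an added example written for this thread, not code from the post or from OTL or SystemLook; it uses the two file names from the post plus a constructed third one, exercised on files created in a temporary directory so it runs offline.

```python
"""Snapshot suspect files, rename them to .old, and verify after a reboot.

Added example for this thread (not from the post or from any tool it names).
Hashes taken on a live system are only as trustworthy as the disk reads that
produced them; a kernel-mode rootkit can filter those reads, which is why an
offline scan remains the stronger check.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def file_digests(path):
    """Size, MD5 and SHA1 of a file. MD5/SHA1 are the values Jotti's hash
    search and VirusTotal accept, so a file can be looked up without re-upload."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"size": os.path.getsize(path),
            "md5": md5.hexdigest(),
            "sha1": sha1.hexdigest()}


def rename_suspects(paths, state_file):
    """Rename each file to <name>.old (the post's .dat/.bin -> .old step),
    recording its digests first. The JSON state file is the baseline that
    verify_after_reboot() compares against."""
    state = {}
    for p in map(Path, paths):
        renamed = p.with_suffix(".old")
        digests = file_digests(p)
        p.rename(renamed)
        state[str(p)] = {"renamed": str(renamed), **digests}
    Path(state_file).write_text(json.dumps(state, indent=1))
    return state


def verify_after_reboot(state_file):
    """Return {original_path: verdict}. Any verdict other than 'ok' means
    something undid or tampered with the rename across the reboot."""
    state = json.loads(Path(state_file).read_text())
    verdicts = {}
    for original, rec in state.items():
        renamed = Path(rec["renamed"])
        if Path(original).exists():
            # recreated or renamed back: something is watching these files
            verdicts[original] = "original-reappeared"
        elif not renamed.exists():
            verdicts[original] = "old-copy-missing"
        elif file_digests(renamed)["sha1"] != rec["sha1"]:
            verdicts[original] = "old-copy-modified"
        else:
            verdicts[original] = "ok"
    return verdicts


def demo():
    """Constructed scenario in a temp dir: one file left alone (ok), one
    recreated under its original name, one whose .old copy was altered.
    Returns verdicts keyed by file name."""
    root = Path(tempfile.mkdtemp())
    a = root / "Mpepujuzes.dat"   # names from the post, contents constructed
    b = root / "Kgugev.bin"
    c = root / "Sample3.dat"      # constructed third file
    a.write_bytes(b"fake payload A")
    b.write_bytes(b"fake payload B")
    c.write_bytes(b"fake payload C")
    state_file = root / "rename-state.json"
    rename_suspects([a, b, c], state_file)
    # simulate what would happen across the reboot
    b.write_bytes(b"fake payload B")            # original name comes back
    (root / "Sample3.old").write_bytes(b"tampered")  # .old copy altered
    verdicts = verify_after_reboot(state_file)
    return {Path(k).name: v for k, v in verdicts.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

On the real machine you would call rename_suspects() with the two paths from the post before rebooting and verify_after_reboot() with the same state file afterwards; the demo only shows the three possible outcomes on throwaway files.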
#15 kf6700

kf6700
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:58 PM

Posted 16 May 2010 - 04:43 PM

Ran scans per your request. Also renamed c:\windows\Mpepujuzes.dat and c:\windows\Kgugev.bin to .old; both files remained renamed through a reboot. C:\Documents and Settings\Kevin Fredrich\Desktop\w3i00wy1.exe was the GMER scanner from the last scan, ran Jotti's on it anyway - filename: l4pw4rov.exe. Logs follow:

Jotti's malware scan
Filename: policylsp.dll
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Fri 16 Oct 2009 15:38:22 (CET) Permalink

--------------------------------------------------------------------------------
Additional info
File size: 479744 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: a39917b6aec94a4f4316a90e14a274dd
SHA1: e5927bbf521d229e5e9c91be1b17917b14ef2584

Scanners
2009-10-16 Found nothing 2009-10-16 Found nothing
2009-10-14 Found nothing 2009-10-16 Found nothing
2009-10-16 Found nothing 2009-10-16 Found nothing
2009-10-16 Found nothing 2009-10-16 Found nothing
2009-10-16 Found nothing 2009-10-15 Found nothing
2009-10-16 Found nothing 2009-10-16 Found nothing
2009-10-16 Found nothing 2009-10-16 Found nothing
2009-10-16 Found nothing 2009-10-15 Found nothing
2009-10-15 Found nothing 2009-10-15 Found nothing
2009-10-16 Found nothing
--------------------------------------------------------------------------------
Jotti's malware scan
Filename: l4pw4rov.exe
Status: Scan finished. 1 out of 19 scanners reported malware.
Scan taken on: Sun 16 May 2010 06:21:50 (CET) Permalink
--------------------------------------------------------------------------------
Additional info
File size: 293376 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: f80f6e09e7f4bafe478ca0da6137e1e2
SHA1: 719082766cf4f60c8bdaa2b2c9f6967ecbcf8722
Packer (Drweb): UPX
Packer (Kaspersky): PE_Patch.UPX, UPX
Scanners
2010-05-15 Found nothing 2010-05-16 Found nothing
2010-05-15 Found nothing 2010-05-15 Found nothing
2010-05-14 Found nothing 2010-05-16 Found nothing
2010-05-14 Found nothing 2010-05-15 Found nothing
2010-05-16 Found nothing 2010-05-15 Found nothing
2010-05-16 Found nothing 2010-05-15 Found nothing
2010-05-16 Found nothing 2010-05-16 Found nothing
2010-05-16 Found nothing 2010-05-13 Win32 Shadow Driver Install
2010-05-15 Found nothing 2010-05-15 Found nothing
2010-05-15 Found nothing
--------------------------------------------------------------------------------
Jotti's malware scan
Filename: MRT.INI
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Sun 16 May 2010 22:42:37 (CET) Permalink
--------------------------------------------------------------------------------
Additional info
File size: 196 bytes
Filetype: ASCII text, with CRLF line terminators
MD5: 546f01d362b0c8d81bf51a842e3797fd
SHA1: eed0d7d5893f4a8327fcb33142c694562dad1f99
Scanners
2010-05-16 Found nothing 2010-05-16 Found nothing
2010-05-16 Found nothing 2010-05-16 Found nothing
2010-05-14 Found nothing 2010-05-16 Found nothing
2010-05-16 Found nothing 2010-05-16 Found nothing
2010-05-16 Found nothing 2010-05-16 Found nothing
2010-05-16 Found nothing 2010-05-15 Found nothing
2010-05-16 Found nothing 2010-05-16 Found nothing
2010-05-16 Found nothing 2010-05-13 Found nothing
2010-05-16 Found nothing 2010-05-16 Found nothing
2010-05-16 Found nothing
--------------------------------------------------------------------------------
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 16:02 on 16/05/2010 by Kevin Fredrich (Administrator - Elevation successful)

========== dir ==========

C:\Documents and Settings\All Users\Application Data\22k5paIc - Unable to find folder.

C:\Documents and Settings\Kevin Fredrich\Local Settings\Application Data\22k5paIc - Unable to find folder.

-=End Of File=-


What's next?
