
W32.Alureon


  • This topic is locked
23 replies to this topic

#1 geoff798

geoff798

  • Members
  • 12 posts

Posted 10 May 2010 - 04:37 PM

Dear All,

I find it amazing that a community exists purely to support those of us with average computer skills to overcome specific, pretty technical problems. I'm a Windows user from the early days, but have found myself drifting at work as we install and operate Linux servers. Ubuntu server, PuTTY and Clam AV are simply awesome.
My specific problem relates to the W32.Alureon trojan. I ditched Comodo firewall because it was slowing my PC down and tried ClamAV for Windows instead. On two separate PCs, I have received a warning that they contain 24-34 instances of W32.Alureon. I followed a short thread on your site, but the member didn't reply and you closed the thread; I did, however, use the recommended software to extract some info as .txt files, included below or attached. Neither are big at all.

Best regards,

Geoff


DDS (Ver_10-03-17.01) - NTFSx86
Run by Geoff at 9:15:11.98 on Tue 11/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.64.1033.18.959.461 [GMT 12:00]

AV: ClamAV for Windows *On-access scanning enabled* (Updated) {F1220F1F-7E2E-48CD-846D-B98C6F85CD37}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\IUCLID5\postgres\bin\pg_ctl.exe
C:\Program Files\IUCLID5\postgres\bin\postgres.exe
C:\Program Files\ClamAV for Windows\1.0.26\agent.exe
C:\Program Files\IUCLID5\postgres\bin\postgres.exe
C:\Program Files\IUCLID5\postgres\bin\postgres.exe
C:\Program Files\IUCLID5\postgres\bin\postgres.exe
C:\Program Files\IUCLID5\postgres\bin\postgres.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Plone 3\Python\PythonService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plone 3\Python\python.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Geoff\My Documents\My EBooks\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: IsoBuster Toolbar: {266fcdca-7bb3-4da7-b3bf-f845dea2ebd6} - c:\program files\isobuster\tbIsoB.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
TB: IsoBuster Toolbar: {266fcdca-7bb3-4da7-b3bf-f845dea2ebd6} - c:\program files\isobuster\tbIsoB.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Immunet Protect] "c:\program files\clamav for windows\1.0.26\iptray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1271734138187
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271734127843
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
AppInit_DLLs:
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli scecli

============= SERVICES / DRIVERS ===============

R1 ImmunetMonitorDriver;ImmunetMonitorDriver;c:\windows\system32\drivers\ImmunetMonitor.sys [2010-5-11 20040]
R1 ImmunetProtectDriver;ImmunetProtectDriver;c:\windows\system32\drivers\ImmunetProtect.sys [2010-5-11 38856]
R1 ImmunetSelfProtectDriver;ImmunetSelfProtectDriver;c:\windows\system32\drivers\ImmunetSelfProtect.sys [2010-5-11 29640]
R2 i5postgres_port_5433;i5postgres_port_5433;C:/Program Files/IUCLID5/postgres/bin/pg_ctl.exe runservice -N "i5postgres_port_5433" -D "C:/Program Files/IUCLID5/postgres/data" --> C:/Program Files/IUCLID5/postgres/bin/pg_ctl.exe runservice -N i5postgres_port_5433 [?]
R2 ImmunetProtect;ClamAV for Windows;c:\program files\clamav for windows\1.0.26\agent.exe [2010-5-11 717552]
R2 Zope_1313807186;Zope instance at c:\program files\plone 3\data;c:\program files\plone 3\python\pythonservice.exe [2008-7-27 10240]
R4 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2010-5-11 186128]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-4-6 9728]
S4 Apache2.2;Apache2.2;"c:\xampplite\apache\bin\apache.exe" -k runservice --> c:\xampplite\apache\bin\apache.exe [?]
S4 XAMPP;XAMPP Service;e:\wordpress\xampplite\service.exe --> e:\wordpress\xampplite\service.exe [?]

=============== Created Last 30 ================

2010-05-10 20:37:56 25120 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-05-10 20:37:56 216864 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-10 20:37:56 1868 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-10 20:37:56 1292 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-05-10 20:37:45 0 ----a-w- C:\rollback.ini
2010-05-10 20:23:30 0 d-----w- c:\program files\common files\ParetoLogic
2010-05-10 20:23:30 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-05-10 20:02:17 29640 ----a-w- c:\windows\system32\drivers\ImmunetSelfProtect.sys
2010-05-10 20:02:16 20040 ----a-w- c:\windows\system32\drivers\ImmunetMonitor.sys
2010-05-10 20:02:13 38856 ----a-w- c:\windows\system32\drivers\ImmunetProtect.sys
2010-05-10 20:02:10 0 d-----w- c:\program files\ClamAV for Windows
2010-05-06 00:53:35 130 ----a-w- c:\windows\cfplogvw.INI
2010-05-04 22:06:47 0 d-----w- c:\program files\Firebird
2010-04-21 23:03:47 0 d-----w- c:\program files\Plone 3
2010-04-20 21:03:22 3252 ----a-w- c:\windows\system32\wbem\Outlook_01cae0cce8e9bae4.mof
2010-04-20 03:29:15 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-04-20 03:29:15 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-04-20 03:29:15 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-04-20 03:29:14 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-04-20 03:29:13 15064 ----a-w- c:\windows\system32\wuapi.dll.mui

==================== Find3M ====================

2010-05-10 19:58:54 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-03-26 04:09:18 106131 ----a-w- c:\windows\fonts\AdobeFnt09.lst
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-11 15:37:01 781410 ----a-w- c:\windows\system32\libjack.dll
2010-02-11 15:36:29 1027893 ----a-w- c:\windows\system32\libjackserver.dll
2010-01-22 03:11:26 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2010-01-22 03:11:26 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010012220100123\index.dat

============= FINISH: 9:16:20.76 ===============
Attached File  Attach.zip   2.6KB   15 downloads

Edit: Moved topic from XP to the more appropriate forum. ~ Animal


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 12 May 2010 - 03:00 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

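An added example, not part of the thread and not OTL's own code: a Python parser for the SRV/DRV lines of the OTL report this post asks for, with the first-pass triage checks a helper applies to it (orphaned entries, drivers with no company name, disk-stack drivers covered by the /md5start list). The sample lines are copied from the OTL output geoff798 posts below, plus one constructed atapi.sys line; the triage rules are this example's own, not OTL's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One OTL "SRV -" or "DRV -" line takes one of two shapes (both occur in the report):
#   SRV - [date time | size | attrs | M] (Vendor) [Start | State] -- image path -- (Name)
#   SRV - File not found [Start | State] -- -- (Name)
# DRV lines carry a three-part state instead: [Kernel | Boot | Running].
OTL_LINE = re.compile(
    r"^(?P<kind>DRV|SRV) - "
    r"(?:(?P<missing>File not found)|"
    r"\[(?P<stamp>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attrs>[^|]+?)\s*\|\s*(?P<flag>\w)\]"
    r" \((?P<vendor>[^)]*)\))"
    r" \[(?P<state>[^\]]+)\]"
    r" -- (?P<path>.*?)\s*-- \((?P<name>[^)]+)\)"
)

# Disk-stack drivers from the /md5start ... /md5stop block of the custom scan above: these are
# the files whose hashes the helper asked for, so a hit means "compare the MD5 OTL prints".
DISK_DRIVERS = {
    "iastor.sys", "nvstor.sys", "atapi.sys", "idechndr.sys", "viasraid.sys", "agp440.sys",
    "vaxscsi.sys", "nvatabus.sys", "viamraid.sys", "nvata.sys", "nvgts.sys", "iastorv.sys",
    "viprt.sys", "ahcix86.sys", "kr10n.sys", "nvstor32.sys", "ahcix86s.sys", "nvrd32.sys",
    "symmpi.sys", "adp3132.sys", "mv61xx.sys", "nvraid.sys",
}


@dataclass
class OtlEntry:
    kind: str              # "DRV" or "SRV"
    name: str              # registry key name, e.g. "sptd"
    path: str              # image path; "" when OTL reports "File not found"
    vendor: Optional[str]  # company name from version info; "" if absent, None if file missing
    start: str             # Boot, System, Auto, On_Demand, Disabled
    running: bool
    size: Optional[int]    # bytes; None when the file is missing


def parse_otl(text: str) -> List[OtlEntry]:
    """Extract service and driver entries; section headers and other OTL sections are skipped."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if not m:
            continue
        state = [p.strip() for p in m.group("state").split("|")]
        size = int(m.group("size").replace(",", "")) if m.group("size") else None
        entries.append(OtlEntry(
            kind=m.group("kind"), name=m.group("name"), path=m.group("path"),
            vendor=None if m.group("missing") else m.group("vendor"),
            start=state[-2], running=state[-1] == "Running", size=size,
        ))
    return entries


def triage(entries: List[OtlEntry]) -> Dict[str, List[str]]:
    """Map entry name -> reasons it deserves a closer look. A hit is a lead, not a verdict:
    sptd.sys, for instance, is the SCSI pass-through driver shipped by disc-emulation software."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if e.vendor is None:
            reasons.append("registered service whose image file is missing (orphaned entry)")
        elif e.vendor == "":
            early = "early-start " if e.start in ("Boot", "System") else ""
            reasons.append(f"{early}{e.kind} with no company name in its version info")
        if e.kind == "DRV" and e.path.lower().rsplit("\\", 1)[-1] in DISK_DRIVERS:
            reasons.append("disk-stack driver from the /md5start list; compare its MD5 with a known-good copy")
        if reasons:
            findings[e.name] = reasons
    return findings


# Sample input: lines copied from the OTL report posted later in this thread, plus one
# constructed atapi.sys line (its date and size are illustrative, not from the thread).
SAMPLE_LOG = r"""
========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (XAMPP)
SRV - [2010/05/11 08:02:10 | 000,717,552 | ---- | M] (Immunet Corporation) [Auto | Running] -- C:\Program Files\ClamAV for Windows\1.0.26\agent.exe -- (ImmunetProtect)

========== Driver Services (SafeList) ==========

DRV - [2010/01/12 14:50:45 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/09/11 14:56:08 | 000,009,728 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\massfilter.sys -- (massfilter)
DRV - [2008/09/24 10:40:22 | 004,122,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2008/04/14 12:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\atapi.sys -- (atapi)
DRV - [1997/04/22 09:16:00 | 000,006,272 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ASLM75.SYS -- (aslm75)
"""

if __name__ == "__main__":
    for name, reasons in triage(parse_otl(SAMPLE_LOG)).items():
        print(f"{name}:")
        for reason in reasons:
            print(f"  - {reason}")
```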


#3 geoff798

geoff798
  • Topic Starter

  • Members
  • 12 posts

Posted 12 May 2010 - 07:28 PM

W32.Alureon Trojan

Dear Myrti,

Thanks for the guidance. I have not undertaken any repair to the computer. The problem only became visible on installation of ClamAV. We have another PC here which has the exact same error of W32.Alureon on installation of ClamAV. I've followed your instructions and copied and pasted the contents of those two reports below:

OTL logfile created on: 13/05/2010 11:58:08 a.m. - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Geoff\Desktop
Windows XP Home Edition Service Pack 3, v.3264 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001409 | Country: New Zealand | Language: ENZ | Date Format: d/MM/yyyy

959.00 Mb Total Physical Memory | 373.00 Mb Available Physical Memory | 39.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1485 1485 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 32.05 Gb Free Space | 43.01% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TECHOFFICE-3
Current User Name: Geoff
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/13 11:56:23 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Geoff\Desktop\OTL.exe
PRC - [2010/05/11 08:02:10 | 001,338,184 | ---- | M] (Sourcefire, Inc.) -- C:\Program Files\ClamAV for Windows\1.0.26\iptray.exe
PRC - [2010/05/11 08:02:10 | 000,717,552 | ---- | M] (Immunet Corporation) -- C:\Program Files\ClamAV for Windows\1.0.26\agent.exe
PRC - [2010/03/08 10:45:22 | 000,454,656 | ---- | M] (Simon Tatham) -- C:\Documents and Settings\Geoff\My Documents\Server stuff\putty.exe
PRC - [2009/08/05 10:37:58 | 012,313,432 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
PRC - [2009/06/22 21:23:38 | 000,196,424 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PRC - [2009/03/13 06:31:14 | 003,678,208 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files\IUCLID5\postgres\bin\postgres.exe
PRC - [2009/03/13 06:31:12 | 000,065,536 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files\IUCLID5\postgres\bin\pg_ctl.exe
PRC - [2008/07/27 21:21:38 | 000,010,240 | ---- | M] () -- C:\Program Files\Plone 3\Python\pythonservice.exe
PRC - [2007/11/30 23:26:26 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/10/18 09:35:10 | 000,004,608 | ---- | M] () -- C:\Program Files\Plone 3\Python\python.exe


========== Modules (SafeList) ==========

MOD - [2010/05/13 11:56:23 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Geoff\Desktop\OTL.exe
MOD - [2007/11/30 23:27:12 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.3264_x-ww_d751ffbf\comctl32.dll
MOD - [2007/11/30 23:23:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (XAMPP)
SRV - File not found [Disabled | Stopped] -- -- (Apache2.2)
SRV - [2010/05/11 08:02:10 | 000,717,552 | ---- | M] (Immunet Corporation) [Auto | Running] -- C:\Program Files\ClamAV for Windows\1.0.26\agent.exe -- (ImmunetProtect)
SRV - [2009/10/27 08:26:36 | 000,657,408 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009/03/13 06:31:12 | 000,065,536 | ---- | M] (PostgreSQL Global Development Group) [Auto | Running] -- C:\Program Files\IUCLID5\postgres\bin\pg_ctl.exe -- (i5postgres_port_5433)
SRV - [2008/07/27 21:21:38 | 000,010,240 | ---- | M] () [Auto | Running] -- C:\Program Files\Plone 3\Python\PythonService.exe -- (Zope_1313807186)


========== Driver Services (SafeList) ==========

DRV - [2010/05/11 08:02:11 | 000,038,856 | ---- | M] (Windows ® Codename Longhorn DDK provider) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ImmunetProtect.sys -- (ImmunetProtectDriver)
DRV - [2010/05/11 08:02:11 | 000,029,640 | ---- | M] (Windows ® Codename Longhorn DDK provider) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ImmunetSelfProtect.sys -- (ImmunetSelfProtectDriver)
DRV - [2010/05/11 08:02:11 | 000,020,040 | ---- | M] (Windows ® Codename Longhorn DDK provider) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ImmunetMonitor.sys -- (ImmunetMonitorDriver)
DRV - [2010/01/12 14:50:45 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/09/11 14:56:38 | 000,105,088 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
DRV - [2009/09/11 14:56:34 | 000,105,088 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
DRV - [2009/09/11 14:56:18 | 000,105,088 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
DRV - [2009/09/11 14:56:08 | 000,009,728 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\massfilter.sys -- (massfilter)
DRV - [2008/09/24 10:40:22 | 004,122,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2008/08/26 08:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2008/06/27 15:19:22 | 000,019,072 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2008/06/27 14:57:48 | 000,323,584 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2007/11/30 16:32:34 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)
DRV - [2007/11/30 16:30:58 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/02/24 15:08:52 | 000,400,384 | ---- | M] (Sensaura) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/07/31 18:18:50 | 000,046,976 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139)
DRV - [2003/03/25 21:50:46 | 000,004,096 | R--- | M] (Silicon Integrated Systems Corp.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\siside.sys -- (SiSide)
DRV - [2002/10/17 19:14:46 | 000,049,024 | R--- | M] (Windows ® 2000 DDK provider) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\sisidex.sys -- (sisidex)
DRV - [2002/08/20 21:19:08 | 000,009,472 | R--- | M] (Silicon Integrated Systems Corp.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sisperf.sys -- (sisperf)
DRV - [2001/03/31 02:58:36 | 000,045,568 | R--- | M] (Silicon Integrated Systems) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SiSRaid.sys -- (SiSRaid)
DRV - [1997/04/22 09:16:00 | 000,006,272 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ASLM75.SYS -- (aslm75)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1343024091-1580436667-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1343024091-1580436667-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1343024091-1580436667-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1343024091-1580436667-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1343024091-1580436667-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1343024091-1580436667-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



O1 HOSTS File: ([2004/08/05 00:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (IsoBuster Toolbar) - {266fcdca-7bb3-4da7-b3bf-f845dea2ebd6} - C:\Program Files\IsoBuster\tbIsoB.dll (Conduit Ltd.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1343024091-1580436667-682003330-1004\..\Toolbar\WebBrowser: (IsoBuster Toolbar) - {266FCDCA-7BB3-4DA7-B3BF-F845DEA2EBD6} - C:\Program Files\IsoBuster\tbIsoB.dll (Conduit Ltd.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Immunet Protect] C:\Program Files\ClamAV for Windows\1.0.26\iptray.exe (Sourcefire, Inc.)
O4 - HKLM..\Run: [SiSPower] C:\WINDOWS\System32\SiSPower.dll (Silicon Integrated Systems Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00 [binary data]
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00 [binary data]
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1343024091-1580436667-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1343024091-1580436667-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1343024091-1580436667-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1343024091-1580436667-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdat...b?1271734138187 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1271734127843 (MUWebControl Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Geoff\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Geoff\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/10 14:34:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{76b3adb0-224c-11df-9f49-0013d425ff9d}\Shell\AutoRun\command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{76b3adb0-224c-11df-9f49-0013d425ff9d}\Shell\Shell00\Command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{76b3adb0-224c-11df-9f49-0013d425ff9d}\Shell\Shell01\Command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{76b3adb0-224c-11df-9f49-0013d425ff9d}\Shell\Shell02\Command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{7a90d900-2d45-11de-9e13-0013d425ff9d}\Shell - "" = AutoRun
O33 - MountPoints2\{7a90d900-2d45-11de-9e13-0013d425ff9d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7a90d900-2d45-11de-9e13-0013d425ff9d}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O33 - MountPoints2\{b6686c37-4b2d-11df-9f78-0013d425ff9d}\Shell - "" = AutoRun
O33 - MountPoints2\{b6686c37-4b2d-11df-9f78-0013d425ff9d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b6686c37-4b2d-11df-9f78-0013d425ff9d}\Shell\AutoRun\command - "" = F:\AutoRun.exe -- File not found
O33 - MountPoints2\{c033c3f4-50a8-11df-9f86-0013d425ff9d}\Shell\AutoRun\command - "" = Menu.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

MsConfig - Services: "wuauserv"
MsConfig - Services: "wscsvc"
MsConfig - Services: "XAMPP"
MsConfig - Services: "Apache2.2"
MsConfig - Services: "W32Time"
MsConfig - Services: "gusvc"
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk - C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE - File not found
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk - C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE - File not found
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE - (WinZip Computing LP)
MsConfig - StartUpFolder: C:^Documents and Settings^Geoff^Start Menu^Programs^Startup^Dropbox.lnk - C:\Documents and Settings\Geoff\Application Data\Dropbox\bin\Dropbox.exe - ()
MsConfig - StartUpReg: Advanced SystemCare 3 - hkey= - key= - C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
MsConfig - StartUpReg: autodetect - hkey= - key= - File not found
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: NeroFilterCheck - hkey= - key= - C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
MsConfig - StartUpReg: SmartDefrag - hkey= - key= - C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe (IObit)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9322BD74-10D8-BCD8-88DD-0547EF28924B} - Browser Customizations
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E8AA1228-C1CE-D285-6FB1-35C724E58AF4} - Browser Customizations
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {F7A35811-931E-4A64-2BCE-61ABE072E9E8} - NetShow
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\INF\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.XVID - C:\WINDOWS\System32\xvidvfw.dll ()

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2010/05/13 07:48:39 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/05/13 11:56:16 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Geoff\Desktop\OTL.exe
[2010/05/13 09:12:54 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Geoff\Recent
[2010/05/11 10:30:00 | 000,274,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll
[2010/05/11 10:30:00 | 000,016,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui
[2010/05/11 09:17:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geoff\My Documents\virus
[2010/05/11 08:23:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ParetoLogic
[2010/05/11 08:23:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2010/05/11 08:22:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geoff\Local Settings\Application Data\Downloaded Installations
[2010/05/11 08:02:17 | 000,029,640 | ---- | C] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\drivers\ImmunetSelfProtect.sys
[2010/05/11 08:02:16 | 000,020,040 | ---- | C] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\drivers\ImmunetMonitor.sys
[2010/05/11 08:02:13 | 000,038,856 | ---- | C] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\drivers\ImmunetProtect.sys
[2010/05/11 08:02:10 | 000,000,000 | ---D | C] -- C:\Program Files\ClamAV for Windows
[2010/05/06 10:13:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geoff\My Documents\opera server
[2010/05/05 10:06:47 | 000,000,000 | ---D | C] -- C:\Program Files\Firebird
[2010/05/05 08:40:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geoff\My Documents\Server stuff
[2010/04/26 11:45:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Consortium folder
[2010/04/22 11:03:47 | 000,000,000 | ---D | C] -- C:\Program Files\Plone 3
[2010/04/20 15:29:15 | 000,044,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wups2.dll
[2010/04/20 15:29:15 | 000,021,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wucltui.dll.mui
[2010/04/20 15:29:15 | 000,017,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuaueng.dll.mui
[2010/04/20 15:29:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution
[2010/04/20 15:29:14 | 000,015,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuaucpl.cpl.mui
[2010/04/20 15:29:13 | 000,015,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/13 11:56:23 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Geoff\Desktop\OTL.exe
[2010/05/13 10:24:34 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{84324C1C-EB03-415B-BDD6-41ACF51A6E10}.job
[2010/05/13 07:48:19 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/13 07:48:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/12 16:35:51 | 007,077,888 | -H-- | M] () -- C:\Documents and Settings\Geoff\NTUSER.DAT
[2010/05/12 16:35:47 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Geoff\ntuser.ini
[2010/05/12 16:35:33 | 012,155,008 | -H-- | M] () -- C:\Documents and Settings\Geoff\Local Settings\Application Data\IconCache.db
[2010/05/12 14:07:46 | 000,003,429 | ---- | M] () -- C:\WINDOWS\Ascd_tmp.ini
[2010/05/12 13:15:52 | 733,419,520 | ---- | M] () -- C:\Documents and Settings\Geoff\My Documents\ubuntu-10.04-desktop-i386.iso
[2010/05/11 11:55:37 | 000,539,560 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/11 11:55:37 | 000,456,804 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/11 11:55:37 | 000,075,458 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/11 11:01:36 | 000,001,005 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/11 10:47:31 | 000,281,376 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/05/11 10:47:22 | 000,027,936 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/05/11 10:33:04 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/11 09:07:36 | 000,001,292 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/05/11 09:07:35 | 000,001,868 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/05/11 08:41:14 | 000,000,442 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job
[2010/05/11 08:37:45 | 000,000,000 | ---- | M] () -- C:\rollback.ini
[2010/05/11 08:02:11 | 000,038,856 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\drivers\ImmunetProtect.sys
[2010/05/11 08:02:11 | 000,029,640 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\drivers\ImmunetSelfProtect.sys
[2010/05/11 08:02:11 | 000,020,040 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\drivers\ImmunetMonitor.sys
[2010/05/11 07:58:54 | 001,474,832 | ---- | M] () -- C:\WINDOWS\System32\drivers\sfi.dat
[2010/05/10 17:03:46 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\Geoff\Local Settings\Application Data\PUTTY.RND
[2010/05/10 09:39:08 | 000,158,275 | ---- | M] () -- C:\Documents and Settings\Geoff\My Documents\milestone sept.pdf
[2010/05/06 12:53:35 | 000,000,130 | ---- | M] () -- C:\WINDOWS\cfplogvw.INI
[2010/05/05 16:31:58 | 001,873,167 | ---- | M] () -- C:\Documents and Settings\Geoff\My Documents\Milestone report April 2010 draft 5-5-10.pdf
[2010/05/05 14:15:17 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\Geoff\My Documents\LASRA test is a combination of two tests.doc
[2010/04/30 16:09:33 | 000,127,560 | ---- | M] () -- C:\Documents and Settings\Geoff\My Documents\Looseness1eh.pdf
[2010/04/30 08:16:57 | 000,182,934 | ---- | M] () -- C:\Documents and Settings\Geoff\My Documents\Step-by-step Installation Guide for Ubuntu - MoodleDocs.mht
[2010/04/23 15:00:18 | 000,272,660 | ---- | M] () -- C:\Documents and Settings\Geoff\My Documents\Build your own email server with Postfix TuxRadar Linux.mht
[2010/04/23 08:58:42 | 000,547,125 | ---- | M] () -- C:\Documents and Settings\Geoff\My Documents\Advanced Year 2 2010 - Unit 10.pdf
[2010/04/23 08:54:59 | 000,075,253 | ---- | M] () -- C:\Documents and Settings\Geoff\My Documents\cromogenia stuff.pdf
[2010/04/20 14:08:50 | 000,016,384 | ---- | M] () -- C:\Documents and Settings\Geoff\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/20 14:08:10 | 000,000,615 | ---- | M] () -- C:\Documents and Settings\Geoff\Desktop\Geoffs on reception.lnk
[2010/04/20 09:10:39 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
[2010/04/16 14:57:52 | 000,030,720 | ---- | M] () -- C:\Documents and Settings\Geoff\My Documents\nz branding.doc
[2010/04/16 11:37:02 | 000,153,668 | ---- | M] () -- C:\Documents and Settings\Geoff\My Documents\moo_dle_rOW.pdf
[2010/04/16 11:28:20 | 000,839,022 | ---- | M] () -- C:\Documents and Settings\Geoff\My Documents\A New Approach to Aqueous Degreasing.pdf
[2010/04/15 13:06:50 | 000,001,008 | ---- | M] () -- C:\Documents and Settings\Geoff\Desktop\Dropbox.lnk
[2010/04/14 09:21:54 | 000,000,519 | ---- | M] () -- C:\Documents and Settings\Geoff\Desktop\Recipes.lnk
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/12 13:14:30 | 733,419,520 | ---- | C] () -- C:\Documents and Settings\Geoff\My Documents\ubuntu-10.04-desktop-i386.iso
[2010/05/11 08:41:11 | 000,000,442 | ---- | C] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job
[2010/05/11 08:37:56 | 000,281,376 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/05/11 08:37:56 | 000,027,936 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/05/11 08:37:56 | 000,001,868 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/05/11 08:37:56 | 000,001,292 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/05/11 08:37:45 | 000,000,000 | ---- | C] () -- C:\rollback.ini
[2010/05/10 09:39:08 | 000,158,275 | ---- | C] () -- C:\Documents and Settings\Geoff\My Documents\milestone sept.pdf
[2010/05/06 14:48:42 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Geoff\Local Settings\Application Data\PUTTY.RND
[2010/05/06 12:53:35 | 000,000,130 | ---- | C] () -- C:\WINDOWS\cfplogvw.INI
[2010/05/05 16:31:48 | 001,873,167 | ---- | C] () -- C:\Documents and Settings\Geoff\My Documents\Milestone report April 2010 draft 5-5-10.pdf
[2010/05/05 14:15:17 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\Geoff\My Documents\LASRA test is a combination of two tests.doc
[2010/04/30 16:09:29 | 000,127,560 | ---- | C] () -- C:\Documents and Settings\Geoff\My Documents\Looseness1eh.pdf
[2010/04/30 08:16:53 | 000,182,934 | ---- | C] () -- C:\Documents and Settings\Geoff\My Documents\Step-by-step Installation Guide for Ubuntu - MoodleDocs.mht
[2010/04/23 15:00:10 | 000,272,660 | ---- | C] () -- C:\Documents and Settings\Geoff\My Documents\Build your own email server with Postfix TuxRadar Linux.mht
[2010/04/23 08:58:37 | 000,547,125 | ---- | C] () -- C:\Documents and Settings\Geoff\My Documents\Advanced Year 2 2010 - Unit 10.pdf
[2010/04/23 08:54:51 | 000,075,253 | ---- | C] () -- C:\Documents and Settings\Geoff\My Documents\cromogenia stuff.pdf
[2010/04/20 14:08:51 | 000,000,615 | ---- | C] () -- C:\Documents and Settings\Geoff\Desktop\Geoffs on reception.lnk
[2010/04/16 14:57:52 | 000,030,720 | ---- | C] () -- C:\Documents and Settings\Geoff\My Documents\nz branding.doc
[2010/04/16 11:36:52 | 000,153,668 | ---- | C] () -- C:\Documents and Settings\Geoff\My Documents\moo_dle_rOW.pdf
[2010/04/16 11:28:14 | 000,839,022 | ---- | C] () -- C:\Documents and Settings\Geoff\My Documents\A New Approach to Aqueous Degreasing.pdf
[2010/04/14 14:23:18 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
[2010/04/14 09:21:54 | 000,000,519 | ---- | C] () -- C:\Documents and Settings\Geoff\Desktop\Recipes.lnk
[2010/04/07 10:43:08 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2010/01/22 15:06:39 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2010/01/12 14:50:44 | 000,691,696 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/12/17 10:02:18 | 000,000,049 | ---- | C] () -- C:\WINDOWS\SW_Win2000X24.DLL
[2009/12/17 10:02:14 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\FreeImage3.dll
[2009/12/17 10:02:14 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\FreeImage.dll
[2009/12/17 10:02:14 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\DVM.dll
[2009/12/15 10:42:18 | 000,004,102 | ---- | C] () -- C:\WINDOWS\scad3.INI
[2009/10/23 12:54:23 | 000,186,240 | ---- | C] () -- C:\WINDOWS\System32\drivers\StkCSF.sys
[2009/08/14 13:11:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2009/08/07 13:47:36 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2009/07/27 11:27:12 | 000,000,145 | ---- | C] () -- C:\WINDOWS\Eudcedit.ini
[2009/06/18 15:24:30 | 000,093,362 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2009/06/18 15:24:30 | 000,043,528 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2009/06/08 15:10:22 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2009/06/05 15:33:52 | 000,001,633 | ---- | C] () -- C:\WINDOWS\INMAGIC.INI
[2009/05/26 13:36:23 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\nvRegDev.dll
[2009/05/18 11:26:45 | 000,000,171 | ---- | C] () -- C:\WINDOWS\icecast2.ini
[2009/04/21 15:10:31 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/04/21 15:10:31 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/03/18 15:09:48 | 000,005,492 | ---- | C] () -- C:\WINDOWS\my.ini
[2009/03/06 08:26:45 | 000,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2009/02/11 13:28:06 | 000,006,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASLM75.SYS
[2009/02/11 13:25:43 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/02/11 07:06:00 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/11 01:59:00 | 000,135,168 | R--- | C] () -- C:\WINDOWS\System32\property.dll
[2009/02/10 14:58:18 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2009/02/10 14:56:53 | 000,032,768 | ---- | C] () -- C:\WINDOWS\SIS_LIB.DLL
[2009/02/10 14:56:38 | 000,139,264 | R--- | C] () -- C:\WINDOWS\System32\IDEproperty.dll
[2009/02/10 14:56:07 | 000,003,429 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/02/10 14:55:57 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/09/27 09:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 09:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 09:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2007/11/07 08:03:18 | 000,562,688 | ---- | M] (Microsoft Corporation) -- C:\install.exe


< MD5 for: AGP440.SYS >
[2004/08/04 11:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\Documents and Settings\Geoff\My Documents\My EBooks\XP_SP2\I386\sp2.cab:AGP440.sys
[2007/11/30 23:36:18 | 019,995,189 | ---- | M] () .cab file -- C:\Documents and Settings\Geoff\My Documents\My EBooks\XP_SP2\I386\sp3.cab:AGP440.sys
[2004/08/05 00:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2007/11/30 23:36:18 | 019,995,189 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2007/11/30 23:36:18 | 019,995,189 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2007/11/30 17:31:08 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=A42ABFAEE59A1DC0E47014E7B5D76AD6 -- C:\Documents and Settings\Geoff\My Documents\agp440.sys
[2007/11/30 16:31:08 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=A42ABFAEE59A1DC0E47014E7B5D76AD6 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2007/11/30 16:31:08 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=A42ABFAEE59A1DC0E47014E7B5D76AD6 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2007/11/30 16:31:08 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=A42ABFAEE59A1DC0E47014E7B5D76AD6 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 11:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\Documents and Settings\Geoff\My Documents\My EBooks\XP_SP2\I386\sp2.cab:atapi.sys
[2007/11/30 23:36:18 | 019,995,189 | ---- | M] () .cab file -- C:\Documents and Settings\Geoff\My Documents\My EBooks\XP_SP2\I386\sp3.cab:atapi.sys
[2004/08/05 00:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2007/11/30 23:36:18 | 019,995,189 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2007/11/30 23:36:18 | 019,995,189 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2007/11/30 17:24:44 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=335BB30ED68CF3DC0EE2BDDB438B6A9B -- C:\Documents and Settings\Geoff\My Documents\atapi.sys
[2007/11/30 16:24:44 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=335BB30ED68CF3DC0EE2BDDB438B6A9B -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2007/11/30 16:24:44 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=335BB30ED68CF3DC0EE2BDDB438B6A9B -- C:\WINDOWS\system32\dllcache\atapi.sys
[2007/11/30 16:24:44 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=335BB30ED68CF3DC0EE2BDDB438B6A9B -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/05 00:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/05 00:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2007/11/30 23:25:36 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=086FFA8479114AE3ECE616D7EB848577 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2007/11/30 23:25:36 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=086FFA8479114AE3ECE616D7EB848577 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/05 00:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2007/11/30 23:25:48 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=327309E36308F9DFB8D4699DF384D421 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2007/11/30 23:25:48 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=327309E36308F9DFB8D4699DF384D421 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/05 00:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/05 00:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2007/11/30 23:25:52 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=625D7B39B09AB60A683AF4B95575056E -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2007/11/30 23:25:52 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=625D7B39B09AB60A683AF4B95575056E -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 03:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 03:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010/01/12 14:50:45 | 000,691,696 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\sptd.sys

< %systemroot%\System32\config\*.sav >
[2009/02/11 03:24:39 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/02/11 03:24:39 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/02/11 03:24:39 | 000,880,640 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/05/11 08:02:11 | 000,020,040 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\system32\drivers\ImmunetMonitor.sys
[2010/05/11 08:02:11 | 000,038,856 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\system32\drivers\ImmunetProtect.sys
[2010/05/11 08:02:11 | 000,029,640 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\system32\drivers\ImmunetSelfProtect.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5F64C164
< End of report >


OTL Extras logfile created on: 13/05/2010 11:58:08 a.m. - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Geoff\Desktop
Windows XP Home Edition Service Pack 3, v.3264 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001409 | Country: New Zealand | Language: ENZ | Date Format: d/MM/yyyy

959.00 Mb Total Physical Memory | 373.00 Mb Available Physical Memory | 39.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1485 1485 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 32.05 Gb Free Space | 43.01% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TECHOFFICE-3
Current User Name: Geoff
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1723:TCP" = 1723:TCP:*:Disabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Disabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Disabled:@xpsp2res.dll,-22017
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Opera 10 Beta\opera.exe" = C:\Program Files\Opera 10 Beta\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\Documents and Settings\Geoff\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\Geoff\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{08498FF9-6C9B-4FC2-8DE1-BD98C89CC220}" = SiSRaidPackage
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{148C4722-1A30-40D8-BBA8-C395BD01CF9D}" = Opera 10.10
"{1C00A3F1-6DA0-49F8-94E4-01AB6FC01033}" = Nero 7 Essentials
"{23F79416-CAD1-41BF-99A3-040F6C814AAA}" = NVIDIA Photoshop Plug-ins
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{4ACBBFC6-3F39-48DE-8D85-182736B2749B}" = Garmin MapSource
"{4CE6B3C4-D8E2-4A5D-BEF5-5B69AF843B0C}" = PC Connectivity Solution
"{635C3D63-D901-4119-9AD2-852D10DCB937}" = 3dem
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{7148F0A8-6813-11D6-A77B-00B0D0142160}" = Java 2 Runtime Environment, SE v1.4.2_16
"{7575BB60-EBB7-4E39-926D-F7FF406DAC62}" = Inmagic DBSearchWorks Runtime 9.00
"{7B18E7E2-AFCA-4CBE-8CD5-3613315AB262}" = ArcGIS Explorer
"{83073C45-3003-4671-9A86-243AAADD915A}" = Microsoft Calculator Plus
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{93D34EE3-99B3-4DB1-8B0A-0A657466F90D}" = Telecom Connection Manager
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}" = Realtek RTL8139/810x Fast Ethernet NIC Driver Setup
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A8D93648-9F7F-407D-915C-62044644C3DA}" = MSI to redistribute MS VS2005 CRT libraries
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.2
"{AF111648-99A1-453E-81DD-80DBBF6DAD0D}" = MSVC90_x86
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{C3EBEF79-DE34-44AE-8774-F6A17ABE27B2}" = Garmin nRoute
"{CEAEEFA6-DEBC-4B16-8F04-84C81440CA32}" = Garmin Training Center 3.4.3
"{D88C3E7C-1DA6-4AD7-97FC-75BC8705B266}" = runtime
"{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}" = U3Launcher
"{DC226AC9-0314-496C-BE6A-B6A132628466}" = SiSAGP driver
"{E1180142-3B31-4DCC-9D27-7AC2D37662BF}" = LightScribe 1.4.124.1
"{F354F255-CD79-438C-B0CC-106665D0A2AB}" = IUCLID 5
"{F41D214F-FFE8-4A71-8C79-C21D5AB3C603}" = Systat 13 Manuals
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"ASIO4ALL" = ASIO4ALL
"Canon LBP5000" = Canon LBP5000
"CCleaner" = CCleaner (remove only)
"Convert Image To PDF_is1" = Convert Image To PDF
"DAQSTANDARD" = DAQSTANDARD
"dBpoweramp Music Converter" = dBpoweramp Music Converter
"dem3d" = dem3d
"EAGLE 5.4.0" = EAGLE 5.4.0
"Exact Audio Copy" = Exact Audio Copy 0.99pb5
"exe" = eXe -- eLearning XHTML editor
"foobar2000" = foobar2000 v0.9.6.9
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"IE7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Immunet Protect" = ClamAV for Windows
"IObit SmartDefrag Beta5.01_is1" = IObit SmartDefrag
"IsoBuster Toolbar" = IsoBuster Toolbar
"IsoBuster_is1" = IsoBuster 2.7
"Jack v1.9.5" = Jack v1.9.5
"LTspice IV" = LTspice IV
"MapCenter (Family 963)" = MapCenter - Free Open GPS NZ Autorouting
"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5
"nLite_is1" = nLite 1.4.7
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Picasa2" = Picasa 2
"Plone_is1" = Plone (version 3.1.7) (build 9169)
"SiS VGA Driver" = SiS 661FX
"VLC media player" = VLC media player 1.0.0
"Windows Essentials Media Codec Pack" = Windows Essentials Media Codec Pack 1.0
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"XviD_is1" = XviD 1.1 final uninstall
"ZoneAlarm" = ZoneAlarm

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1343024091-1580436667-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/04/2010 11:13:23 p.m. | Computer Name = TECHOFFICE-3 | Source = Apache Service | ID = 3299
Description = The Apache service named reported the following error: >>> no listening
sockets available, shutting down .

Error - 5/04/2010 11:13:23 p.m. | Computer Name = TECHOFFICE-3 | Source = Apache Service | ID = 3299
Description = The Apache service named reported the following error: >>> Unable
to open logs .

Error - 6/04/2010 4:09:00 p.m. | Computer Name = TECHOFFICE-3 | Source = Apache Service | ID = 3299
Description = The Apache service named reported the following error: >>> (OS 10048)Only
one usage of each socket address (protocol/network address/port) is normally permitted.
: make_sock: could not bind to address 0.0.0.0:80 .

Error - 6/04/2010 4:09:00 p.m. | Computer Name = TECHOFFICE-3 | Source = Apache Service | ID = 3299
Description = The Apache service named reported the following error: >>> no listening
sockets available, shutting down .

Error - 6/04/2010 4:09:00 p.m. | Computer Name = TECHOFFICE-3 | Source = Apache Service | ID = 3299
Description = The Apache service named reported the following error: >>> Unable
to open logs .

Error - 7/04/2010 4:29:11 p.m. | Computer Name = TECHOFFICE-3 | Source = Apache Service | ID = 3299
Description = The Apache service named reported the following error: >>> (OS 10048)Only
one usage of each socket address (protocol/network address/port) is normally permitted.
: make_sock: could not bind to address 0.0.0.0:80 .

Error - 7/04/2010 4:29:11 p.m. | Computer Name = TECHOFFICE-3 | Source = Apache Service | ID = 3299
Description = The Apache service named reported the following error: >>> no listening
sockets available, shutting down .

Error - 7/04/2010 4:29:11 p.m. | Computer Name = TECHOFFICE-3 | Source = Apache Service | ID = 3299
Description = The Apache service named reported the following error: >>> Unable
to open logs .

Error - 13/04/2010 12:01:28 a.m. | Computer Name = TECHOFFICE-3 | Source = Microsoft Office 11 | ID = 2001
Description = Rejected Safe Mode action : Microsoft Office Word.

Error - 25/04/2010 6:17:14 p.m. | Computer Name = TECHOFFICE-3 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module ntdll.dll, version 5.1.2600.3264, fault address 0x00036d4a.

[ System Events ]
Error - 10/05/2010 7:28:35 p.m. | Computer Name = TECHOFFICE-3 | Source = Service Control Manager | ID = 7000
Description = The ASInsHelp service failed to start due to the following error:
%%2

Error - 10/05/2010 7:28:35 p.m. | Computer Name = TECHOFFICE-3 | Source = Service Control Manager | ID = 7023
Description = The Human Interface Device Access service terminated with the following
error: %%126

Error - 11/05/2010 3:52:40 p.m. | Computer Name = TECHOFFICE-3 | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.

Error - 11/05/2010 3:53:01 p.m. | Computer Name = TECHOFFICE-3 | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.

Error - 11/05/2010 3:54:00 p.m. | Computer Name = TECHOFFICE-3 | Source = Service Control Manager | ID = 7000
Description = The ASInsHelp service failed to start due to the following error:
%%2

Error - 11/05/2010 3:54:00 p.m. | Computer Name = TECHOFFICE-3 | Source = Service Control Manager | ID = 7023
Description = The Human Interface Device Access service terminated with the following
error: %%126

Error - 12/05/2010 3:48:19 p.m. | Computer Name = TECHOFFICE-3 | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.

Error - 12/05/2010 3:48:34 p.m. | Computer Name = TECHOFFICE-3 | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.

Error - 12/05/2010 3:49:36 p.m. | Computer Name = TECHOFFICE-3 | Source = Service Control Manager | ID = 7000
Description = The ASInsHelp service failed to start due to the following error:
%%2

Error - 12/05/2010 3:49:36 p.m. | Computer Name = TECHOFFICE-3 | Source = Service Control Manager | ID = 7023
Description = The Human Interface Device Access service terminated with the following
error: %%126


< End of report >


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home
  • Local time:09:50 PM

Posted 12 May 2010 - 07:58 PM

Hi,

Please run a scan with GMER next:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#5 geoff798

geoff798
  • Topic Starter

  • Members
  • 12 posts
  • Local time:07:50 AM

Posted 12 May 2010 - 08:34 PM

W32.Alureon Trojan

Hi Myrti,

Have carried out the instructions. PC froze after completion, requiring a restart. Not sure if ClamAV was actually disconnected, though I pressed Exit on the taskbar icon.

Regards,



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-13 13:25:48
Windows 5.1.2600 Service Pack 3, v.3264
Running: lbh7c1fr.exe; Driver: C:\DOCUME~1\Geoff\LOCALS~1\Temp\uxtiiaow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows ® Codename Longhorn DDK provider) ZwCreateKey [0xABF17EA6]
SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows ® Codename Longhorn DDK provider) ZwDeleteKey [0xABF181C2]
SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows ® Codename Longhorn DDK provider) ZwDeleteValueKey [0xABF182CC]
SSDT spnm.sys ZwEnumerateKey [0xF7575DA4]
SSDT spnm.sys ZwEnumerateValueKey [0xF7576132]
SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows ® Codename Longhorn DDK provider) ZwOpenKey [0xABF18038]
SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows ® Codename Longhorn DDK provider) ZwOpenProcess [0xABF17CCE]
SSDT spnm.sys ZwQueryKey [0xF757620A]
SSDT spnm.sys ZwQueryValueKey [0xF757608A]
SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows ® Codename Longhorn DDK provider) ZwSetValueKey [0xABF18410]
SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows ® Codename Longhorn DDK provider) ZwTerminateProcess [0xABF17E6E]

INT 0x62 ? 863D8BF8
INT 0x74 ? 8595EBF8
INT 0x82 ? 863D8BF8
INT 0x83 ? 863DABF8
INT 0x84 ? 8595EBF8
INT 0x94 ? 8595EBF8
INT 0xB4 ? 8595EBF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 192 804E49BC 2 Bytes [A4, 5D] {MOVSB ; POP EBP}
.text ntoskrnl.exe!ZwYieldExecution + 2F6 804E4B20 2 Bytes [0A, 62]
.text ntoskrnl.exe!ZwYieldExecution + 33A 804E4B64 2 Bytes [8A, 60]
? spnm.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F69448AC 5 Bytes JMP 8595E1D8
.text a4sb88bl.SYS F68F3386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text a4sb88bl.SYS F68F33AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a4sb88bl.SYS F68F33C4 3 Bytes [00, 80, 02]
.text a4sb88bl.SYS F68F33C9 1 Byte [30]
.text a4sb88bl.SYS F68F33C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[244] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[368] USER32.dll!CreateWindowExW 7E41F32B 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[368] USER32.dll!UnhookWindowsHookEx 7E41F883 5 Bytes JMP 3E2548CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[368] USER32.dll!CallNextHookEx 7E42054E 5 Bytes JMP 3E2DD189 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[368] USER32.dll!DialogBoxParamW 7E425204 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[368] USER32.dll!SetWindowsHookExW 7E42DFFE 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[368] USER32.dll!DialogBoxIndirectParamW 7E432082 5 Bytes JMP 3E3E43AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[368] USER32.dll!MessageBoxIndirectA 7E43A08A 5 Bytes JMP 3E3E42E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[368] USER32.dll!DialogBoxParamA 7E43B14C 5 Bytes JMP 3E3E434C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[368] USER32.dll!MessageBoxExW 7E4507F8 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[368] USER32.dll!MessageBoxExA 7E45081C 5 Bytes JMP 3E3E4214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[368] USER32.dll!DialogBoxIndirectParamA 7E456D78 5 Bytes JMP 3E3E4412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[368] USER32.dll!MessageBoxIndirectW 7E4664CD 5 Bytes JMP 3E3E4276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[368] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED9C0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[368] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3128] USER32.dll!CreateWindowExW 7E41F32B 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3128] USER32.dll!UnhookWindowsHookEx 7E41F883 5 Bytes JMP 3E2548CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3128] USER32.dll!CallNextHookEx 7E42054E 5 Bytes JMP 3E2DD189 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3128] USER32.dll!DialogBoxParamW 7E425204 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3128] USER32.dll!SetWindowsHookExW 7E42DFFE 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3128] USER32.dll!DialogBoxIndirectParamW 7E432082 5 Bytes JMP 3E3E43AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3128] USER32.dll!MessageBoxIndirectA 7E43A08A 5 Bytes JMP 3E3E42E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3128] USER32.dll!DialogBoxParamA 7E43B14C 5 Bytes JMP 3E3E434C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3128] USER32.dll!MessageBoxExW 7E4507F8 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3128] USER32.dll!MessageBoxExA 7E45081C 5 Bytes JMP 3E3E4214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3128] USER32.dll!DialogBoxIndirectParamA 7E456D78 5 Bytes JMP 3E3E4412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3128] USER32.dll!MessageBoxIndirectW 7E4664CD 5 Bytes JMP 3E3E4276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3128] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED9C0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3128] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!CreateWindowExW 7E41F32B 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!DialogBoxParamW 7E425204 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!DialogBoxIndirectParamW 7E432082 5 Bytes JMP 3E3E43AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!MessageBoxIndirectA 7E43A08A 5 Bytes JMP 3E3E42E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!DialogBoxParamA 7E43B14C 5 Bytes JMP 3E3E434C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!MessageBoxExW 7E4507F8 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!MessageBoxExA 7E45081C 5 Bytes JMP 3E3E4214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!DialogBoxIndirectParamA 7E456D78 5 Bytes JMP 3E3E4412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3600] USER32.dll!MessageBoxIndirectW 7E4664CD 5 Bytes JMP 3E3E4276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 863DA2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7588DDC] spnm.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7588E30] spnm.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F755E042] spnm.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F755E13E] spnm.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F755E0C0] spnm.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F755E800] spnm.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F755E6D6] spnm.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F756DB90] spnm.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8595E2D8
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!RtlInitUnicodeString] 8800001C
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!swprintf] 001CBA86
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!KeSetEvent] C61AEB00
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 001C8986
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoGetConfigurationInformation] 86C61200
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 00001C8B
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!MmFreeMappingAddress] 96868801
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 8800001C
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 001CB286
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!MmUnmapIoSpace] 88968B00
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 8900001C
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IofCompleteRequest] 001CA496
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!RtlCompareUnicodeString] C6168B00
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IofCallDriver] 001CC186
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 428A0A00
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] C286880C
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoConnectInterrupt] 8B00001C
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoDetachDevice] 24A48DFA
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!KeWaitForSingleObject] 00000000
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!KeInitializeEvent] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!KeCancelTimer] 8D3F0304
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] CB033043
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!RtlInitAnsiString] 0673C13B
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] C13B0003
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoQueueWorkItem] 8366FA72
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!MmMapIoSpace] 75000E7B
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 0B7D80E3
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoReportDetectedDevice] 307B8D00
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoReportResourceForDetection] 00AA840F
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 83660000
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!NlsMbCodePageTag] 6A000E7A
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!PoRequestPowerIrp] C6647400
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 001CC386
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 4F8B0200
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!sprintf] 968D5140
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 00001C98
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!ObfDereferenceObject] 22F6E852
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 478B0000
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 50016A40
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!ZwClose] 1CB48E8D
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] E8510000
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 000022E4
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 6A18538B
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 868D5200
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoCreateDevice] 00001CA0
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 22D2E850
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 4B8B0000
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 51016A18
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!ZwOpenKey] 1CBC968D
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!RtlFreeUnicodeString] E8520000
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoStartTimer] 000022C0
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!KeInitializeTimer] 8A05478A
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoInitializeTimer] 001CC38E
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!KeInitializeDpc] 30C48300
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!KeInitializeSpinLock] 1CC58688
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoInitializeIrp] 80E90000
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!ZwCreateKey] C6000000
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 001CC386
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 438B0100
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!ZwSetValueKey] 8E8D5018
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!KeInsertQueueDpc] 00001C98
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 2292E851
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoStartPacket] 538B0000
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 52016A18
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 1CB4868D
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoFreeMdl] E8500000
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!MmUnlockPages] 00002280
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 8A05478A
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 001CC38E
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 18C48300
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 1CC58688
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!KeSynchronizeExecution] 43EB0000
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoStartNextPacket] 320C538A
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!KeBugCheckEx] 88F93BC0
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 001CC396
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!KeSetTimer] F6317300
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!_allmul] 74070647
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!MmProbeAndLockPages] 75C0841A
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!_except_handler3] 05578A0B
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!PoSetPowerState] 968801B0
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 00001CC5
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 57B60F66
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!RtlDeleteRegistryValue] 533B6604
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!_aulldiv] 03087408
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!strstr] 72F93B3F
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!_strupr] 8A09EBDA
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!KeQuerySystemTime] 86880547
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 00001CC5
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!KeTickCount] 88084B8A
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 001CC68E
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoDeleteDevice] 40578B00
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 8D52006A
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoAllocateWorkItem] 001CC886
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoAllocateIrp] 11E85000
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoAllocateMdl] 8B000022
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 001CC08E
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!MmLockPagableDataSection] C4968B00
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 8900001C
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 001CCC8E
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!ExFreePoolWithTag] D0968900
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoFreeIrp] 8B00001C
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!IoFreeWorkItem] 016A4047
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!InitSafeBootMode] D4C68150
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!RtlCompareMemory] 5600001C
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!PoCallDriver] 0021E7E8
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!memmove] 18C48300
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[ntoskrnl.exe!MmHighestUserAddress] 5D5B5E5F
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[HAL.dll!KfRaiseIrql] 00001CB1
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\a4sb88bl.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[368] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[3128] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 863671F8

AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows ® 2000 DDK provider)

Device \Driver\sptd \Device\4182332504 spnm.sys
Device \Driver\usbohci \Device\USBPDO-0 8595D1F8
Device \Driver\usbohci \Device\USBPDO-1 8595D1F8
Device \Driver\usbehci \Device\USBPDO-2 8596D500
Device \Driver\usbohci \Device\USBPDO-3 8595D1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 863691F8
Device \Driver\Cdrom \Device\CdRom0 8597D1F8
Device \Driver\Cdrom \Device\CdRom1 8597D1F8
Device \Driver\atapi \Device\Ide\IdePort0 [F74D7B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F74D7B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-5 [F74D7B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\PCI_PNP2504 \Device\0000003c spnm.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 8533E500
Device \Driver\NetBT \Device\NetbiosSmb 8533E500
Device \Driver\usbohci \Device\USBFDO-0 8595D1F8
Device \Driver\usbohci \Device\USBFDO-1 8595D1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 853321F8
Device \Driver\usbohci \Device\USBFDO-2 8595D1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 853321F8
Device \Driver\usbehci \Device\USBFDO-3 8596D500
Device \Driver\Ftdisk \Device\FtControl 863691F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{6C92E3E6-76FB-4A84-B507-EDBA9E867D73} 8533E500
Device \Driver\a4sb88bl \Device\Scsi\a4sb88bl1 858E91F8
Device \Driver\SiSRaid \Device\Scsi\SiSRaid1 863681F8
Device \Driver\SiSRaid \Device\Scsi\SiSRaid1Port2Path0Target0Lun0 863681F8
Device \Driver\a4sb88bl \Device\Scsi\a4sb88bl1Port3Path0Target0Lun0 858E91F8
Device \FileSystem\Cdfs \Cdfs 8542E500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x64 0x39 0x94 0xF7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x29 0xF0 0xFD 0x05 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x32 0x0A 0x9E 0xD2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x59 0x03 0x13 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x29 0xF0 0xFD 0x05 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x32 0x0A 0x9E 0xD2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x59 0x03 0x13 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x29 0xF0 0xFD 0x05 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x32 0x0A 0x9E 0xD2 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x64 0x39 0x94 0xF7 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x29 0xF0 0xFD 0x05 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x32 0x0A 0x9E 0xD2 ...

---- EOF - GMER 1.0.15 ----

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 13 May 2010 - 10:21 AM

Hi,

ClamAV does not have real-time protection. This means that it will not try to prevent infections when they occur, as other antivirus programs do. It only has a resident or on-demand scanner. I would suggest that you use an antivirus program with an on-access scanner; this way, ideally, every time an infection tries to access one of your files, it will be detected and blocked.
Real time protection is something that isn't really needed on linux installs so ClamAV is great for linux servers, however for a windows home PC I would suggest to use something different.
Two good antivirus programs free for non-commercial home use with on access scanner are Avast! and Antivir
Note: You should only have one antivirus with an on-access scanner installed at a time. Having more than one on-access scanner installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
My personal impression is that Avira is lighter than Avast, but that usually


Can you please tell me in what file ClamAV sees Alureon? Do you have any symptoms besides ClamAV seeing the infection?

regards myrti, a fellow (k)ubuntu passionate

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 geoff798

geoff798
  • Topic Starter

  • Members
  • 12 posts

Posted 13 May 2010 - 05:31 PM

Dear Myrti,

Thank you for the guidance. We have recently installed both ClamAV for Windows and ClamWIN on machines. On a fresh install of Windows, or machines which have had no internet access, Clam reports no infections. On two machines which have had internet access and have been using Comodo previously I have seen this W32.Alureon notice. In both cases the suspected file is to be found in C:\WINDOWS\System32\msvcrt.dll; on at least one occasion it is written as MSVCRT.DLL in uppercase. On the PC for which I've sent in scans the 'threats detected' count has gone up from 25 yesterday to 39 today, all relating to this one file. ClamAV gives no further information. I'm just wondering if it's a Service Pack 3 thing, because re-installing Windows XP Home on another PC yesterday it crashed at this exact file.

Ubuntu server rocks!

Best regards,

Geoff

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 13 May 2010 - 06:09 PM

Hi,

It could be a false positive. On the PC where the Alureon is found in msvcrt.dll please upload it:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit.
C:\WINDOWS\System32\msvcrt.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#9 geoff798

geoff798
  • Topic Starter

  • Members
  • 12 posts

Posted 13 May 2010 - 06:47 PM

Hi Myrti,

Carried out your instructions with the following response, which I've copied and pasted.

Filename: ARKC.tmp
Status: Scan finished. 3 out of 19 scanners reported malware.
Scan taken on: Sat 16 May 2009 17:54:58 (CET) Permalink

File size: 343040 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: 17cae0328d31b13db7109a88979cbb24
SHA1: 6121f8c249905c5186f368c1c5969c924ca4a93e

Permalink : http://virusscan.jotti.org/en/scanresult/7...014e995c29cd1e5

Interestingly ClamAV on line found nothing unusual.

Best Regards,

Geoff

#10 geoff798

geoff798
  • Topic Starter

  • Members
  • 12 posts

Posted 13 May 2010 - 07:12 PM

Sorry Myrti,

I promise I followed your instructions to the letter, so I don't know what happened there.

Here's a run again.

http://virusscan.jotti.org/en/scanresult/7...5667476d66800d6

Filename: msvcrt.dll
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Fri 14 May 2010 01:51:23 (CET) Permalink


File size: 343040 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: 17cae0328d31b13db7109a88979cbb24
SHA1: 6121f8c249905c5186f368c1c5969c924ca4a93e

Regards,

Geoff




#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 13 May 2010 - 07:26 PM

Hi,

the scan is showing that ClamAV does not detect anything in that file. Can you please update your ClamAV and run another scan? Does it still detect Alureon on your PC?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#12 geoff798

geoff798
  • Topic Starter

  • Members
  • 12 posts

Posted 13 May 2010 - 07:40 PM

Hi Myrti,

Yep! 37 times in the same msvcrt.dll file. I thought it strange - but how come the initial file search dug out Alureon - in a file of exactly the same size and description but by a different name - doesn't that make you suspicious? Ok, I ran it again, but followed the exact same procedure and got a file with a different name - albeit the msvcrt.dll file we wanted to scan - and all's fine. Do you know if this tmp file is a known issue, and could it be reinstalling itself somehow?

I know nothing about viruses, but am getting the Heebie-Jeebies from this process. I noticed on the first scan that AntiVir came back with a result. Do you think I should try installing this and give it a run?

Thanks and best regards,

Geoff
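The point Geoff raises above is worth making concrete: the two Jotti results quoted in this thread (ARKC.tmp in post #9, msvcrt.dll in post #10) report the same size, MD5 and SHA1, which means they are the same bytes under two names, so a verdict on one is a verdict on the other. The script below is an added example, not something posted in the thread or part of any tool mentioned here; it hashes files, groups byte-identical ones regardless of filename, and checks a file against the digests Jotti reported. The sample files in `demo()` are constructed stand-ins, not the real msvcrt.dll.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Digests as quoted from the Jotti results in this thread (posts #9 and #10).
JOTTI_MD5 = "17cae0328d31b13db7109a88979cbb24"
JOTTI_SHA1 = "6121f8c249905c5186f368c1c5969c924ca4a93e"


def file_digests(path, chunk_size=1 << 16):
    """Return (size, md5_hex, sha1_hex) for a file, hashing it in chunks."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha1.hexdigest()


def group_identical(paths):
    """Map (size, md5, sha1) -> list of paths whose bytes are identical.

    Filenames are ignored on purpose: a scanner's temp copy and the original
    DLL hash the same, so they are one object to assess, not two."""
    groups = defaultdict(list)
    for path in paths:
        groups[file_digests(path)].append(path)
    return dict(groups)


def matches_jotti(path):
    """True if the file on disk is exactly the object Jotti reported on."""
    _, md5, sha1 = file_digests(path)
    return md5 == JOTTI_MD5 and sha1 == JOTTI_SHA1


def report(paths):
    """One line per distinct content; flags content seen under several names."""
    lines = []
    for (size, md5, sha1), members in group_identical(paths).items():
        names = ",".join(sorted(os.path.basename(p) for p in members))
        tag = ("SAME BYTES under %d names" % len(members)
               if len(members) > 1 else "unique")
        lines.append("%s size=%d md5=%s sha1=%s names=%s"
                     % (tag, size, md5, sha1, names))
    return lines


def demo():
    """Constructed sample (not the real files): a DLL stand-in, a temp copy of
    it under a different name, and an unrelated file. Returns (groups, lines)."""
    workdir = tempfile.mkdtemp()
    dll = os.path.join(workdir, "msvcrt.dll")
    tmp_copy = os.path.join(workdir, "ARKC.tmp")
    other = os.path.join(workdir, "other.dll")
    with open(dll, "wb") as fh:
        fh.write(b"abc")           # constructed content
    with open(tmp_copy, "wb") as fh:
        fh.write(b"abc")           # same bytes, different name
    with open(other, "wb") as fh:
        fh.write(b"not the same")  # different content
    paths = [dll, tmp_copy, other]
    return group_identical(paths), report(paths)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```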


#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 13 May 2010 - 07:55 PM

Hi,

first please try the following:

Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB). Before running, it will stop Explorer and all other running apps. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

Afterwards please run a fresh scan with ClamAV and let me know if the detections in the temporary file are still present. It can't hurt to run a scan with Avira too.
regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#14 geoff798

geoff798
  • Topic Starter

  • Members
  • 12 posts

Posted 13 May 2010 - 08:32 PM

Hi Myrti,

I've uploaded an image of the latest ClamAv scan. This is the cloud application version, so it is active only when files are being checked. By switching the machine off it reconnects to the cloud and on we go! It came back with the same stuff as last time, but only 36 times! Installed the Avira, and have included the log below.

Best regards, thanks for all your help!

Geoff



Avira AntiVir Personal
Report file date: Friday, 14 May 2010 13:22

Scanning for 2114382 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3, v.3264) [5.1.2600]
Boot mode : Normally booted
Username : Geoff
Computer name : TECHOFFICE-3

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 19/04/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 1/04/2010 01:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 1/04/2010 01:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 7/03/2010 07:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 10/02/2010 12:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 6/11/2009 22:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 19/11/2009 08:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 20/01/2010 06:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 26/01/2010 05:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 5/03/2010 00:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 15/04/2010 01:20:05
VBASE006.VDF : 7.10.6.83 2048 Bytes 15/04/2010 01:20:05
VBASE007.VDF : 7.10.6.84 2048 Bytes 15/04/2010 01:20:06
VBASE008.VDF : 7.10.6.85 2048 Bytes 15/04/2010 01:20:06
VBASE009.VDF : 7.10.6.86 2048 Bytes 15/04/2010 01:20:06
VBASE010.VDF : 7.10.6.87 2048 Bytes 15/04/2010 01:20:07
VBASE011.VDF : 7.10.6.88 2048 Bytes 15/04/2010 01:20:07
VBASE012.VDF : 7.10.6.89 2048 Bytes 15/04/2010 01:20:07
VBASE013.VDF : 7.10.6.90 2048 Bytes 15/04/2010 01:20:08
VBASE014.VDF : 7.10.6.123 126464 Bytes 19/04/2010 01:20:09
VBASE015.VDF : 7.10.6.152 123392 Bytes 21/04/2010 01:20:10
VBASE016.VDF : 7.10.6.178 122880 Bytes 22/04/2010 01:20:11
VBASE017.VDF : 7.10.6.206 120320 Bytes 26/04/2010 01:20:12
VBASE018.VDF : 7.10.6.232 99328 Bytes 28/04/2010 01:20:13
VBASE019.VDF : 7.10.7.2 155648 Bytes 30/04/2010 01:20:14
VBASE020.VDF : 7.10.7.26 119808 Bytes 4/05/2010 01:20:15
VBASE021.VDF : 7.10.7.51 118272 Bytes 6/05/2010 01:20:15
VBASE022.VDF : 7.10.7.75 404992 Bytes 10/05/2010 01:20:18
VBASE023.VDF : 7.10.7.76 2048 Bytes 10/05/2010 01:20:18
VBASE024.VDF : 7.10.7.77 2048 Bytes 10/05/2010 01:20:19
VBASE025.VDF : 7.10.7.78 2048 Bytes 10/05/2010 01:20:19
VBASE026.VDF : 7.10.7.79 2048 Bytes 10/05/2010 01:20:20
VBASE027.VDF : 7.10.7.80 2048 Bytes 10/05/2010 01:20:20
VBASE028.VDF : 7.10.7.81 2048 Bytes 10/05/2010 01:20:20
VBASE029.VDF : 7.10.7.82 2048 Bytes 10/05/2010 01:20:21
VBASE030.VDF : 7.10.7.83 2048 Bytes 10/05/2010 01:20:21
VBASE031.VDF : 7.10.7.97 125440 Bytes 13/05/2010 01:20:22
Engineversion : 8.2.1.242
AEVDF.DLL : 8.1.2.0 106868 Bytes 14/05/2010 01:20:46
AESCRIPT.DLL : 8.1.3.29 1343866 Bytes 14/05/2010 01:20:44
AESCN.DLL : 8.1.6.1 127347 Bytes 14/05/2010 01:20:41
AESBX.DLL : 8.1.3.1 254324 Bytes 14/05/2010 01:20:49
AERDL.DLL : 8.1.4.6 541043 Bytes 14/05/2010 01:20:39
AEPACK.DLL : 8.2.1.1 426358 Bytes 19/03/2010 01:34:51
AEOFFICE.DLL : 8.1.1.0 201081 Bytes 14/05/2010 01:20:37
AEHEUR.DLL : 8.1.1.27 2670967 Bytes 14/05/2010 01:20:36
AEHELP.DLL : 8.1.11.3 242039 Bytes 1/04/2010 05:05:25
AEGEN.DLL : 8.1.3.9 377203 Bytes 14/05/2010 01:20:29
AEEMU.DLL : 8.1.2.0 393588 Bytes 14/05/2010 01:20:27
AECORE.DLL : 8.1.15.3 192886 Bytes 14/05/2010 01:20:25
AEBB.DLL : 8.1.1.0 53618 Bytes 14/05/2010 01:20:24
AVWINLL.DLL : 10.0.0.0 19304 Bytes 14/01/2010 01:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 14/01/2010 01:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 18/02/2010 05:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 1/04/2010 01:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 1/04/2010 01:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 1/04/2010 01:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 25/01/2010 22:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 28/01/2010 01:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 16/03/2010 04:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 19/02/2010 03:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 28/01/2010 02:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 9/04/2010 03:14:29

Configuration settings for the scan:
Jobname.............................: Short system scan after installation
Configuration file..................: c:\program files\avira\antivir desktop\setupprf.dat
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Friday, 14 May 2010 13:22

The scan of running processes will be started
Scan process 'SearchProtocolHost.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'SearchFilterHost.exe' - '1' Module(s) have been scanned
Scan process 'WINWORD.EXE' - '1' Module(s) have been scanned
Scan process 'OUTLOOK.EXE' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avconfig.exe' - '1' Module(s) have been scanned
Scan process 'SearchProtocolHost.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'setup.exe' - '1' Module(s) have been scanned
Scan process 'presetup.exe' - '1' Module(s) have been scanned
Scan process 'avira_antivir_personal_en.exe' - '1' Module(s) have been scanned
Scan process 'cidaemon.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'python.exe' - '1' Module(s) have been scanned
Scan process 'PythonService.exe' - '1' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'locator.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'pg_ctl.exe' - '1' Module(s) have been scanned
Scan process 'cisvc.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:

Starting to scan executable files (registry).
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
The registry was scanned ( '2286' files ).



End of the scan: Friday, 14 May 2010 13:24
Used time: 01:55 Minute(s)

The scan has been done completely.

0 Scanned directories
2770 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
2769 Files not concerned
6 Archives were scanned
1 Warnings
0 Notes




#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 14 May 2010 - 02:31 AM

Hi,

could you please upload the file to ClamAV as a false positive.

Go here: http://cgi.clamav.net/sendvirus.cgi

Please enter a name and an email address where you can still be reached in a couple of days and make sure notify me is checked.

Upload the file and make sure that you click on False Positive for The file attached is:.

Enter a short description if you want and leave the rest unchanged.

Let me know once you're done (and please let me know when ClamAV replies)

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 





