Had virus, now website has been hacked


  • This topic is locked
22 replies to this topic

#1 19brendan81

  • Members
  • 15 posts

Posted 10 May 2010 - 11:51 PM

Hi Tom,

I had a virus that you helped me with before. Not sure what it was, but the main symptom was an annoying Google redirect. Solution thread is here:

http://www.bleepingcomputer.com/forums/ind...p;#entry1667563

About a month after this, sales from my online store stopped turning up. I had been hacked. I assume it was related to the above virus. My web host found the virus files online, deleted them and I changed passwords. Now, the exact same thing has happened again.

I don't know if there is still something on my PC that they are using, or if the problem is in the hosted files. I'm currently deleting the hosted files and replacing them with clean ones, but I need to be certain there is nothing on my computer logging my keystrokes. I'm extremely concerned as to how they got my password again after I changed it and deleted the bad files.

Please help!

Brendan

Moved from Malware Removal Logs to more appropriate Am I Infected forum ~ Hamluis.

Edited by Pandy, 11 May 2010 - 11:03 AM.
Moved back to Malware removal at the helper's request ~Pandy



#2 schrauber (Mr.Mechanic)

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 11 May 2010 - 10:51 AM

Hi again :)
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemdrive%\*.sys /90 /md5
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.
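A first pass over the OTL.txt that step 6 produces can be scripted. The block below is an added example for this thread; it is not part of OTL and not code posted by anyone in it. It assumes the row layouts of OTL 3.2.x output (the `PRC/MOD/SRV/DRV - [date | size | attrs | M] (Company) [state] -- path -- (service)` rows and the `O4 - HKLM..\Run:` autorun rows), where an empty `()` company field means OTL found no company name in the file's version information. The sample log is constructed here, in the shape of the log posted later in the thread, and the rule set (empty company field, "File not found" entries, a non-empty AppInit_DLLs value, and `EnableLUA = 0`, which means UAC is switched off) is a triage starting point chosen for this example, not an OTL feature. Unsigned does not mean malicious: plenty of legitimate helpers (DivX, Winamp agent, XAMPP's mysqld) carry no company name, so the output is a list of things to look at, not a verdict.

```python
"""First-pass triage of an OTL.txt log (added example, not part of OTL)."""
import re

# Process / module / service / driver rows:
#   PRC - [date time | size | attrs | M] (Company) [state] -- path -- (service)
ROW_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - \[(?P<stamp>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]+) \| (?P<flag>[A-Z])\] \((?P<company>.*?)\)\s+"
    r"(?:\[(?P<state>[^\]]*)\]\s+)?--\s+(?P<path>.*?)"
    r"(?:\s+--\s+\((?P<svc>[^)]*)\).*)?$"
)
# Autorun rows:  O4 - HKLM..\Run: [Name] path (Company)
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.*?) \((?P<company>.*?)\)\s*$"
)

# Constructed sample in the OTL.txt layout (illustrative rows, not the full log).
SAMPLE_OTL = r"""========== Processes (SafeList) ==========

PRC - [2010/05/12 20:33:32 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe
PRC - [2010/03/06 01:32:28 | 001,135,912 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
SRV - [2008/07/30 18:53:08 | 000,587,776 | ---- | M] (FileZilla Project) [On_Demand | Stopped] -- c:\xampp\FileZillaFTP\FileZillaServer.exe -- (FileZilla Server)
SRV - [2008/08/04 23:45:16 | 005,779,456 | ---- | M] () [Auto | Stopped] -- c:\xampp\mysql\bin\mysqld-nt.exe -- (mysql)
DRV - [2007/07/13 16:25:22 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PCASp50.sys -- (PCASp50)
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O20 - AppInit_DLLs: (C:\Windows\System32\avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
"""


def parse_line(line):
    """Return a dict for a PRC/MOD/SRV/DRV or O4 row, or None for any other line."""
    m = ROW_RE.match(line)
    if m:
        return m.groupdict()           # includes "kind", "company", "path", "state", "svc"
    m = O4_RE.match(line)
    if m:
        d = m.groupdict()
        d["kind"] = "O4"
        return d
    return None


def triage(text):
    """Return (reason, detail) pairs, in log order, for entries worth a second look."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        # No company name in the version resource: not proof of anything, but
        # the first filter a helper applies when reading the list.
        if entry is not None and entry["company"] == "":
            findings.append(("no-company", entry["path"]))
        # Registry still points at a file that is gone (leftover from a removed
        # program, or from an earlier clean-up of something less benign).
        if "File not found" in line:
            findings.append(("missing-file", line))
        # AppInit_DLLs is loaded into every process that links user32.dll,
        # so any non-empty value deserves a look.
        if line.startswith("O20 - AppInit_DLLs:") and "AppInit_DLLs: ()" not in line:
            findings.append(("appinit-dll", line))
        # EnableLUA = 0 means User Account Control is switched off.
        if line.startswith("O6 -") and line.rstrip().endswith("EnableLUA = 0"):
            findings.append(("uac-disabled", line))
    return findings


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_OTL):
        print(f"{reason:14} {detail}")
```

Run it against a saved OTL.txt by replacing `SAMPLE_OTL` with the file's contents; the parser skips the section headers and any O-line it does not know, so the Extra.txt report can be fed through unchanged as well.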

#3 19brendan81

  • Topic Starter
  • Members
  • 15 posts

Posted 12 May 2010 - 05:45 AM

OTL.txt

OTL logfile created on: 12/05/2010 8:34:01 PM - Run 3
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\Don\Desktop
Windows Vista Ultimate Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000c09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 46.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 78.12 Gb Total Space | 26.00 Gb Free Space | 33.28% Space Free | Partition Type: NTFS
Drive D: | 154.76 Gb Total Space | 154.36 Gb Free Space | 99.74% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DON-PC
Current User Name: Don
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/12 20:33:32 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe
PRC - [2010/03/06 01:32:28 | 001,135,912 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2009/09/11 01:29:33 | 000,168,960 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmplayer.exe
PRC - [2008/10/29 16:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/08/04 09:02:20 | 000,036,352 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2008/08/01 14:50:14 | 000,245,760 | ---- | M] (Alcor Micro Corp.) -- C:\Program Files\UVC Video Camera\UVCSti.exe
PRC - [2008/05/07 12:41:56 | 002,162,688 | ---- | M] (Telstra) -- C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe
PRC - [2008/03/01 22:28:41 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2008/01/11 19:54:31 | 000,623,992 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
PRC - [2007/12/21 12:01:02 | 000,151,552 | ---- | M] () -- C:\xampp\xampp-control.exe
PRC - [2007/07/06 13:06:52 | 004,669,440 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2006/10/27 14:16:48 | 012,813,096 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE


========== Modules (SafeList) ==========

MOD - [2010/05/12 20:33:32 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe
MOD - [2006/11/02 19:44:49 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2006/11/02 19:38:57 | 001,648,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2008/08/04 23:45:16 | 005,779,456 | ---- | M] () [Auto | Stopped] -- c:\xampp\mysql\bin\mysqld-nt.exe -- (mysql)
SRV - [2008/07/30 18:53:08 | 000,587,776 | ---- | M] (FileZilla Project) [On_Demand | Stopped] -- c:\xampp\FileZillaFTP\FileZillaServer.exe -- (FileZilla Server)
SRV - [2008/06/15 03:02:12 | 000,017,408 | ---- | M] (Apache Software Foundation) [On_Demand | Stopped] -- c:\xampp\apache\bin\apache.exe -- (Apache2.2)
SRV - [2008/03/02 02:13:08 | 000,265,912 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/03/01 22:28:41 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/03/20 15:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)


========== Driver Services (SafeList) ==========

DRV - [2008/08/01 14:39:48 | 000,239,616 | ---- | M] (CamVendor) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\cam3820a.sys -- (Cam3820)
DRV - [2008/03/01 21:28:19 | 000,015,600 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\gdrv.sys -- (gdrv)
DRV - [2008/01/02 15:48:28 | 002,016,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2007/08/03 12:44:58 | 000,091,648 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2007/07/18 21:32:40 | 001,841,312 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/07/13 16:25:22 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2007/06/22 08:54:32 | 000,087,424 | ---- | M] (Cmotech Co., Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\cmusbnet.sys -- (cmusbnet) WAN Driver @ 3GPP (6280)
DRV - [2007/03/02 07:19:44 | 000,240,128 | ---- | M] (PARADOX) [Kernel | Boot | Stopped] -- C:\Windows\system32\DRIVERS\royal.sys -- (OemBiosDevice)
DRV - [2006/12/13 17:31:56 | 000,087,040 | ---- | M] (Cmotech Co.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\cmusbser.sys -- (cmusbser)
DRV - [2006/11/02 19:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 19:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 19:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 19:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 19:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 19:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 19:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 19:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 19:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 19:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 19:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 19:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 19:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 19:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 19:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 19:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 19:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 19:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 19:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 19:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 19:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 19:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 19:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 19:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 19:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 19:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 19:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 19:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 19:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 19:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 19:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 19:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 19:49:30 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2006/11/02 19:49:28 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2006/11/02 19:49:20 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/02 18:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 18:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 18:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 18:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 18:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 18:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 17:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 17:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.sgtpepper.com.au/"
FF - prefs.js..extensions.enabledItems: {6AC85730-7D0F-4de0-B3FA-21142DD85326}:2.0.2.1
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971
FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.8
FF - prefs.js..network.proxy.no_proxies_on: "*.local"


[2009/02/18 17:27:59 | 000,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Mozilla\Extensions
[2010/03/30 17:21:20 | 000,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\oe2dkob3.default\extensions
[2009/08/22 18:12:37 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\oe2dkob3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/02/19 17:49:46 | 000,000,000 | ---D | M] (ColorZilla) -- C:\Users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\oe2dkob3.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
[2009/08/27 20:32:48 | 000,000,000 | ---D | M] (Web Developer) -- C:\Users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\oe2dkob3.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2010/05/04 18:41:23 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/03/08 16:07:43 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (IE Developer Toolbar BHO) - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [BigPondWirelessBroadbandCM] C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe (Telstra)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [RunUVC] C:\Program Files\UVC Video Camera\RUNUVC.exe ()
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [UVCSti] C:\Program Files\UVC Video Camera\UVCSti.exe (Alcor Micro Corp.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/pr01/resou...NPUplden-au.cab (MSN Photo Upload Tool)
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} http://www.fujifilmimagine.com/imagine/ax/ImageUploader5.cab (Image Uploader Control)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\Windows\System32\avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Users\Don\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Users\Don\Pictures\sick bobber.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/03/01 21:51:20 | 000,000,051 | -HS- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2006/11/02 21:18:47 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 90 Days ==========

[2010/05/11 18:29:12 | 000,000,000 | ---D | C] -- C:\site (new)
[2010/05/03 21:07:28 | 000,000,000 | ---D | C] -- C:\site (backup)
[2010/04/21 21:05:24 | 000,000,000 | ---D | C] -- C:\Users\Don\Desktop\lathe tools
[2010/04/17 10:58:10 | 000,000,000 | ---D | C] -- C:\Users\Don\Desktop\DCIM
[2010/04/17 05:41:12 | 000,000,000 | ---D | C] -- C:\Windows\LastGood
[2010/04/01 07:02:40 | 000,000,000 | ---D | C] -- C:\Users\Don\AppData\Roaming\DivX
[2010/04/01 07:02:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PX Storage Engine
[2010/04/01 07:02:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DivX Shared
[2010/04/01 07:01:23 | 000,000,000 | ---D | C] -- C:\Program Files\DivX
[2010/04/01 07:01:07 | 000,000,000 | ---D | C] -- C:\ProgramData\DivX
[2010/04/01 07:00:44 | 000,986,904 | ---- | C] (DivX, Inc. ) -- C:\Users\Don\Desktop\DivXInstaller.exe
[2010/03/31 20:41:53 | 000,000,000 | ---D | C] -- C:\Users\Don\AppData\Roaming\Google
[2010/03/31 20:41:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Google
[2010/03/31 20:38:38 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2010/03/22 12:02:59 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/03/21 11:00:13 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe
[2010/03/13 13:58:15 | 000,000,000 | ---D | C] -- C:\Users\Don\Desktop\101NIKON
[2010/03/09 03:59:18 | 000,094,208 | ---- | C] (DivX, Inc.) -- C:\Windows\System32\dpl100.dll
[2010/03/08 16:15:11 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/03/08 16:14:23 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/03/08 15:56:12 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/03/08 15:56:12 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/03/08 15:56:12 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/03/08 15:56:12 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/03/08 15:56:05 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/03/08 15:52:00 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/03 04:16:04 | 000,353,592 | ---- | C] (DivX, Inc.) -- C:\Windows\System32\DivXControlPanelApplet.cpl
[2010/02/27 11:42:33 | 000,000,000 | ---D | C] -- C:\PerfLogs
[2010/02/27 10:21:32 | 000,000,000 | ---D | C] -- C:\be3f5619a39ba2f059aa2ce679e7bc
[2010/02/21 17:15:02 | 000,000,000 | ---D | C] -- C:\$AVG
[2010/02/21 17:14:29 | 000,000,000 | ---D | C] -- C:\ProgramData\avg9
[2010/02/20 05:27:36 | 000,720,384 | ---- | C] (DivX, Inc.) -- C:\Windows\System32\DivX.dll
[2010/02/20 05:27:16 | 000,856,064 | ---- | C] (DivX, Inc.) -- C:\Windows\System32\divx_xx0c.dll
[2010/02/20 05:27:16 | 000,856,064 | ---- | C] (DivX, Inc.) -- C:\Windows\System32\divx_xx07.dll
[2010/02/20 05:27:16 | 000,847,872 | ---- | C] (DivX, Inc.) -- C:\Windows\System32\divx_xx0a.dll
[2010/02/20 05:27:16 | 000,843,776 | ---- | C] (DivX, Inc.) -- C:\Windows\System32\divx_xx16.dll
[2010/02/20 05:27:16 | 000,839,680 | ---- | C] (DivX, Inc.) -- C:\Windows\System32\divx_xx11.dll
[2010/02/18 16:33:28 | 000,000,000 | ---D | C] -- C:\Users\Don\AppData\Roaming\Zipeg
[2010/02/18 16:33:06 | 000,000,000 | ---D | C] -- C:\Users\Don\AppData\Local\com.zipeg
[2010/02/18 16:33:04 | 000,000,000 | ---D | C] -- C:\Program Files\Zipeg
[2010/02/18 16:32:31 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/02/18 16:32:09 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/02/14 14:39:54 | 000,000,000 | ---D | C] -- C:\Users\Don\Desktop\Photos for Amy
[2010/02/12 18:18:38 | 000,000,000 | ---D | C] -- C:\Program Files\BeerSmith

========== Files - Modified Within 90 Days ==========

[2010/05/12 20:35:06 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/12 20:35:06 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/12 20:34:46 | 003,145,728 | -HS- | M] () -- C:\Users\Don\ntuser.dat
[2010/05/12 20:33:32 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe
[2010/05/12 20:28:29 | 000,000,414 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{CE8E2186-348C-4D24-972D-53E3DA10290F}.job
[2010/05/12 18:35:07 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/12 12:36:49 | 001,298,141 | ---- | M] () -- C:\Users\Don\Desktop\sergeantpepper_com_au_zencart.sql
[2010/05/03 21:06:54 | 000,001,785 | ---- | M] () -- C:\Users\Public\Desktop\FileZilla Client.lnk
[2010/05/03 21:05:02 | 001,072,999 | ---- | M] () -- C:\Users\Don\Documents\Sergeant Pepper Statistics.docx
[2010/05/03 20:48:58 | 000,713,128 | ---- | M] () -- C:\Users\Don\Desktop\access_log
[2010/04/25 17:52:46 | 001,636,336 | ---- | M] () -- C:\Users\Don\Desktop\0425-raiders-furner.mp3
[2010/04/17 05:42:54 | 000,625,810 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/04/17 05:42:54 | 000,108,966 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/04/17 05:42:53 | 000,720,952 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/15 03:20:07 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/15 03:19:49 | 2136,465,408 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/15 03:18:17 | 001,885,834 | -H-- | M] () -- C:\Users\Don\AppData\Local\IconCache.db
[2010/04/05 10:22:23 | 000,047,104 | ---- | M] () -- C:\Users\Don\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/01 07:03:22 | 000,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini
[2010/04/01 07:02:56 | 000,001,392 | ---- | M] () -- C:\Users\Don\Desktop\DivX Movies.lnk
[2010/04/01 07:02:37 | 000,000,917 | ---- | M] () -- C:\Users\Public\Desktop\DivX Plus Player.lnk
[2010/04/01 07:02:27 | 000,000,957 | ---- | M] () -- C:\Users\Public\Desktop\DivX Plus Converter.lnk
[2010/04/01 07:00:46 | 000,986,904 | ---- | M] (DivX, Inc. ) -- C:\Users\Don\Desktop\DivXInstaller.exe
[2010/03/31 21:03:17 | 000,043,789 | ---- | M] () -- C:\Users\Don\Documents\AutoSave_Greenhouse Plan.skp
[2010/03/31 20:58:14 | 000,043,789 | ---- | M] () -- C:\Users\Don\Documents\Greenhouse Plan.skp
[2010/03/31 20:39:02 | 000,001,902 | ---- | M] () -- C:\Users\Public\Desktop\Google SketchUp 7.lnk
[2010/03/10 02:20:28 | 000,102,112 | ---- | M] () -- C:\Users\Don\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/03/10 02:19:44 | 001,717,352 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/03/09 03:59:18 | 000,094,208 | ---- | M] (DivX, Inc.) -- C:\Windows\System32\dpl100.dll
[2010/03/08 16:08:06 | 000,000,249 | ---- | M] () -- C:\Windows\system.ini
[2010/03/08 16:07:43 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/03/03 04:16:04 | 000,353,592 | ---- | M] (DivX, Inc.) -- C:\Windows\System32\DivXControlPanelApplet.cpl
[2010/02/27 10:14:18 | 000,000,056 | -H-- | M] () -- C:\Windows\System32\ezsidmv.dat
[2010/02/21 11:52:12 | 000,051,289 | ---- | M] () -- C:\Users\Don\Documents\manual.pdf
[2010/02/20 05:27:36 | 000,720,384 | ---- | M] (DivX, Inc.) -- C:\Windows\System32\DivX.dll
[2010/02/20 05:27:16 | 000,856,064 | ---- | M] (DivX, Inc.) -- C:\Windows\System32\divx_xx0c.dll
[2010/02/20 05:27:16 | 000,856,064 | ---- | M] (DivX, Inc.) -- C:\Windows\System32\divx_xx07.dll
[2010/02/20 05:27:16 | 000,847,872 | ---- | M] (DivX, Inc.) -- C:\Windows\System32\divx_xx0a.dll
[2010/02/20 05:27:16 | 000,843,776 | ---- | M] (DivX, Inc.) -- C:\Windows\System32\divx_xx16.dll
[2010/02/20 05:27:16 | 000,839,680 | ---- | M] (DivX, Inc.) -- C:\Windows\System32\divx_xx11.dll
[2010/02/12 18:18:48 | 000,000,816 | ---- | M] () -- C:\Users\Public\Desktop\BeerSmith.lnk

========== Files Created - No Company Name ==========

[2010/05/12 12:36:44 | 001,298,141 | ---- | C] () -- C:\Users\Don\Desktop\sergeantpepper_com_au_zencart.sql
[2010/05/03 20:48:57 | 000,713,128 | ---- | C] () -- C:\Users\Don\Desktop\access_log
[2010/04/25 17:52:41 | 001,636,336 | ---- | C] () -- C:\Users\Don\Desktop\0425-raiders-furner.mp3
[2010/04/01 07:02:56 | 000,001,392 | ---- | C] () -- C:\Users\Don\Desktop\DivX Movies.lnk
[2010/04/01 07:02:37 | 000,000,917 | ---- | C] () -- C:\Users\Public\Desktop\DivX Plus Player.lnk
[2010/04/01 07:02:27 | 000,000,957 | ---- | C] () -- C:\Users\Public\Desktop\DivX Plus Converter.lnk
[2010/04/01 06:49:33 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2010/03/31 21:03:17 | 000,043,789 | ---- | C] () -- C:\Users\Don\Documents\AutoSave_Greenhouse Plan.skp
[2010/03/31 20:58:14 | 000,043,789 | ---- | C] () -- C:\Users\Don\Documents\Greenhouse Plan.skp
[2010/03/31 20:39:02 | 000,001,902 | ---- | C] () -- C:\Users\Public\Desktop\Google SketchUp 7.lnk
[2010/03/08 15:56:12 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/03/08 15:56:12 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/03/08 15:56:12 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/03/08 15:56:12 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/03/08 15:56:12 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/02/27 10:14:18 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
[2010/02/21 11:52:12 | 000,051,289 | ---- | C] () -- C:\Users\Don\Documents\manual.pdf
[2010/02/12 18:18:48 | 000,000,816 | ---- | C] () -- C:\Users\Public\Desktop\BeerSmith.lnk
[2010/01/28 18:04:38 | 000,002,554 | ---- | C] () -- C:\Windows\WAVEMIX.INI
[2008/11/22 11:37:22 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
[2008/11/22 11:34:58 | 000,000,025 | ---- | C] () -- C:\Windows\CDE RX610Asia.ini
[2008/03/01 22:34:35 | 002,463,976 | ---- | C] () -- C:\Windows\System32\NPSWF32.dll
[2008/03/01 21:23:40 | 001,174,000 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2008/03/01 21:23:40 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1302.dll
[2008/03/01 21:23:40 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2008/03/01 21:19:46 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
[2008/01/02 15:57:36 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1409.dll
[2008/01/02 15:47:22 | 001,953,696 | ---- | C] () -- C:\Windows\System32\igklg400.dll
[2008/01/02 15:47:22 | 001,533,360 | ---- | C] () -- C:\Windows\System32\igklg450.dll
[2006/11/02 22:34:23 | 000,080,010 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en
[2006/11/02 22:34:20 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 17:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== LOP Check ==========

[2009/12/19 12:08:05 | 000,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\EPSON
[2010/05/12 20:32:26 | 000,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\FileZilla
[2008/12/08 19:45:38 | 000,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Notepad++
[2010/05/04 18:39:06 | 000,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Zipeg
[2010/04/15 03:18:30 | 000,032,584 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/05/12 20:28:29 | 000,000,414 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{CE8E2186-348C-4D24-972D-53E3DA10290F}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2006/11/02 19:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\ERDNT\cache\AGP440.sys
[2006/11/02 19:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\AGP440.sys
[2006/11/02 19:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2006/11/02 19:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2008/03/02 02:09:51 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\ERDNT\cache\atapi.sys
[2010/03/21 10:57:14 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\drivers\atapi.sys
[2008/03/02 02:09:51 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[2008/03/02 02:09:51 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2008/03/02 02:09:51 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 19:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\ERDNT\cache\cngaudit.dll
[2006/11/02 19:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 19:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2006/11/02 19:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys
[2006/11/02 19:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2006/11/02 19:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\ERDNT\cache\netlogon.dll
[2006/11/02 19:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\System32\netlogon.dll
[2006/11/02 19:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 19:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
[2006/11/02 19:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys

< MD5 for: SCECLI.DLL >
[2006/11/02 19:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\ERDNT\cache\scecli.dll
[2006/11/02 19:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\System32\scecli.dll
[2006/11/02 19:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2010/03/10 02:49:34 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtmsft.dll
[2010/03/10 02:49:34 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtrans.dll
[2006/11/02 19:47:18 | 000,228,968 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2008/03/02 02:07:15 | 000,223,232 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/11/02 20:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 20:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 20:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 20:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 20:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemdrive%\*.sys /90 /md5 >
[2010/04/15 03:19:49 | 2136,465,408 | -HS- | M] () Unable to obtain MD5 -- C:\hiberfil.sys
[2010/04/15 03:19:47 | 2450,391,040 | -HS- | M] () Unable to obtain MD5 -- C:\pagefile.sys
< End of report >


It's not generating the extra report? Ran the scan twice with no luck.

Brendan

Edited by 19brendan81, 12 May 2010 - 06:06 AM.


#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:23 AM

Posted 13 May 2010 - 09:20 AM

Hi,


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#5 19brendan81

19brendan81
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 17 May 2010 - 06:58 PM

Hi Tom,

The computer keeps freezing when using GMER, but it is identifying a number of infections. IE explorer has some, it appears my hard drive has some, and there were others that I can't remember.

Should I keep trying to get you the log or can you advise how to proceed with the above information? Do you think I should be preparing to format my hard drive? It seems pretty bad.

Brendan

#6 schrauber

Posted 19 May 2010 - 02:34 AM

No, we will do something else :)


Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


#7 schrauber

Posted 22 May 2010 - 11:27 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber


#8 schrauber

Posted 24 May 2010 - 01:03 AM

Reopened by user request.
regards,
schrauber


#9 19brendan81

Posted 24 May 2010 - 09:45 PM

Combofix log....


ComboFix 10-05-23.06 - Don 24/05/2010 16:01:22.2.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.61.1033.18.2037.1198 [GMT 10:00]
Running from: c:\users\Don\Desktop\schrauber.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))
.

2010-05-24 06:06 . 2010-05-24 06:06 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-24 06:06 . 2010-05-24 06:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-11 08:29 . 2010-05-11 08:31 -------- d-----w- C:\site (new)
2010-05-03 11:07 . 2010-05-11 03:26 -------- d-----w- C:\site (backup)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-24 03:33 . 2010-02-12 08:18 -------- d-----w- c:\program files\BeerSmith
2010-05-14 13:05 . 2009-01-29 10:54 -------- d-----w- c:\users\Don\AppData\Roaming\FileZilla
2010-05-05 08:41 . 2009-07-06 10:49 -------- d-----w- c:\program files\WinMerge
2010-05-04 08:39 . 2010-02-18 06:33 -------- d-----w- c:\users\Don\AppData\Roaming\Zipeg
2010-05-03 11:06 . 2009-01-29 10:53 -------- d-----w- c:\program files\FileZilla FTP Client
2010-04-14 17:18 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-31 21:03 . 2010-03-31 21:02 -------- d-----w- c:\users\Don\AppData\Roaming\DivX
2010-03-31 16:18 . 2009-05-24 00:00 -------- d-----w- c:\users\Don\AppData\Roaming\Skype
2010-03-31 10:38 . 2010-03-31 10:38 -------- d-----w- c:\program files\Google
2010-03-21 00:57 . 2008-03-01 16:09 21560 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-09 16:54 . 2010-03-31 03:59 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:50 . 2010-03-31 03:59 56320 ----a-w- c:\windows\system32\iesetup.dll
2010-03-09 16:50 . 2010-03-31 03:59 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 16:50 . 2010-03-31 03:59 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2010-03-09 16:48 . 2010-03-31 03:59 72704 ----a-w- c:\windows\system32\admparse.dll
2010-03-09 16:20 . 2008-03-01 11:15 102112 ----a-w- c:\users\Don\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-09 14:17 . 2010-03-31 03:59 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-09 12:43 . 2010-03-31 03:59 48128 ----a-w- c:\windows\system32\mshtmler.dll
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-03-04 19:24 . 2010-04-14 07:56 434176 ----a-w- c:\windows\system32\vbscript.dll
2010-02-27 00:14 . 2010-02-27 00:14 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-02-23 13:14 . 2010-04-14 07:56 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 13:14 . 2010-04-14 07:56 58368 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 13:14 . 2010-04-14 07:56 102400 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-03-01 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-16 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-03-01 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"Skytel"="Skytel.exe" [2007-06-15 1826816]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"BigPondWirelessBroadbandCM"="c:\program files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe" [2008-05-07 2162688]
"RunUVC"="c:\program files\UVC Video Camera\RUNUVC.exe" [2008-04-30 7680]
"UVCSti"="c:\program files\UVC Video Camera\UVCSti.exe" [2008-08-01 245760]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R0 OemBiosDevice;Royalty OEM BIOS Extension;c:\windows\system32\DRIVERS\royal.sys [2007-03-01 240128]
R3 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2008-06-14 17408]
R3 Cam3820;Cam3820 PC Camera Driver;c:\windows\system32\Drivers\cam3820a.sys [2008-08-01 239616]
R3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\DRIVERS\cmusbnet.sys [2007-06-21 87424]
R3 cmusbser;%CMUSBSER%;c:\windows\system32\DRIVERS\cmusbser.sys [2006-12-13 87040]

.
Contents of the 'Scheduled Tasks' folder

2010-05-24 c:\windows\Tasks\User_Feed_Synchronization-{CE8E2186-348C-4D24-972D-53E3DA10290F}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3580)
c:\windows\system32\ieframe.dll
c:\windows\System32\SyncCenter.dll
.
Completion time: 2010-05-24 16:08:07
ComboFix-quarantined-files.txt 2010-05-24 06:08
ComboFix2.txt 2010-03-08 06:15

Pre-Run: 28,409,831,424 bytes free
Post-Run: 28,350,369,792 bytes free

- - End Of File - - 2F578014EA7AA205CDD282658707BD36


#10 schrauber

Posted 25 May 2010 - 01:40 AM

Hi,

Please navigate to c:\Qoobox and post back with the content of Combofix2.txt.
regards,
schrauber


#11 19brendan81

Posted 25 May 2010 - 04:06 AM

Here 'tis....

ComboFix 10-03-07.04 - Don 08/03/2010 16:58:11.1.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.61.1033.18.2037.1296 [GMT 11:00]
Running from: c:\users\Don\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-51003140-4199384537-3980697693-500
c:\program files\Mozilla Firefox\components\npclntax.xpt
c:\program files\Mozilla Firefox\Plugins\npclntax_HotbarSA.dll
c:\program files\UVC Video Camera\RunEffect.exe
c:\programdata\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\programdata\HotbarSA
c:\programdata\HotbarSA\HotbarSA.dat
c:\programdata\HotbarSA\HotbarSA_kyf.dat
c:\programdata\HotbarSA\HotbarSAAbout.mht
c:\programdata\HotbarSA\HotbarSAau.dat
c:\programdata\HotbarSA\HotbarSAEULA.mht
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar\About Hotbar.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Customer Support Center.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Games!.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Uninstall Instructions.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Videos!.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar\Reset Cursor.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar\Weather.lnk
c:\users\Don\AppData\Local\Microsoft\CD Burning\AUTORUN.inF
c:\users\Don\AppData\Roaming\WeatherDPA
c:\windows\system32\spool\prtprocs\w32x86\000061c0.tmp
c:\windows\system32\twain_32.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_RunEffect serivce


((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
.

2010-02-27 01:42 . 2010-02-27 01:42 -------- d-----w- C:\PerfLogs
2010-02-27 00:21 . 2010-03-02 03:32 -------- d-----w- C:\be3f5619a39ba2f059aa2ce679e7bc
2010-02-27 00:14 . 2010-02-27 00:14 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-02-27 00:13 . 2008-01-02 05:33 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-02-21 07:15 . 2010-02-21 07:50 -------- d-----w- C:\$AVG
2010-02-21 07:14 . 2010-02-21 07:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-21 07:14 . 2010-02-21 07:14 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-21 07:14 . 2010-02-21 07:14 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-21 07:14 . 2010-03-07 22:34 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-21 07:14 . 2010-02-21 07:14 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-21 07:14 . 2010-02-21 07:14 -------- d-----w- c:\program files\AVG
2010-02-21 07:14 . 2010-02-21 07:14 -------- d-----w- c:\programdata\avg9
2010-02-18 06:33 . 2010-02-24 11:14 -------- d-----w- c:\users\Don\AppData\Roaming\Zipeg
2010-02-18 06:33 . 2010-02-18 06:33 -------- d-----w- c:\users\Don\AppData\Local\com.zipeg
2010-02-18 06:33 . 2010-02-18 06:33 -------- d-----w- c:\program files\Zipeg
2010-02-18 06:32 . 2010-02-18 06:32 -------- d-----w- c:\program files\Java
2010-02-18 06:32 . 2010-02-18 06:32 -------- d-----w- c:\program files\Common Files\Java
2010-02-12 08:18 . 2010-02-12 08:18 -------- d-----w- c:\program files\BeerSmith

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-08 06:07 . 2009-05-24 00:00 -------- d-----w- c:\users\Don\AppData\Roaming\Skype
2010-03-08 06:04 . 2009-06-21 01:42 -------- d-----w- c:\program files\UVC Video Camera
2010-03-08 05:30 . 2009-05-24 07:23 -------- d-----w- c:\users\Don\AppData\Roaming\skypePM
2010-03-02 03:31 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2010-03-02 03:31 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2010-03-02 03:31 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-24 07:11 . 2009-01-29 10:54 -------- d-----w- c:\users\Don\AppData\Roaming\FileZilla
2010-02-21 07:14 . 2010-02-23 09:41 3777280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2010-02-21 07:14 . 2010-02-23 09:41 1260800 ----a-w- c:\programdata\avg9\update\backup\avgfrw.exe
2010-02-12 23:03 . 2008-03-01 12:53 -------- d-----w- c:\programdata\FLEXnet
2010-02-01 06:07 . 2010-02-01 06:04 -------- d-----w- c:\program files\Tony Foale Designs
2010-01-14 00:12 . 2009-10-03 05:18 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-28 12:36 . 2010-02-10 01:20 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-28 12:35 . 2010-02-10 01:20 1327616 ----a-w- c:\windows\system32\quartz.dll
2009-12-28 12:34 . 2010-02-10 01:20 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-28 12:34 . 2010-02-10 01:20 31232 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-28 12:34 . 2010-02-10 01:20 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-28 12:34 . 2010-02-10 01:20 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-28 12:33 . 2010-02-10 01:20 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-28 12:32 . 2010-02-10 01:20 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-28 12:30 . 2010-02-10 01:20 88576 ----a-w- c:\windows\system32\avifil32.dll
2009-12-28 12:30 . 2010-02-10 01:20 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-12-18 12:52 . 2010-01-22 06:48 832512 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 12:48 . 2010-01-22 06:47 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-12-18 12:48 . 2010-01-22 06:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 12:48 . 2010-01-22 06:47 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2009-12-18 12:46 . 2010-01-22 06:47 72704 ----a-w- c:\windows\system32\admparse.dll
2009-12-18 10:18 . 2010-01-22 06:47 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-18 08:45 . 2010-01-22 06:47 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-12-11 12:15 . 2010-02-10 01:20 306688 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-11 12:15 . 2010-02-10 01:20 84992 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-12-08 20:54 . 2010-02-10 01:20 3502168 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:54 . 2010-02-10 01:20 3467848 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 20:19 . 2010-02-10 01:20 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2009-12-08 17:58 . 2010-02-10 01:20 813568 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 17:57 . 2010-02-10 01:20 22016 ----a-w- c:\windows\system32\netiougc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-03-01 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-03-01 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"Skytel"="Skytel.exe" [2007-06-15 1826816]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"BigPondWirelessBroadbandCM"="c:\program files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe" [2008-05-07 2162688]
"RunUVC"="c:\program files\UVC Video Camera\RUNUVC.exe" [2008-04-30 7680]
"UVCSti"="c:\program files\UVC Video Camera\UVCSti.exe" [2008-08-01 245760]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R0 OemBiosDevice;Royalty OEM BIOS Extension;c:\windows\system32\DRIVERS\royal.sys [2007-03-01 240128]
R3 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2008-06-14 17408]
R3 Cam3820;Cam3820 PC Camera Driver;c:\windows\system32\Drivers\cam3820a.sys [2008-08-01 239616]
R3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\DRIVERS\cmusbnet.sys [2007-06-21 87424]
R3 cmusbser;%CMUSBSER%;c:\windows\system32\DRIVERS\cmusbser.sys [2006-12-13 87040]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-02-21 333192]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-02-21 360584]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-02-21 285392]

.
Contents of the 'Scheduled Tasks' folder

2010-03-07 c:\windows\Tasks\User_Feed_Synchronization-{CE8E2186-348C-4D24-972D-53E3DA10290F}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\oe2dkob3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.sgtpepper.com.au/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\oe2dkob3.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Maniac Mansion Deluxe - c:\games\Uninstal.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-08 17:09
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll atapi.sys >>UNKNOWN [0x858A28C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82755d1f
\Driver\ACPI -> acpi.sys @ 0x804699d6
\Driver\atapi -> atapi.sys @ 0x8076f99c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1540)
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\RtHDVCpl.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\xampp\mysql\bin\mysqld-nt.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\WUDFHost.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\program files\AVG\AVG9\avgupd.exe
.
**************************************************************************
.
Completion time: 2010-03-08 17:15:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-08 06:15

Pre-Run: 30,368,493,568 bytes free
Post-Run: 32,108,679,168 bytes free

- - End Of File - - A98A5C2BBA27DEA3E080FA428443D0F0

Brendan

#12 schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:23 AM

Posted 26 May 2010 - 01:03 PM

Hi,

How is it running?

  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box, paste this in:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemdrive%\*.sys /90 /md5
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#13 19brendan81

  • Topic Starter

  • Members
  • 15 posts
  • Local time:03:23 AM

Posted 26 May 2010 - 11:07 PM

It's still not producing the Extra report, but here is the OTL.txt.

The computer hasn't had any symptoms of a virus the whole time we have been doing this.

Brendan

OTL.txt

OTL logfile created on: 27/05/2010 1:51:24 PM - Run 5
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Users\Don\Desktop
Windows Vista Ultimate Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000c09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 63.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 78.12 Gb Total Space | 20.58 Gb Free Space | 26.34% Space Free | Partition Type: NTFS
Drive D: | 154.76 Gb Total Space | 154.36 Gb Free Space | 99.74% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DON-PC
Current User Name: Don
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/27 13:48:34 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe
PRC - [2010/03/10 00:18:07 | 000,301,568 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\ieuser.exe
PRC - [2008/10/29 16:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/08/04 23:45:16 | 005,779,456 | ---- | M] () -- c:\xampp\mysql\bin\mysqld-nt.exe
PRC - [2008/08/04 09:02:20 | 000,036,352 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2008/08/01 14:50:14 | 000,245,760 | ---- | M] (Alcor Micro Corp.) -- C:\Program Files\UVC Video Camera\UVCSti.exe
PRC - [2008/05/07 12:41:56 | 002,162,688 | ---- | M] (Telstra) -- C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe
PRC - [2008/03/01 22:28:41 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2008/01/11 19:54:31 | 000,623,992 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
PRC - [2007/07/06 13:06:52 | 004,669,440 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2006/10/27 14:16:48 | 012,813,096 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE


========== Modules (SafeList) ==========

MOD - [2010/05/27 13:48:34 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe
MOD - [2006/11/02 19:44:49 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2006/11/02 19:38:57 | 001,648,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2008/08/04 23:45:16 | 005,779,456 | ---- | M] () [Auto | Running] -- c:\xampp\mysql\bin\mysqld-nt.exe -- (mysql)
SRV - [2008/07/30 18:53:08 | 000,587,776 | ---- | M] (FileZilla Project) [On_Demand | Stopped] -- c:\xampp\FileZillaFTP\FileZillaServer.exe -- (FileZilla Server)
SRV - [2008/06/15 03:02:12 | 000,017,408 | ---- | M] (Apache Software Foundation) [On_Demand | Stopped] -- c:\xampp\apache\bin\apache.exe -- (Apache2.2)
SRV - [2008/03/02 02:13:08 | 000,265,912 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/03/01 22:28:41 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/03/20 15:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)


========== Driver Services (SafeList) ==========

DRV - [2008/08/01 14:39:48 | 000,239,616 | ---- | M] (CamVendor) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\cam3820a.sys -- (Cam3820)
DRV - [2008/03/01 21:28:19 | 000,015,600 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\gdrv.sys -- (gdrv)
DRV - [2008/01/02 15:48:28 | 002,016,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2007/08/03 12:44:58 | 000,091,648 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2007/07/18 21:32:40 | 001,841,312 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/07/13 16:25:22 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2007/06/22 08:54:32 | 000,087,424 | ---- | M] (Cmotech Co., Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\cmusbnet.sys -- (cmusbnet) WAN Driver @ 3GPP (6280)
DRV - [2007/03/02 07:19:44 | 000,240,128 | ---- | M] (PARADOX) [Kernel | Boot | Stopped] -- C:\Windows\system32\DRIVERS\royal.sys -- (OemBiosDevice)
DRV - [2006/12/13 17:31:56 | 000,087,040 | ---- | M] (Cmotech Co.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\cmusbser.sys -- (cmusbser)
DRV - [2006/11/02 19:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 19:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 19:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 19:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 19:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 19:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 19:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 19:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 19:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 19:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 19:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 19:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 19:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 19:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 19:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 19:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 19:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 19:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 19:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 19:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 19:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 19:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 19:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 19:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 19:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 19:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 19:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 19:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 19:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 19:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 19:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 19:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 19:49:30 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2006/11/02 19:49:28 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2006/11/02 19:49:20 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/02 18:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 18:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 18:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 18:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 18:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 18:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 17:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 17:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.sgtpepper.com.au/"
FF - prefs.js..extensions.enabledItems: {6AC85730-7D0F-4de0-B3FA-21142DD85326}:2.0.2.1
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971
FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.8
FF - prefs.js..network.proxy.no_proxies_on: "*.local"


[2009/02/18 17:27:59 | 000,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Mozilla\Extensions
[2010/03/30 17:21:20 | 000,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\oe2dkob3.default\extensions
[2009/08/22 18:12:37 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\oe2dkob3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/02/19 17:49:46 | 000,000,000 | ---D | M] (ColorZilla) -- C:\Users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\oe2dkob3.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
[2009/08/27 20:32:48 | 000,000,000 | ---D | M] (Web Developer) -- C:\Users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\oe2dkob3.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2010/05/04 18:41:23 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/03/08 16:07:43 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (IE Developer Toolbar BHO) - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [BigPondWirelessBroadbandCM] C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe (Telstra)
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [RunUVC] C:\Program Files\UVC Video Camera\RUNUVC.exe ()
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [UVCSti] C:\Program Files\UVC Video Camera\UVCSti.exe (Alcor Micro Corp.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/pr01/resou...NPUplden-au.cab (MSN Photo Upload Tool)
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} http://www.fujifilmimagine.com/imagine/ax/ImageUploader5.cab (Image Uploader Control)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Users\Don\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Users\Don\Pictures\sick bobber.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/03/01 21:51:20 | 000,000,051 | -HS- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2006/11/02 21:18:47 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 90 Days ==========

[2010/05/27 13:48:31 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe
[2010/05/25 18:37:58 | 000,000,000 | ---D | C] -- C:\Users\Don\Documents\Lathe Labels
[2010/05/24 16:08:08 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/05/24 16:07:40 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/05/24 16:00:23 | 000,000,000 | ---D | C] -- C:\schrauber
[2010/05/11 18:29:12 | 000,000,000 | ---D | C] -- C:\site (new)
[2010/05/03 21:07:28 | 000,000,000 | ---D | C] -- C:\site (backup)
[2010/04/21 21:05:24 | 000,000,000 | ---D | C] -- C:\Users\Don\Desktop\lathe tools
[2010/04/17 10:58:10 | 000,000,000 | ---D | C] -- C:\Users\Don\Desktop\DCIM
[2010/04/01 07:02:40 | 000,000,000 | ---D | C] -- C:\Users\Don\AppData\Roaming\DivX
[2010/04/01 07:02:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PX Storage Engine
[2010/04/01 07:01:23 | 000,000,000 | ---D | C] -- C:\Program Files\DivX
[2010/04/01 07:01:07 | 000,000,000 | ---D | C] -- C:\ProgramData\DivX
[2010/03/31 20:41:53 | 000,000,000 | ---D | C] -- C:\Users\Don\AppData\Roaming\Google
[2010/03/31 20:41:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Google
[2010/03/31 20:38:38 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2010/03/22 12:02:59 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/03/13 13:58:15 | 000,000,000 | ---D | C] -- C:\Users\Don\Desktop\101NIKON
[2010/03/08 15:56:12 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/03/08 15:56:12 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/03/08 15:56:12 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/03/08 15:56:12 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/03/08 15:56:05 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/03/08 15:52:00 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/27 11:42:33 | 000,000,000 | ---D | C] -- C:\PerfLogs
[2010/02/27 10:21:32 | 000,000,000 | ---D | C] -- C:\be3f5619a39ba2f059aa2ce679e7bc

========== Files - Modified Within 90 Days ==========

[2010/05/27 13:52:29 | 003,145,728 | -HS- | M] () -- C:\Users\Don\ntuser.dat
[2010/05/27 13:50:23 | 000,000,414 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{CE8E2186-348C-4D24-972D-53E3DA10290F}.job
[2010/05/27 13:48:34 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\Don\Desktop\OTL.exe
[2010/05/27 13:46:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/27 13:46:45 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/27 13:46:45 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/25 19:44:27 | 000,720,952 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/05/25 19:44:27 | 000,625,810 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/05/25 19:44:27 | 000,108,966 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/05/25 19:37:53 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/25 19:37:46 | 2136,465,408 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/25 19:36:49 | 002,545,225 | -H-- | M] () -- C:\Users\Don\AppData\Local\IconCache.db
[2010/05/24 16:15:34 | 000,000,418 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2010/05/24 16:06:36 | 000,000,249 | ---- | M] () -- C:\Windows\system.ini
[2010/05/24 15:59:59 | 003,696,016 | R--- | M] () -- C:\Users\Don\Desktop\schrauber.exe
[2010/05/19 19:15:09 | 000,010,065 | ---- | M] () -- C:\Users\Don\Documents\My mills and drills.xlsx
[2010/05/16 19:24:35 | 000,293,376 | ---- | M] () -- C:\Users\Don\Desktop\10pcuy0w.exe
[2010/05/12 20:47:36 | 000,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini
[2010/05/12 20:47:35 | 000,047,616 | ---- | M] () -- C:\Users\Don\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/12 12:36:49 | 001,298,141 | ---- | M] () -- C:\Users\Don\Desktop\sergeantpepper_com_au_zencart.sql
[2010/05/03 21:06:54 | 000,001,785 | ---- | M] () -- C:\Users\Public\Desktop\FileZilla Client.lnk
[2010/05/03 21:05:02 | 001,072,999 | ---- | M] () -- C:\Users\Don\Documents\Sergeant Pepper Statistics.docx
[2010/05/03 20:48:58 | 000,713,128 | ---- | M] () -- C:\Users\Don\Desktop\access_log
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\Windows\PEV.exe
[2010/04/01 07:02:56 | 000,001,392 | ---- | M] () -- C:\Users\Don\Desktop\DivX Movies.lnk
[2010/03/31 21:03:17 | 000,043,789 | ---- | M] () -- C:\Users\Don\Documents\AutoSave_Greenhouse Plan.skp
[2010/03/31 20:58:14 | 000,043,789 | ---- | M] () -- C:\Users\Don\Documents\Greenhouse Plan.skp
[2010/03/31 20:39:02 | 000,001,902 | ---- | M] () -- C:\Users\Public\Desktop\Google SketchUp 7.lnk
[2010/03/10 02:20:28 | 000,102,112 | ---- | M] () -- C:\Users\Don\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/03/10 02:19:44 | 001,717,352 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/03/08 16:07:43 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/02/27 10:14:18 | 000,000,056 | -H-- | M] () -- C:\Windows\System32\ezsidmv.dat

========== Files Created - No Company Name ==========

[2010/05/24 16:15:34 | 000,000,418 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010/05/24 15:59:52 | 003,696,016 | R--- | C] () -- C:\Users\Don\Desktop\schrauber.exe
[2010/05/19 19:15:08 | 000,010,065 | ---- | C] () -- C:\Users\Don\Documents\My mills and drills.xlsx
[2010/05/16 19:24:31 | 000,293,376 | ---- | C] () -- C:\Users\Don\Desktop\10pcuy0w.exe
[2010/05/12 12:36:44 | 001,298,141 | ---- | C] () -- C:\Users\Don\Desktop\sergeantpepper_com_au_zencart.sql
[2010/05/03 20:48:57 | 000,713,128 | ---- | C] () -- C:\Users\Don\Desktop\access_log
[2010/04/01 07:02:56 | 000,001,392 | ---- | C] () -- C:\Users\Don\Desktop\DivX Movies.lnk
[2010/04/01 06:49:33 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2010/03/31 21:03:17 | 000,043,789 | ---- | C] () -- C:\Users\Don\Documents\AutoSave_Greenhouse Plan.skp
[2010/03/31 20:58:14 | 000,043,789 | ---- | C] () -- C:\Users\Don\Documents\Greenhouse Plan.skp
[2010/03/31 20:39:02 | 000,001,902 | ---- | C] () -- C:\Users\Public\Desktop\Google SketchUp 7.lnk
[2010/03/08 15:56:12 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/03/08 15:56:12 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/03/08 15:56:12 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/03/08 15:56:12 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/03/08 15:56:12 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/02/27 10:14:18 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
[2010/01/28 18:04:38 | 000,002,554 | ---- | C] () -- C:\Windows\WAVEMIX.INI
[2008/11/22 11:37:22 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
[2008/11/22 11:34:58 | 000,000,025 | ---- | C] () -- C:\Windows\CDE RX610Asia.ini
[2008/03/01 22:34:35 | 002,463,976 | ---- | C] () -- C:\Windows\System32\NPSWF32.dll
[2008/03/01 21:23:40 | 001,174,000 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2008/03/01 21:23:40 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1302.dll
[2008/03/01 21:23:40 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2008/03/01 21:19:46 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
[2008/01/02 15:57:36 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1409.dll
[2008/01/02 15:47:22 | 001,953,696 | ---- | C] () -- C:\Windows\System32\igklg400.dll
[2008/01/02 15:47:22 | 001,533,360 | ---- | C] () -- C:\Windows\System32\igklg450.dll
[2006/11/02 22:34:23 | 000,080,010 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en
[2006/11/02 22:34:20 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 17:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== LOP Check ==========

[2009/12/19 12:08:05 | 000,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\EPSON
[2010/05/14 23:05:46 | 000,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\FileZilla
[2008/12/08 19:45:38 | 000,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Notepad++
[2010/05/04 18:39:06 | 000,000,000 | ---D | M] -- C:\Users\Don\AppData\Roaming\Zipeg
[2010/05/25 19:36:51 | 000,032,584 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/05/27 13:50:23 | 000,000,414 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{CE8E2186-348C-4D24-972D-53E3DA10290F}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2006/11/02 19:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\ERDNT\cache\AGP440.sys
[2006/11/02 19:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\AGP440.sys
[2006/11/02 19:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2006/11/02 19:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2010/03/21 10:57:14 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\ERDNT\cache\atapi.sys
[2010/03/21 10:57:14 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\drivers\atapi.sys
[2008/03/02 02:09:51 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[2008/03/02 02:09:51 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2008/03/02 02:09:51 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 19:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\ERDNT\cache\cngaudit.dll
[2006/11/02 19:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 19:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2006/11/02 19:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys
[2006/11/02 19:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2006/11/02 19:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\ERDNT\cache\netlogon.dll
[2006/11/02 19:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\System32\netlogon.dll
[2006/11/02 19:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 19:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
[2006/11/02 19:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys

< MD5 for: SCECLI.DLL >
[2006/11/02 19:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\ERDNT\cache\scecli.dll
[2006/11/02 19:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\System32\scecli.dll
[2006/11/02 19:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2010/03/10 02:50:34 | 000,192,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\iepeers.dll
[2006/11/02 19:47:18 | 000,228,968 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2008/03/02 02:07:15 | 000,223,232 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/11/02 20:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 20:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 20:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 20:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 20:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemdrive%\*.sys /90 /md5 >
[2010/05/25 19:37:46 | 2136,465,408 | -HS- | M] () Unable to obtain MD5 -- C:\hiberfil.sys
[2010/05/25 19:37:44 | 2450,391,040 | -HS- | M] () Unable to obtain MD5 -- C:\pagefile.sys

< >
< End of report >


#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:23 AM

Posted 27 May 2010 - 10:27 AM

Hi,

Go to Start => Run and copy/paste the following line and click OK.

cmd /c mbr.exe -t >log.txt&start log.txt

A log file opens. Please post the content to your reply.

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#15 19brendan81

19brendan81
  • Topic Starter

  • Members
  • 15 posts
  • Local time:03:23 AM

Posted 27 May 2010 - 09:56 PM

Got an error message:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: error reading MBR

