
Cannot delete Rootkit Agent in system32!


  • This topic is locked
24 replies to this topic

#1 Rajplayer

  • Members
  • 13 posts

Posted 12 May 2010 - 08:38 AM

Hi,

I got infected with the dreaded Antimalware Doctor on May 4th 2010. I have noticed that quite a few others here have had a similar problem recently so I followed some of the instructions in previous threads by downloading MBAM and clearing out most of the junk Antimalware Doctor had installed on my machine. My computer is working much better now but I can't get rid of the Rootkit Agent called "iiuptanp.sys" MBAM found in my System32\drivers folder (C:\Windows\system32\Drivers\iiuptanp.sys).

Once MBAM finds it, it says it will delete on reboot but it doesn't. Trying to get rid of it in Safe Mode doesn't work either. Obviously, as I'm sure you already know, trying to manually delete it does nothing and you just get an error that states "Cannot read from the source file or disk".

Please Help!

I am using Windows XP Professional Edition Version 2002 - Service Pack 3





#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,416 posts
  • Gender:Male
  • Location:NJ USA

Posted 12 May 2010 - 03:30 PM

Hello, can you run a GMER scan please.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....

#3 Rajplayer

  • Topic Starter
  • Members
  • 13 posts

Posted 13 May 2010 - 07:56 AM

Hi!!

Thanks a lot for your reply and I appreciate your help.

I will hook up my infected PC straight after work and run GMER on it as you suggested. I will paste the results in about 3 hours (hope that's OK?).

Once again, thanks a bunch for your help.



#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,416 posts
  • Gender:Male
  • Location:NJ USA

Posted 13 May 2010 - 09:30 AM

All's good, we volunteer here so whenever is OK.

#5 Rajplayer

  • Topic Starter
  • Members
  • 13 posts

Posted 14 May 2010 - 08:14 AM

Total DISASTER has struck.

I ran GMER and it eventually crashed showing the blue screen of death. Restarted my PC, unchecked Devices this time as requested and it ran VERY slowly until it crashed again. This time when I tried to restart my PC, it wouldn't boot up!!!

It just shows a blank screen. Tried restarting in safe mode, a few drivers load up and then the screen freezes. Tried booting from the CD using a Windows disc and NOTHING. The OS will just not load up.

What's happened???



#6 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,247 posts
  • Gender:Female
  • Location:Romania

Posted 14 May 2010 - 11:38 AM

Hello Rajplayer, let's see if we can get you booting again. I will move this topic to a more appropriate forum.

OK, this file is big. Print these instructions out so that you know what you are doing.

Two programs to download

First

ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on in it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note: If you do not know how to set your computer to boot from CD, follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
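An added note, not part of this thread, of OTL, or of BleepingComputer's process: once an OTL.txt is back from the boot CD, the helper reads it by eye for exactly the patterns this thread turns on (a boot-start driver whose file is gone but whose service key remains, a service binary with no company/version info sitting under C:\WINDOWS, a Run entry launched from a Temp directory, a browser proxy pointing back at localhost). The Python script below, written for this edit, encodes those four checks as a first-pass triage over OTL's SRV, DRV, O4 and IE lines. The sample lines are copied from the log Rajplayer posts later in this thread; the rule names and the heuristics are my own, and a hit means "look at this", not "this is malware".

```python
import re

# OTL SRV/DRV line whose binary was found on disk, e.g.
#   SRV - [2008/04/13 20:12:36 | 000,089,088 | --S- | M] () [Auto] -- C:\WINDOWS\System32\adsldpcm.exe -- (winmgmtMessenger)
ENTRY_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - \[(?P<date>[^|]+)\| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| [A-Z]\] "
    r"\((?P<company>[^)]*)\) \[(?P<start>[^\]]+)\] -- (?P<path>.*?) -- \((?P<name>[^)]+)\)"
)
# Service/driver whose registry key survives but whose file is gone, e.g.
#   DRV - File not found [Kernel | Boot] -- -- (iiuptanp)
MISSING_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<start>[^\]]+)\] -- -- \((?P<name>[^)]+)\)"
)
# O4 autorun entry from a Run key, e.g.
#   O4 - HKLM..\Run: [nonep] C:\WINDOWS\Temp\4B.tmp ()
RUN_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<path>.+?)(?: \((?P<company>[^)]*)\))?$"
)
# Per-user proxy setting, e.g.
#   IE - HKU\<user>\Software\...\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
PROXY_RE = re.compile(r'^IE - (?P<hive>HK[^\\]+\\[^\\]+)\\.*"ProxyServer" = (?P<proxy>.+)$')

# Lower-cased prefix used by the "no company info under the Windows directory" rule.
WINDOWS_DIR = "c:\\windows\\"

# Sample input: lines copied from the OTL log posted in this thread (one benign
# entry per section is kept so the rules can be seen not firing).
SAMPLE_LOG = r"""
SRV - [2009/09/04 16:14:34 | 001,304,528 | ---- | M] (Trend Micro Inc.) [Auto] -- C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe -- (tmlisten)
SRV - [2008/04/13 20:12:36 | 000,089,088 | --S- | M] () [Auto] -- C:\WINDOWS\System32\adsldpcm.exe -- (winmgmtMessenger)
DRV - File not found [Kernel | Boot] -- -- (iiuptanp)
DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - [2010/02/26 13:41:18 | 000,059,408 | ---- | M] (Trend Micro Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon)
O4 - HKLM..\Run: [nonep] C:\WINDOWS\Temp\4B.tmp ()
O4 - HKLM..\Run: [OfficeScanNT Monitor] C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe (Trend Micro Inc.)
O4 - HKU\surinder_singh.AESLEDB_ON_C..\Run: [bootvrfy.exe] C:\DOCUME~1\SURIND~1.AES\LOCALS~1\Temp\bootvrfy.exe File not found
IE - HKU\surinder_singh.AESLEDB_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
IE - HKU\surinder_singh_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
"""


def _finding(rule, name, detail, line):
    return {"rule": rule, "name": name, "detail": detail, "line": line}


def triage(log_text: str) -> list:
    """Return one finding per OTL line that matches a triage rule, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MISSING_RE.match(line)
        if m:
            # A Boot/System/Auto service with no file is what is left when a driver is
            # deleted out from under its service key (the iiuptanp case in this thread);
            # On_Demand leftovers from uninstalled software are common and not flagged.
            if any(s in m["start"] for s in ("Boot", "System", "Auto")):
                findings.append(_finding("orphaned-service", m["name"],
                    f"{m['kind']} registered as [{m['start']}] but its file is missing; "
                    "the service key is still referenced at startup", line))
            continue
        m = ENTRY_RE.match(line)
        if m:
            # Blank company field means the binary carries no version resource; under
            # C:\WINDOWS that is unusual for Microsoft or vendor files and worth a look.
            if not m["company"].strip() and m["path"].lower().startswith(WINDOWS_DIR):
                findings.append(_finding("no-company-in-system-dir", m["name"],
                    f"{m['path']} carries no company/version info (attrs {m['attrs']})", line))
            continue
        m = RUN_RE.match(line)
        if m:
            # Legitimate autoruns live in Program Files or the Windows directory, not Temp.
            if "\\temp\\" in m["path"].lower():
                findings.append(_finding("autorun-from-temp", m["value"],
                    f"Run value launches {m['path']} from a temp directory", line))
            continue
        m = PROXY_RE.match(line)
        if m and ("127.0.0.1" in m["proxy"] or "localhost" in m["proxy"].lower()):
            # A proxy on the loopback interface means something local sits between the
            # browser and the network; correlate with ProxyEnable for the same hive.
            findings.append(_finding("localhost-proxy", m["hive"],
                f"browser proxy set to {m['proxy']}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['name']}: {f['detail']}")
```

Run it as-is to see the five hits on the sample, or pass the contents of a full OTL.txt to triage(). The localhost-proxy rule deliberately ignores ProxyEnable, so a configured-but-disabled proxy (as in this log, where ProxyEnable is 0 for that user) still shows up and is left for the reader to correlate by hand.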


#7 Rajplayer

  • Topic Starter
  • Members
  • 13 posts

Posted 14 May 2010 - 02:41 PM

Hello Elise,

Did what you asked and the contents of the OTL file are below. By the way, I couldn't help deleting that BLEEDING "iiuptanp.sys" rootkit file from system32 before I ran the scan. For some reason I was able to just click and delete the little bugger while I was in the REATOGO desktop. Hope you don't mind.

OTL Contents:

OTL logfile created on: 5/14/2010 9:08:53 PM - Run
OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 6.0.2800.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 462.40 Gb Total Space | 444.31 Gb Free Space | 96.09% Space Free | Partition Type: NTFS
Drive D: | 1011.61 Mb Total Space | 462.92 Mb Free Space | 45.76% Space Free | Partition Type: FAT
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 280.77 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2009/12/01 06:13:12 | 000,345,352 | ---- | M] () [On_Demand] -- C:\Program Files\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe -- (TMBMServer)
SRV - [2009/09/04 16:14:34 | 001,304,528 | ---- | M] (Trend Micro Inc.) [Auto] -- C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe -- (tmlisten)
SRV - [2009/09/04 16:12:28 | 001,389,864 | ---- | M] (Trend Micro Inc.) [Auto] -- C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe -- (ntrtscan)
SRV - [2009/07/15 13:37:18 | 000,689,416 | ---- | M] (Trend Micro Inc.) [On_Demand] -- C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe -- (TmProxy)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/08/13 19:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2008/04/13 20:12:36 | 000,089,088 | --S- | M] () [Auto] -- C:\WINDOWS\System32\adsldpcm.exe -- (winmgmtMessenger)
SRV - [2008/03/08 15:43:56 | 000,524,288 | ---- | M] (MailEnable Pty Ltd) [Auto] -- C:\Program Files\Mail Enable\Bin\MESMTPC.exe -- (MESMTPCS)
SRV - [2008/03/08 14:47:44 | 000,499,712 | ---- | M] (MailEnable Pty Ltd) [Auto] -- C:\Program Files\Mail Enable\Bin\MEPOC.exe -- (MEPOCS)
SRV - [2008/03/05 08:43:48 | 000,233,472 | ---- | M] (MailEnable Pty Ltd) [Auto] -- C:\Program Files\Mail Enable\Bin\MEPOPS.exe -- (MEPOPS)
SRV - [2008/02/06 07:20:26 | 000,229,376 | ---- | M] (MailEnable Pty Ltd) [Auto] -- C:\Program Files\Mail Enable\Bin\MELSC.exe -- (MELCS)
SRV - [2008/02/06 07:20:22 | 000,208,896 | ---- | M] (MailEnable Pty Ltd) [Auto] -- C:\Program Files\Mail Enable\Bin\MEMTA.exe -- (MEMTAS)
SRV - [2007/10/25 10:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/10/18 06:31:54 | 000,098,328 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2006/07/28 21:12:42 | 000,243,352 | ---- | M] () [On_Demand] -- C:\oracle\ora92\BIN\ONRSD.EXE -- (OracleOraHome92ClientCache)
SRV - [2005/09/06 07:53:16 | 000,053,520 | ---- | M] (Oracle Corporation) [Auto] -- C:\oracle\ora92\bin\omtsreco.exe -- (OracleMTSRecoveryService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Adapter | Unavailable] -- -- (PnSson)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | Boot] -- -- (iiuptanp)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2010/02/26 13:41:18 | 000,059,408 | ---- | M] (Trend Micro Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2010/02/26 13:41:16 | 000,051,216 | ---- | M] (Trend Micro Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2010/02/26 13:41:12 | 000,163,344 | ---- | M] (Trend Micro Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2009/12/04 11:39:06 | 000,230,928 | ---- | M] (Trend Micro Inc.) [Kernel | Auto] -- C:\Program Files\Trend Micro\OfficeScan Client\TmXpflt.sys -- (TmFilter)
DRV - [2009/12/04 11:38:18 | 000,036,368 | ---- | M] (Trend Micro Inc.) [Kernel | Auto] -- C:\Program Files\Trend Micro\OfficeScan Client\TmPreflt.sys -- (TmPreFilter)
DRV - [2009/12/04 11:05:06 | 001,322,680 | ---- | M] (Trend Micro Inc.) [Kernel | Auto] -- C:\Program Files\Trend Micro\OfficeScan Client\vsapiNT.sys -- (VSApiNt)
DRV - [2009/07/15 13:37:40 | 000,089,872 | ---- | M] (Trend Micro Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2008/10/31 17:23:11 | 000,033,408 | ---- | M] (F5 Networks, Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\covpndrv.sys -- (urvpndrv)
DRV - [2008/10/31 17:22:36 | 000,010,752 | ---- | M] (F5 Networks) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\urfltw2k.sys -- (f5ipfw)
DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 14:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 14:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/07/12 17:35:02 | 000,305,176 | ---- | M] (Intel Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\iastor.sys -- (iaStor)
DRV - [2007/06/26 21:58:16 | 002,303,488 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/06/26 09:06:20 | 000,254,872 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2007/06/13 15:41:44 | 004,403,712 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/06/13 14:21:16 | 005,760,096 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2006/08/18 08:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 08:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 08:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 08:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 08:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 08:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 08:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 08:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 06:05:58 | 000,051,768 | ---- | M] (Roxio) [File_System | Auto] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2006/08/11 05:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 05:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2006/07/21 06:21:26 | 000,099,176 | ---- | M] (Sonic Solutions) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2004/08/04 06:00:00 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2004/08/04 06:00:00 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2004/08/04 06:00:00 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2004/08/04 06:00:00 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2004/08/04 06:00:00 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2004/08/04 06:00:00 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2004/08/04 06:00:00 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2004/08/04 06:00:00 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2004/08/04 06:00:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2004/08/04 06:00:00 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2004/08/04 06:00:00 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2004/08/04 06:00:00 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2004/08/04 06:00:00 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2004/08/04 06:00:00 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2004/08/04 06:00:00 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2004/08/03 17:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
IE - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/smallbiz.del...amp;ibd=1080424
IE - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/hws/sb/dell-usuk/e...?channel=uk-smb
IE - HKLM\Software\Microsoft\Internet Explorer\Search,Start Page = http://partnerpage.google.com/smallbiz.del...amp;ibd=1080424


IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://partnerpage.google.com/smallbiz.del...amp;ibd=1080424
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://partnerpage.google.com/smallbiz.del...amp;ibd=1080424
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator.AESLEDB_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://partnerpage.google.com/smallbiz.del...amp;ibd=1080424
IE - HKU\Administrator.AESLEDB_ON_C\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www1.euro.dell.com/content/default....;l=en&s=gen
IE - HKU\Administrator.AESLEDB_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-usuk/e...?channel=uk-smb
IE - HKU\Administrator.AESLEDB_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\Administrator.AESLEDB_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\Administrator.AESLEDB_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.navita.com/
IE - HKU\Administrator.AESLEDB_ON_C\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
IE - HKU\Administrator.AESLEDB_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://partnerpage.google.com/smallbiz.del...amp;ibd=1080424
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www1.euro.dell.com/content/default....;l=en&s=gen
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-usuk/e...?channel=uk-smb
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://partnerpage.google.com/smallbiz.del...amp;ibd=1080424
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\gordon_mclachlan.AESLEDB_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://partnerpage.google.com/smallbiz.del...amp;ibd=1080424
IE - HKU\gordon_mclachlan.AESLEDB_ON_C\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www1.euro.dell.com/content/default....;l=en&s=gen
IE - HKU\gordon_mclachlan.AESLEDB_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-usuk/e...?channel=uk-smb
IE - HKU\gordon_mclachlan.AESLEDB_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\gordon_mclachlan.AESLEDB_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\gordon_mclachlan.AESLEDB_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.navita.com/
IE - HKU\gordon_mclachlan.AESLEDB_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Gordon_McLachlan_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://partnerpage.google.com/smallbiz.del...amp;ibd=1080424
IE - HKU\Gordon_McLachlan_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-usuk/e...?channel=uk-smb
IE - HKU\Gordon_McLachlan_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\Gordon_McLachlan_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\Gordon_McLachlan_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://partnerpage.google.com/smallbiz.del...amp;ibd=1080424
IE - HKU\Gordon_McLachlan_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\surinder_singh.AESLEDB_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com/?fr=fp-yie8
IE - HKU\surinder_singh.AESLEDB_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
IE - HKU\surinder_singh.AESLEDB_ON_C\Software\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\surinder_singh.AESLEDB_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\surinder_singh.AESLEDB_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\surinder_singh.AESLEDB_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/?fr=fp-yie8
IE - HKU\surinder_singh.AESLEDB_ON_C\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
IE - HKU\surinder_singh.AESLEDB_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\surinder_singh.AESLEDB_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\surinder_singh.AESLEDB_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\surinder_singh_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://partnerpage.google.com/smallbiz.del...amp;ibd=1080424
IE - HKU\surinder_singh_ON_C\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www1.euro.dell.com/content/default....;l=en&s=gen
IE - HKU\surinder_singh_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/hws/sb/dell-usuk/e...?channel=uk-smb
IE - HKU\surinder_singh_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\surinder_singh_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\surinder_singh_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://partnerpage.google.com/smallbiz.del...amp;ibd=1080424
IE - HKU\surinder_singh_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/05 06:26:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/14 05:16:44 | 000,000,000 | ---D | M]

[2008/08/18 11:37:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.AESLEDB\Application Data\Mozilla\Firefox\Profiles\i78xnz4b.default\extensions
[2010/05/13 06:34:31 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/17 05:45:00 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/03/17 05:45:00 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/03/17 05:45:00 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/03/17 05:45:00 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2009/05/08 09:35:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [ISUSPM Startup] c:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [nonep] C:\WINDOWS\Temp\4B.tmp ()
O4 - HKLM..\Run: [OfficeScanNT Monitor] C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Roxio)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKU\Administrator.AESLEDB_ON_C..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKU\Administrator.AESLEDB_ON_C..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\gordon_mclachlan.AESLEDB_ON_C..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\Gordon_McLachlan_ON_C..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKU\surinder_singh.AESLEDB_ON_C..\Run: [bootvrfy.exe] C:\DOCUME~1\SURIND~1.AES\LOCALS~1\Temp\bootvrfy.exe File not found
O4 - HKU\surinder_singh.AESLEDB_ON_C..\Run: [COMMUNICATOR] C:\Program Files\Microsoft Office Communicator\Communicator.exe (Microsoft Corporation)
O4 - HKU\surinder_singh_ON_C..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator.AESLEDB_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\gordon_mclachlan.AESLEDB_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Gordon_McLachlan_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\surinder_singh.AESLEDB_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\surinder_singh_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} https://nw-fp-001.asplogon.com/vdesk/termin...,2008,1031,2121 (F5 Networks VPN Manager)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} https://nw-fp-001.asplogon.com/vdesk/termin...,2008,1112,2313 (F5 Networks Dynamic Application Tunnel Control)
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} http://172.31.137.150/projectserver/objects/pjclient.cab (PjAdoInfo3 Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} http://nvproject/Projectserver/objects/1033/pjcintl.cab (Pj11enuC Class)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} https://nw-fp-001.asplogon.com/vdesk/termin...,2008,1031,2112 (F5 Networks SuperHost Class)
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} https://nw-fp-001.asplogon.com/vdesk/termin...,2008,1031,2108 (F5 Networks Host Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aesl.co.uk
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\NetworkService\Application Data\sdra64.exe) - C:\Documents and Settings\NetworkService\Application Data\sdra64.exe ()
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\system32\sdra64.exe ()
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 12:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (sprestrt) - C:\WINDOWS\System32\sprestrt.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (sprestrt) - C:\WINDOWS\System32\sprestrt.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (sprestrt) - C:\WINDOWS\System32\sprestrt.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (sprestrt) - C:\WINDOWS\System32\sprestrt.exe (Microsoft Corporation)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/14 10:43:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\dell
[2010/05/13 09:00:23 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\lowsec
[2010/05/13 08:56:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/05/13 07:19:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\surinder singh.AESLEDB\Desktop\POMAX SM Installation Guides
[2010/05/13 04:22:07 | 000,000,000 | ---D | C] -- C:\New SM Modules
[2010/05/11 05:42:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2010/05/11 05:42:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2010/05/11 05:42:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2010/05/11 05:42:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2010/05/11 05:42:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2010/05/11 05:42:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2010/05/11 05:42:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2010/05/11 05:42:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2010/05/11 05:42:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2010/05/11 05:42:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2010/05/11 05:42:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2010/05/11 05:42:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2010/05/11 05:42:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2010/05/11 05:42:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2010/05/11 05:42:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2010/05/11 05:42:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2010/05/11 05:42:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA
[2010/05/06 09:04:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\surinder singh.AESLEDB\Application Data\TeamViewer
[2010/05/05 13:52:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/05/05 11:11:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/05 11:11:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/05 11:11:21 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService\IETldCache
[2010/05/05 11:02:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\surinder singh.AESLEDB\Application Data\Malwarebytes
[2010/05/05 09:52:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/05/05 09:52:17 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/05 09:52:14 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/05 09:52:14 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/05 09:51:37 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.46.exe
[2010/05/05 06:26:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
[2010/05/05 06:26:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Mozilla
[2010/05/05 05:10:59 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache
[2010/05/04 13:07:14 | 000,000,000 | -HSD | C] -- C:\found.000
[2010/05/04 09:51:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\surinder singh.AESLEDB\Local Settings\Application Data\ficycixgp
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\surinder singh.AESLEDB\Desktop\*.tmp files -> C:\Documents and Settings\surinder singh.AESLEDB\Desktop\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/14 11:41:54 | 000,000,210 | RHS- | M] () -- C:\boot.ini
[2010/05/14 11:40:54 | 000,000,345 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2010/05/14 11:40:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/13 14:43:33 | 000,456,694 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/13 14:43:33 | 000,076,262 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/13 14:43:30 | 000,542,904 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/13 14:32:30 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/13 14:31:51 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/13 14:31:42 | 2145,566,720 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/13 13:55:15 | 000,000,057 | ---- | M] () -- C:\WINDOWS\webica.ini
[2010/05/13 13:53:29 | 000,581,632 | ---- | M] () -- C:\Documents and Settings\surinder singh.AESLEDB\Desktop\8152 - Test Specification - SM 9.1.3 Release.doc
[2010/05/13 09:00:25 | 000,000,100 | --S- | M] () -- C:\WINDOWS\System32\3797808071.dat
[2010/05/13 08:56:18 | 000,000,008 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\Application Data\ofubwi.dat
[2010/05/13 08:44:33 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/05/13 08:44:33 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2010/05/13 08:44:14 | 006,815,744 | -H-- | M] () -- C:\Documents and Settings\surinder singh.AESLEDB\NTUSER.DAT
[2010/05/13 08:44:10 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\surinder singh.AESLEDB\ntuser.ini
[2010/05/13 08:43:50 | 000,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2010/05/13 08:43:50 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2010/05/13 07:28:09 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\surinder singh.AESLEDB\Desktop\jmlhei34.exe
[2010/05/12 13:31:45 | 000,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2010/05/12 13:31:45 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2010/05/12 13:23:48 | 000,027,261 | ---- | M] () -- C:\WINDOWS\cfgall.ini
[2010/05/12 06:10:07 | 000,061,621 | ---- | M] () -- C:\Documents and Settings\surinder singh.AESLEDB\Desktop\Testing Plan - ECTRM Version 9.1.3.xlsx
[2010/05/11 11:16:09 | 004,318,378 | -H-- | M] () -- C:\Documents and Settings\surinder singh.AESLEDB\Local Settings\Application Data\IconCache.db
[2010/05/11 11:16:07 | 000,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2010/05/11 11:16:07 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2010/05/11 10:58:03 | 000,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2010/05/11 10:58:03 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2010/05/11 09:23:34 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2010/05/11 09:23:34 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2010/05/11 07:19:00 | 000,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2010/05/11 07:19:00 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2010/05/11 04:10:15 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\null
[2010/05/07 12:07:54 | 000,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2010/05/07 12:07:54 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2010/05/07 05:17:47 | 000,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2010/05/07 05:17:47 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2010/05/06 12:38:12 | 000,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2010/05/06 12:38:12 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2010/05/06 12:34:04 | 000,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2010/05/06 12:34:04 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2010/05/06 12:34:00 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/06 12:34:00 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/06 10:20:37 | 000,000,268 | -H-- | M] () -- C:\sqmdata19.sqm
[2010/05/06 10:20:37 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2010/05/06 05:33:20 | 000,000,268 | -H-- | M] () -- C:\sqmdata18.sqm
[2010/05/06 05:33:20 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2010/05/05 13:17:14 | 000,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2010/05/05 13:17:14 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2010/05/05 10:58:16 | 000,786,432 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/05/05 10:58:16 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/05/05 09:51:46 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup-1.46.exe
[2010/05/05 06:15:04 | 000,000,147 | ---- | M] () -- C:\WINDOWS\System32\PRAGMAsrcr.dat
[2010/05/04 10:11:13 | 000,000,268 | -H-- | M] () -- C:\sqmdata16.sqm
[2010/05/04 10:11:13 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2010/05/04 09:51:28 | 000,057,344 | ---- | M] () -- C:\WINDOWS\System32\pragmaserf.dll
[2010/05/04 09:51:28 | 000,057,344 | ---- | M] () -- C:\WINDOWS\System32\pragmabbr.dll
[2010/04/30 12:20:28 | 000,000,268 | -H-- | M] () -- C:\sqmdata15.sqm
[2010/04/30 12:20:28 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2010/04/29 12:39:26 | 000,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2010/04/29 12:39:26 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2010/04/29 10:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 10:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/23 12:03:20 | 000,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
[2010/04/23 12:03:20 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2010/04/16 12:20:50 | 000,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2010/04/16 12:20:50 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2010/04/15 09:07:11 | 000,084,762 | ---- | M] () -- C:\Documents and Settings\surinder singh.AESLEDB\Desktop\Option Trade Error.JPG
[2010/04/15 05:49:08 | 000,012,120 | ---- | M] () -- C:\Documents and Settings\surinder singh.AESLEDB\Desktop\Latest 9.1.1 Issues List.xlsx
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\surinder singh.AESLEDB\Desktop\*.tmp files -> C:\Documents and Settings\surinder singh.AESLEDB\Desktop\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/13 11:17:38 | 000,581,632 | ---- | C] () -- C:\Documents and Settings\surinder singh.AESLEDB\Desktop\8152 - Test Specification - SM 9.1.3 Release.doc
[2010/05/13 08:56:23 | 000,000,100 | --S- | C] () -- C:\WINDOWS\System32\3797808071.dat
[2010/05/13 08:56:18 | 000,000,008 | ---- | C] () -- C:\WINDOWS\system32\config\systemprofile\Application Data\ofubwi.dat
[2010/05/13 07:28:37 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\surinder singh.AESLEDB\Desktop\jmlhei34.exe
[2010/05/12 06:00:42 | 000,061,621 | ---- | C] () -- C:\Documents and Settings\surinder singh.AESLEDB\Desktop\Testing Plan - ECTRM Version 9.1.3.xlsx
[2010/05/11 07:27:21 | 2145,566,720 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/04 09:51:28 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\pragmaserf.dll
[2010/05/04 09:51:28 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\pragmabbr.dll
[2010/05/04 09:51:27 | 000,000,147 | ---- | C] () -- C:\WINDOWS\System32\PRAGMAsrcr.dat
[2010/04/15 09:07:11 | 000,084,762 | ---- | C] () -- C:\Documents and Settings\surinder singh.AESLEDB\Desktop\Option Trade Error.JPG
[2010/02/17 10:00:32 | 000,027,261 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2009/08/19 06:35:39 | 000,001,490 | ---- | C] () -- C:\Documents and Settings\surinder singh.AESLEDB\sqlnet.log
[2009/08/03 10:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/06/18 03:56:24 | 000,000,024 | ---- | C] () -- C:\Documents and Settings\surinder singh.AESLEDB\presets.ini
[2009/02/24 12:49:10 | 000,000,176 | ---- | C] () -- C:\Documents and Settings\surinder singh.AESLEDB\Application Data\wklnhst.dat
[2008/11/18 06:42:15 | 000,000,057 | ---- | C] () -- C:\WINDOWS\webica.ini
[2008/10/20 07:51:06 | 000,000,518 | ---- | C] () -- C:\Documents and Settings\surinder singh.AESLEDB\java0.log
[2008/10/13 04:49:58 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\surinder singh.AESLEDB\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/09/29 11:49:59 | 000,053,760 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[2008/09/04 05:10:16 | 006,815,744 | -H-- | C] () -- C:\Documents and Settings\surinder singh.AESLEDB\NTUSER.DAT
[2008/09/04 05:10:16 | 000,016,384 | -H-- | C] () -- C:\Documents and Settings\surinder singh.AESLEDB\ntuser.dat.LOG
[2008/09/04 05:10:16 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\surinder singh.AESLEDB\ntuser.ini
[2008/08/20 04:50:49 | 000,000,162 | ---- | C] () -- C:\Documents and Settings\surinder singh\Application Data\wklnhst.dat
[2008/08/19 04:22:03 | 002,359,296 | -H-- | C] () -- C:\Documents and Settings\surinder singh\NTUSER.DAT
[2008/08/19 04:22:03 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\surinder singh\ntuser.dat.LOG
[2008/08/19 04:22:03 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\surinder singh\ntuser.ini
[2008/06/03 06:34:02 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2008/05/30 12:20:08 | 001,572,864 | -H-- | C] () -- C:\Documents and Settings\gordon mclachlan.AESLEDB\NTUSER.DAT
[2008/05/30 12:20:08 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\gordon mclachlan.AESLEDB\ntuser.dat.LOG
[2008/05/30 12:20:08 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\gordon mclachlan.AESLEDB\ntuser.ini
[2008/05/30 12:06:33 | 000,001,417 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/05/05 11:43:19 | 001,572,864 | -H-- | C] () -- C:\Documents and Settings\Administrator.AESLEDB\NTUSER.DAT
[2008/05/05 11:43:19 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\Administrator.AESLEDB\ntuser.dat.LOG
[2008/05/05 11:43:19 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Administrator.AESLEDB\ntuser.ini
[2008/05/05 10:37:48 | 001,048,576 | -H-- | C] () -- C:\Documents and Settings\Gordon McLachlan\NTUSER.DAT
[2008/05/05 10:37:48 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\Gordon McLachlan\ntuser.dat.LOG
[2008/05/05 10:37:48 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Gordon McLachlan\ntuser.ini
[2008/04/23 21:24:58 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/04/23 21:16:34 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2008/04/23 21:16:34 | 000,000,120 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/04/23 20:57:36 | 000,262,144 | ---- | C] () -- C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
[2008/04/23 20:57:36 | 000,008,192 | -H-- | C] () -- C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
[2008/04/23 20:54:32 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
[2008/04/23 20:53:22 | 000,001,207 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/11/06 23:25:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/09/16 18:36:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/16 18:36:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2004/08/12 01:20:24 | 000,786,432 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2004/08/12 01:20:15 | 000,262,144 | -H-- | C] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2004/08/12 01:20:15 | 000,262,144 | -H-- | C] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2004/08/11 12:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 12:20:25 | 000,069,632 | -H-- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat.LOG
[2004/08/11 12:20:25 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2004/08/11 12:20:16 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\LocalService\ntuser.ini
[2004/08/11 12:20:15 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[2004/08/11 12:20:15 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\LocalService\ntuser.dat.LOG
[2004/08/11 12:20:15 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\NetworkService\ntuser.ini
[2004/08/11 12:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/11 12:00:25 | 000,144,384 | R--- | C] () -- C:\Documents and Settings\NetworkService\Application Data\sdra64.exe
[2004/08/04 06:00:00 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004/08/04 06:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2003/07/29 00:07:00 | 000,000,218 | ---- | C] () -- C:\WINDOWS\ORAODBC.INI

========== LOP Check ==========

[2008/06/03 05:29:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\gordon mclachlan.AESLEDB\Application Data\Notepad++
[2009/12/03 07:16:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\surinder singh.AESLEDB\Application Data\ICAClient
[2008/09/04 05:20:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\surinder singh.AESLEDB\Application Data\Notepad++
[2010/05/06 09:04:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\surinder singh.AESLEDB\Application Data\TeamViewer
[2009/02/24 12:49:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\surinder singh.AESLEDB\Application Data\Template
[2009/02/24 05:44:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\surinder singh.AESLEDB\Application Data\Windows Search
[2008/08/25 05:07:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\surinder singh\Application Data\Notepad++
[2008/08/20 04:50:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\surinder singh\Application Data\Template

========== Purity Check ==========


< End of report >



#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • Gender:Female
  • Location:Romania
  • Local time:08:12 AM

Posted 14 May 2010 - 02:54 PM

Hi again,

In this case it's not terribly important that you deleted that file, but please consider the consequences: you now have this left.
QUOTE
DRV - File not found [Kernel | Boot] -- -- (iiuptanp)
This is a driver set to run on system boot, pointing to the file you just deleted. Orphaned boot drivers can cause big trouble.

Since you were having trouble anyway, it's not a big problem, but please keep in mind that in a PE you can delete each and every file you want, even those that are absolutely necessary for Windows to run. Windows has its own protection in place when running that prevents you from deleting system files, but a PE like Reatogo-X-PE doesn't have such limitations. This is an advantage in malware removal, but it can also have disastrous consequences if you don't know what you are doing.

Please rerun OTLPE, and copy/paste the text in the codebox below into the "run scan/fix" field. Click Run Fix.
CODE
:otl
DRV - File not found [Kernel | Boot] -- -- (iiuptanp)


When done, let me know if you can boot. If you are able to do so, please do NOT run anything else; instead, post back here. I see some evidence of another nasty rootkit, but we need to have your computer booting to confirm and clean that.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft
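The warning above about orphaned boot drivers, together with the O20 UserInit entries in the OTL log earlier in the thread, can be checked mechanically. The script below is an added example written for this thread, not code from the original post, from Elise, or from OTL itself: it parses OTL DRV and O20 UserInit lines from a constructed sample modelled on the log, flags drivers whose file is missing and UserInit values that are not the stock userinit.exe, and assembles the :OTL fix block for the orphans only, the same way post #8 does. The layout of the DRV line for a driver whose file is present, and the service name "examplesvc", are assumptions.

```python
"""Triage OTL log lines for orphaned drivers and UserInit tampering.

Added example for this thread; it is not code from the original post, from
Elise, or from the OTL tool.  Two OTL line shapes are parsed, both taken
from the log quoted above:

  DRV - <status> [<start type>] -- <file path> -- (<service name>)
  O20 - HKLM Winlogon: UserInit - (<value>) - <resolved path> (<company>)
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on lines quoted in this thread.  The layout of
# the DRV line for a driver whose file *is* present (the mbam.sys entry) is an
# assumption about OTL's format; "examplesvc" is a placeholder service name.
SAMPLE_OTL = r"""
DRV - File not found [Kernel | Boot] -- -- (iiuptanp)
DRV - [2010/04/29 10:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - File not found [Kernel | On_Demand] -- -- (examplesvc)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\system32\sdra64.exe ()
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe,) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
"""

DRV_RE = re.compile(
    r"^DRV - (?P<status>.*?) \[(?P<start>[^\]]*)\] --(?P<path>.*)-- \((?P<name>[^)]*)\)$"
)
USERINIT_RE = re.compile(
    r"^O20 - HKLM Winlogon: UserInit - \((?P<value>[^)]*)\) - "
    r"(?P<resolved>.*?) \((?P<company>[^)]*)\)$"
)
# Stock UserInit on Windows XP; the registry value itself ends in a comma.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


@dataclass(frozen=True)
class Finding:
    kind: str     # "orphaned_boot_driver", "orphaned_driver" or "userinit_hijack"
    subject: str  # service name, or the logged UserInit value
    detail: str
    line: str     # the OTL line exactly as logged; an OTL fix reuses it


def parse_driver(line: str) -> Optional[dict]:
    """Split a DRV line into its fields; None if the line is not a DRV entry."""
    m = DRV_RE.match(line)
    if not m:
        return None
    return {"name": m["name"], "start": m["start"],
            "path": m["path"].strip(), "missing": m["status"] == "File not found"}


def triage(log_text: str) -> List[Finding]:
    """Return the suspicious entries in an OTL log excerpt, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        drv = parse_driver(line)
        if drv is not None:
            if drv["missing"]:
                # A registered driver whose binary is gone.  Boot-start ones are
                # the "orphaned boot drivers" post #8 warns about.
                kind = "orphaned_boot_driver" if "Boot" in drv["start"] else "orphaned_driver"
                findings.append(Finding(kind, drv["name"],
                                        f"start type [{drv['start']}], file missing", line))
            continue
        m = USERINIT_RE.match(line)
        if m is not None:
            value = m["value"].strip().rstrip(",").lower()
            if value != EXPECTED_USERINIT:
                company = m["company"] or "no company name"
                findings.append(Finding("userinit_hijack", m["value"],
                                        f"resolves to {m['resolved']} ({company})", line))
    return findings


def otl_fix_script(findings: List[Finding]) -> str:
    """Assemble an :OTL fix block for the orphaned drivers only.

    OTL's fix takes the logged DRV line verbatim, as in post #8.  UserInit
    entries are left out on purpose: restoring that value is a separate step,
    and a wrong value there can stop Windows from logging on at all.
    """
    body = [f.line for f in findings if f.kind.startswith("orphaned")]
    return "\n".join([":OTL"] + body)


if __name__ == "__main__":
    found = triage(SAMPLE_OTL)
    for f in found:
        print(f"{f.kind:22} {f.subject}  -- {f.detail}")
    print(otl_fix_script(found))
```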


#9 Rajplayer

Rajplayer
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:12 AM

Posted 14 May 2010 - 03:15 PM

This is exactly why we are the noobs, and you guys are the experts. From here on in I will do EXACTLY what you tell me.

Also, thank you so much for working on this on a Friday night! The problem is with my work PC, which is why I HAVE to work on this problem in order to be functioning again come Monday. But I really appreciate that you're here to help me. You are my here.

Waiting for the scan to finish. Results coming in a few minutes..................


#10 Rajplayer

Rajplayer
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:12 AM

Posted 14 May 2010 - 03:27 PM

Done and done (see result below). By the way, in the previous reply I meant "You are my HERO".

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iiuptanp deleted successfully.

OTLPE by OldTimer - Version 3.1.39.0 log created on 05142010_232134


I can also confirm that I am now able to reboot. YAY!!!!

What's next Elise?



#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • Gender:Female
  • Location:Romania
  • Local time:08:12 AM

Posted 15 May 2010 - 02:11 AM

Hi, good to see you are booting again.

Since I saw some evidence of another rootkit, I want to check for that first.

Download and run PragmaFix

Follow the prompts in the command window and post the log that pops up when done.

regards, Elise


#12 Rajplayer

Rajplayer
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:12 AM

Posted 17 May 2010 - 04:06 AM

Hi Elise,

Ran Pragmafix and below is the result:


17/05/2010 10:59:46.89

No embedded null keys found


#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • Gender:Female
  • Location:Romania
  • Local time:08:12 AM

Posted 17 May 2010 - 05:04 AM

Okay, that's good news.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


#14 Rajplayer

Rajplayer
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:12 AM

Posted 18 May 2010 - 02:33 PM

Hello Elise,

Please excuse the late reply. Just got completely snowed under at work.

Anyways, I did what you asked and attached is the Combofix log file. Unfortunately, there is no way for me to disable our AV. We use Trendmicro Office Scan and there doesn't seem to be a surefire way to disable it temporarily. I killed it from the Task Manager, but the real time scanner is always running. And when Combofix reboots the computer, Trend starts up again.

Still, I hope there is enough in the log (attached) that will give you a clue as to what malware is on my system.

I await your reply.





#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • Gender:Female
  • Location:Romania
  • Local time:08:12 AM

Posted 19 May 2010 - 01:27 AM

Hello,
That looks good; a few things need to be removed with a script, though.
When done, please let me know how things are running now.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise




