
Exploit Phoenix Exploit Kit


  • This topic is locked
77 replies to this topic

#31 moonmaid (Topic Starter)

Posted 18 August 2010 - 01:00 PM

OK, here it is. Thanks.

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB8CC4000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 5763072 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xA83ED000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4550656 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0xBF1F2000 C:\WINDOWS\System32\igxpdx32.DLL 2732032 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF04E000 C:\WINDOWS\System32\igxpdv32.DLL 1720320 bytes (Intel Corporation, Component GHAL Driver)
0xB8ACD000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
0xA8098000 C:\WINDOWS\system32\DRIVERS\mosuport.sys 901120 bytes (-, USB Compound device driver)
0xB9E6A000 iaStor.sys 815104 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0xB8A26000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 684032 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xB9D94000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA81A8000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB898C000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA8315000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA7736000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB8C6F000 C:\WINDOWS\system32\DRIVERS\e1e5132.sys 266240 bytes (Intel Corporation, Intel® PRO/1000 Adapter NDIS 5.2 deserialized driver)
0xA78A5000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xA82B3000 C:\WINDOWS\System32\Drivers\avgtdix.sys 237568 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
0xA8174000 C:\WINDOWS\System32\Drivers\avgldx86.sys 212992 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0xB8BEF000 C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys 212992 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA7BF3000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9D67000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA62C2000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA8218000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 172032 bytes (Intel Corporation, Intel Graphics 2D Driver)
0xB8C23000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA8265000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xA828D000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA638D000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xA83C9000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB8C4B000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB8BCC000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA8243000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9E4A000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9D4D000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9F31000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA8058000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9E21000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB8A0F000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA79FE000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB89EA000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB8CB0000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA836E000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xB9E38000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB89FE000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB92A3000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA178000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA278000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA188000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA7D40000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA268000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA198000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA1B8000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA2E8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA168000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA238000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA218000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xA6481000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA158000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA1C8000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA2C8000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA664B000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA0F8000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xBA2B8000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA408000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xBA488000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA400000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA410000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xBA470000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA3D8000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xBA380000 C:\WINDOWS\System32\Drivers\avgmfx86.sys 24576 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0xBA418000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xBA440000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA448000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA3F8000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA478000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA438000 C:\WINDOWS\system32\DRIVERS\wanatw4.sys 24576 bytes (America Online, Inc., Wan Miniport (ATW))
0xBA480000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA428000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA430000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA420000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA340000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xA66F7000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xA74C8000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB94BA000 C:\WINDOWS\system32\drivers\MODEMCSA.sys 16384 bytes (Microsoft Corporation, Unimodem CSA Filter)
0xB9D09000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA7FAC000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA4BC000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xA83A5000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xA76F6000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xBA590000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xA7899000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xA75FE000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9D15000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA598000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB94B2000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xBA626000 C:\WINDOWS\System32\Drivers\ASCTRM.SYS 8192 bytes (Windows ® 2000 DDK provider, TR Manager)
0xBA61E000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5B4000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA61C000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA620000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA622000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5F8000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5FE000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5A8000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x8A654000 C:\WINDOWS\system32\KDCOM.DLL 7040 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA787000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA6B7000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA68A000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x8A341999 ?_empty_? 1639 bytes
==============================================
>Stealth
==============================================
0xB9F31000 WARNING: suspicious driver modification [atapi.sys::0x8A341999]
0x043B0000 Hidden Image-->Tanagra.DataClad.dll [ EPROCESS 0x89BD1DA0 ] PID: 3576, 1077248 bytes
0x059E0000 Hidden Image-->Tanagra.BMU.dll [ EPROCESS 0x89BD1DA0 ] PID: 3576, 1413120 bytes
0x045C0000 Hidden Image-->SupportSoft.Agent.Sprocket.dll [ EPROCESS 0x89AD5800 ] PID: 2724, 28672 bytes
0x05E70000 Hidden Image-->Tanagra.Third-party.Security.dll [ EPROCESS 0x89BD1DA0 ] PID: 3576, 28672 bytes
0x04F30000 Hidden Image-->System.Data.dll [ EPROCESS 0x89BD1DA0 ] PID: 3576, 2961408 bytes
0x04720000 Hidden Image-->Tanagra.DataClad.DataAccess.dll [ EPROCESS 0x89BD1DA0 ] PID: 3576, 299008 bytes
0x01020000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x8A51EBC0 ] PID: 2212, 307200 bytes
0x05380000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x89BD1DA0 ] PID: 3576, 307200 bytes
0x00D20000 Hidden Image-->MemeoRemoteCore.dll [ EPROCESS 0x8A51EBC0 ] PID: 2212, 36864 bytes
0x018A0000 Hidden Image-->XMLSettings.dll [ EPROCESS 0x89BD1DA0 ] PID: 3576, 36864 bytes
0x03F90000 Hidden Image-->SupportSoft.Agent.Sprocket.SupportMessage.dll [ EPROCESS 0x89AD5800 ] PID: 2724, 45056 bytes
0x05400000 Hidden Image-->Tanagra.Interop.dll [ EPROCESS 0x89BD1DA0 ] PID: 3576, 61440 bytes
0x01850000 Hidden Image-->Memeo.API.dll [ EPROCESS 0x89BD1DA0 ] PID: 3576, 69632 bytes
0x05DE0000 Hidden Image-->Tanagra.BMU.Providers.HardDiskBackupProvider.dll [ EPROCESS 0x89BD1DA0 ] PID: 3576, 69632 bytes
0x031E0000 Hidden Image-->sprtmessage.dll [ EPROCESS 0x89AD5800 ] PID: 2724, 77824 bytes
0x05E20000 Hidden Image-->Tanagra.BMU.Providers.FileCopyBackupProvider.dll [ EPROCESS 0x89BD1DA0 ] PID: 3576, 77824 bytes
0x05B60000 Hidden Image-->SQLite.NET.dll [ EPROCESS 0x89BD1DA0 ] PID: 3576, 77824 bytes
0x04B50000 Hidden Image-->Tanagra.Utility.dll [ EPROCESS 0x89BD1DA0 ] PID: 3576, 913408 bytes


#32 Elise (Malware Study Hall Admin)

Posted 18 August 2010 - 02:04 PM

That looks definitely like a new rootkit variant.

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.
  • Double-click on MBRCheck.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • It will open a black screen with some data on it...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will be created on the desktop.
  • Copy and paste the contents of that log in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft



#33 moonmaid (Topic Starter)

Posted 18 August 2010 - 06:11 PM

Seems like we're going in circles with this thing. We've run MBR before. Here's the log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000000fc

Kernel Drivers (total 123):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0x89CD2000 \WINDOWS\system32\KDCOM.DLL
0xBA4BC000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5A8000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F31000 atapi.sys
0xB9E6A000 iaStor.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E4A000 fltmgr.sys
0xB9E38000 sr.sys
0xBA0F8000 PxHelp20.sys
0xB9E21000 KSecDD.sys
0xB9D94000 Ntfs.sys
0xB9D67000 NDIS.sys
0xB9D4D000 Mup.sys
0xBA168000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB8EB0000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB8E9C000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB8E5B000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xBA400000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB8E37000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA408000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB8E0F000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB8DDB000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0xB8DB8000 \SystemRoot\system32\DRIVERS\ks.sys
0xB8CB9000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xB8C12000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xBA410000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA418000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA178000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA188000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA198000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBA420000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xBA704000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9D15000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB8BFB000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA428000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB8BEA000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA430000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA438000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA440000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xB8BD6000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA1E8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA448000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA450000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5EC000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB8B78000 \SystemRoot\system32\DRIVERS\update.sys
0xB9D09000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA208000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB9508000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xBA238000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5F0000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA8477000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xA8453000 \SystemRoot\system32\drivers\portcls.sys
0xBA248000 \SystemRoot\system32\drivers\drmk.sys
0xBA580000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xBA5F4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA7A4000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5F6000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA460000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA468000 \SystemRoot\System32\drivers\vga.sys
0xBA5F8000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5FA000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA470000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA478000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA588000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA83F8000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA839F000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA833D000 \SystemRoot\System32\Drivers\avgtdix.sys
0xA8317000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA288000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA82EF000 \SystemRoot\system32\DRIVERS\netbt.sys
0xBA5A4000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xA82CD000 \SystemRoot\System32\drivers\afd.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA82A2000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA8232000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA2F8000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA480000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xA81FE000 \SystemRoot\System32\Drivers\avgldx86.sys
0xBA488000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA8122000 \SystemRoot\system32\DRIVERS\mosuport.sys
0xBA158000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA80E2000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5BC000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA842F000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA3C8000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA75E000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04E000 \SystemRoot\System32\igxpdv32.DLL
0xBF1F2000 \SystemRoot\System32\igxpdx32.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA7FBE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA7C7D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA620000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0xA7A88000 \SystemRoot\system32\drivers\wdmaud.sys
0xA7D0A000 \SystemRoot\system32\drivers\sysaudio.sys
0xA7909000 \SystemRoot\System32\Drivers\HTTP.sys
0xA7A80000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA7862000 \SystemRoot\system32\DRIVERS\srv.sys
0xA6188000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA63AB000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA657F000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xA7B61000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA5DFC000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 77):
0 System Idle Process
4 System
624 C:\WINDOWS\system32\smss.exe
672 csrss.exe
696 C:\WINDOWS\system32\winlogon.exe
744 C:\WINDOWS\system32\services.exe
756 C:\WINDOWS\system32\lsass.exe
920 C:\WINDOWS\system32\svchost.exe
972 svchost.exe
1020 C:\WINDOWS\system32\svchost.exe
1116 svchost.exe
1156 svchost.exe
1236 C:\Program Files\AVG\AVG9\avgchsvx.exe
1248 C:\Program Files\AVG\AVG9\avgrsx.exe
1300 C:\WINDOWS\system32\spoolsv.exe
1472 svchost.exe
1500 C:\Program Files\AVG\AVG9\avgcsrvx.exe
1532 C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
1784 C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
1860 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1880 C:\Program Files\AVG\AVG9\avgwdsvc.exe
1908 C:\Program Files\Bonjour\mDNSResponder.exe
416 C:\Program Files\Dell Support Center\bin\sprtsvc.exe
472 C:\WINDOWS\explorer.exe
528 C:\WINDOWS\system32\svchost.exe
884 wdfmgr.exe
1716 C:\Program Files\AVG\AVG9\avgnsx.exe
1976 C:\Program Files\Viewpoint\Common\ViewpointService.exe
2076 C:\WINDOWS\wanmpsvc.exe
2172 C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
2224 C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
2312 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
2360 C:\WINDOWS\system32\wuauclt.exe
2392 C:\Program Files\AVG\AVG9\avgemc.exe
2452 C:\Program Files\Canon\CAL\CALMAIN.exe
2524 C:\WINDOWS\system32\igfxtray.exe
2540 C:\WINDOWS\system32\hkcmd.exe
2568 C:\WINDOWS\system32\igfxpers.exe
2604 C:\WINDOWS\RTHDCPL.EXE
2616 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
2644 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
2692 C:\WINDOWS\system32\igfxsrvc.exe
2752 C:\Program Files\Dell Support Center\bin\sprtcmd.exe
2764 C:\Program Files\Real\RealPlayer\realplay.exe
2788 C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
2796 C:\Program Files\AVG\AVG9\avgcsrvx.exe
2860 C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
2880 C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
2896 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
2928 C:\Program Files\Common Files\AOL\1225072980\ee\aolsoftware.exe
2952 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
3056 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
3088 C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
3348 C:\PROGRA~1\AVG\AVG9\avgtray.exe
3360 C:\Program Files\QuickTime\QTTask.exe
3376 C:\Program Files\iTunes\iTunesHelper.exe
3408 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
3476 C:\Program Files\AWS\WeatherBug\Weather.exe
3500 C:\Program Files\Skype\Phone\Skype.exe
3540 C:\WINDOWS\system32\ctfmon.exe
3576 C:\Program Files\America Online 9.0\aoltray.exe
3596 C:\Program Files\Digital Line Detect\DLG.exe
3628 C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
3640 C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
3648 C:\WinZip\WZQKPICK.EXE
3656 C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
2996 C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
748 alg.exe
3584 wmiprvse.exe
4132 C:\Program Files\iPod\bin\iPodService.exe
4264 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
2268 C:\Program Files\Internet Explorer\iexplore.exe
4424 C:\Program Files\Skype\Plugin Manager\skypePM.exe
4968 C:\Program Files\Yahoo!\Companion\Installs\cpn1\ytbb.exe
200 C:\Program Files\AVG\AVG9\avgupd.exe
2588 C:\Documents and Settings\Jan\Desktop\MBRCheck.exe
4928 wmiprvse.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200AAKS-75VYA0, Rev: 12.01B02

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: D13DDF8A51F8C99D562C7C0018E2F8FDA7D48E07


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#34 Elise (Malware Study Hall Admin)

Posted 19 August 2010 - 03:11 AM

Sorry, that's my fault, I must have overlooked that somehow.
  • Insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer (if you don't have an XP CD, let me know and I'll post additional instructions).

  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
    • The tab should now show your current boot order.
      If the CD drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your XP-CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open.
    Type fixmbr and press Enter. Confirm when asked.

When done, type EXIT, and press enter.

After windows starts, please rerun MBRcheck and post me the log.

regards, Elise




#35 moonmaid (Topic Starter)

Posted 19 August 2010 - 11:26 AM

Elise,

I have the XP system CD, so that's not a problem. At some point we disabled CD Emulation, and it's still disabled, as far as I know. Does that have anything to do with reading from the drive? I haven't tried using the drive. I'll do this as soon as I get a break.

FYI...after running the MBR program yesterday I ran an AVG scan. It found several trojans in a subfolder of the system volume information folder. It put them in the vault.

#36 Elise (Malware Study Hall Admin)

Posted 19 August 2010 - 11:54 AM

No, CD emulation has nothing to do with your CD drive. It means all virtual CD drives are disabled.

Please run the fixmbr command as instructed and after that post me a new MBRcheck log. There is no sense in running AVG or any other tool now, since you have an active rootkit.

regards, Elise




#37 moonmaid (Topic Starter)

Posted 19 August 2010 - 03:30 PM

OK, Elise, I ran the fixmbr, rebooted and ran MBRCheck. Here's the log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000000fc

Kernel Drivers (total 122):

Processes (total 76):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200AAKS-75VYA0, Rev: 12.01B02

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

#38 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,431 posts, Location: Romania)

Posted 19 August 2010 - 04:05 PM

Well done! That took care of the rootkit. Please let me know how things are running now and post also a new OTL log for my review.

regards, Elise




#39 moonmaid (Topic Starter, Members, 46 posts)

Posted 19 August 2010 - 07:39 PM

YAY! High five!

I haven't used the PC much because of the problems. I'll start using it again and let you know how it's going. So far it looks OK.

I couldn't find an extras file after running OTL, but here's the other log:

OTL logfile created on: 8/19/2010 7:11:08 PM - Run 2
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Jan\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 18.00% Memory free
4.00 Gb Paging File | 2.00 Gb Available in Paging File | 59.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 294.73 Gb Total Space | 258.67 Gb Free Space | 87.76% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OFFICE
Current User Name: Jan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========



========== Modules (SafeList) ==========



========== Win32 Services (SafeList) ==========



========== Driver Services (SafeList) ==========



========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080616
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080616


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080616
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080616
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522



IE - HKU\S-1-5-21-832801357-3535286217-991096044-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-832801357-3535286217-991096044-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-832801357-3535286217-991096044-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
IE - HKU\S-1-5-21-832801357-3535286217-991096044-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-832801357-3535286217-991096044-1006\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-832801357-3535286217-991096044-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-832801357-3535286217-991096044-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-832801357-3535286217-991096044-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.order.1: "Google"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..keyword.URL: "http://search.search-go.net/?sid=10101049100&s="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - user.js..browser.search.selectedEngine: "Google"
FF - user.js..browser.search.order.1: "Google"
FF - user.js..keyword.URL: "http://search.search-go.net/?sid=10101049100&s="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/02 08:57:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/26 19:43:47 | 000,000,000 | ---D | M]

[2010/02/10 21:44:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan\Application Data\Mozilla\Extensions
[2010/08/10 10:32:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\01nimr6i.default\extensions
[2010/06/06 11:47:33 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Jan\Application Data\Mozilla\Firefox\Profiles\01nimr6i.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/02/10 21:33:14 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/08/18 18:14:23 | 000,416,119 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 14388 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (Yahooo Search Protection) - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (EWPBrowseObject Class) - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll ()
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {7922062A-BFDC-4708-9211-F91AAB7D60C7} - No CLSID value found.
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No CLSID value found.
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (PriceGongCtrl Class) - {D2A2595C-4FE4-4315-AA9B-19DBD6271B71} - C:\Program Files\PriceGong\1.2.0\PriceGongIE.dll (PriceGong)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-832801357-3535286217-991096044-1006\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-832801357-3535286217-991096044-1006\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-832801357-3535286217-991096044-1006\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [ECenter] C:\dell\E-Center\EULALauncher.exe ( )
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1225072980\ee\aolsoftware.exe (AOL LLC)
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe ()
O4 - HKU\S-1-5-21-832801357-3535286217-991096044-1006..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKU\S-1-5-21-832801357-3535286217-991096044-1006..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-832801357-3535286217-991096044-1006..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-832801357-3535286217-991096044-1006..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe (AWS Convergence Technologies, Inc.)
O4 - HKU\S-1-5-21-832801357-3535286217-991096044-1006..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\YspService.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe (America Online, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe (WDC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk = C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe (Western Digital)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O4 - Startup: C:\Documents and Settings\Jan\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-832801357-3535286217-991096044-1006\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-832801357-3535286217-991096044-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-832801357-3535286217-991096044-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-832801357-3535286217-991096044-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Yahoo! Search Protection - {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-832801357-3535286217-991096044-1006\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKU\S-1-5-21-832801357-3535286217-991096044-1006\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-832801357-3535286217-991096044-1006\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.microsoft.com/OAS/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB (Hewlett-Packard Printer Diagnostics)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab (HPSDDX Class)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.254.254
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Pictures\surreal landscape.bmp
O24 - Desktop BackupWallPaper: C:\Pictures\surreal landscape.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/06/25 20:12:45 | 000,000,000 | ---D | M] - C:\AUTOS -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/15 20:57:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jan\Application Data\PriceGong
[2010/08/15 20:55:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/08/15 20:01:14 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/08/15 20:01:14 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/08/15 20:01:14 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/08/15 20:01:14 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/08/13 03:06:50 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/08/12 23:07:48 | 000,000,000 | ---D | C] -- C:\Outlook Express Folders New
[2010/08/11 13:25:45 | 001,197,904 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jan\Desktop\tdsskiller.exe
[2010/08/10 10:40:51 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/08/10 10:35:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/08/10 10:35:16 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/08/09 17:37:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Update
[2010/08/08 14:40:52 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jan\Desktop\OTL.exe
[2010/08/02 10:32:48 | 000,000,000 | ---D | C] -- C:\Annuity Services
[2010/08/01 17:56:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
[2010/08/01 17:56:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2010/08/01 14:05:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/08/01 14:05:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/07/29 10:34:55 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\lowsec junk
[2010/07/26 19:20:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/26 19:20:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/25 20:45:51 | 000,000,000 | ---D | C] -- C:\Geneology
[2010/07/24 16:07:51 | 000,000,000 | ---D | C] -- C:\Ryan Deiss
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/19 19:06:51 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/19 19:06:48 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/19 19:06:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/19 19:06:45 | 2136,129,536 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/19 15:31:03 | 010,223,616 | -H-- | M] () -- C:\Documents and Settings\Jan\NTUSER.DAT
[2010/08/19 15:31:03 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Jan\ntuser.ini
[2010/08/19 15:24:05 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/18 19:56:22 | 000,000,309 | ---- | M] () -- C:\WINDOWS\control.ini
[2010/08/18 18:14:23 | 000,416,119 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/08/18 18:09:25 | 063,580,009 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/08/18 18:07:53 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Jan\Desktop\MBRCheck.exe
[2010/08/18 12:48:50 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Jan\Desktop\RKUnhookerLE.EXE
[2010/08/18 12:38:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/08/15 20:50:18 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/15 20:49:29 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100818-181423.backup
[2010/08/15 19:59:25 | 003,817,761 | R--- | M] () -- C:\Documents and Settings\Jan\Desktop\ComboFix2.exe
[2010/08/15 19:38:03 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Jan\defogger_reenable
[2010/08/15 19:36:48 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Jan\Desktop\Defogger.exe
[2010/08/15 19:29:10 | 000,002,184 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/14 19:22:50 | 000,002,415 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Dell Support Center.lnk
[2010/08/13 16:03:19 | 001,447,464 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/13 03:10:06 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/08/13 03:08:42 | 000,503,854 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/13 03:08:42 | 000,442,796 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/13 03:08:42 | 000,071,936 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/11 13:25:45 | 001,197,904 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jan\Desktop\tdsskiller.exe
[2010/08/10 13:33:41 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100812-221020.backup
[2010/08/10 10:41:00 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/08/10 10:25:15 | 003,818,105 | R--- | M] () -- C:\Documents and Settings\Jan\Desktop\ComboFix.exe
[2010/08/08 14:53:02 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Jan\Desktop\hxrzh470.exe
[2010/08/08 14:40:53 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jan\Desktop\OTL.exe
[2010/08/08 13:36:39 | 000,079,264 | ---- | M] () -- C:\Documents and Settings\Jan\Desktop\avg_blocked_message 20100808.jpg
[2010/08/04 17:49:21 | 000,000,156 | ---- | M] () -- C:\WINDOWS\Twunk001.MTX
[2010/08/04 17:49:21 | 000,000,005 | ---- | M] () -- C:\WINDOWS\Twain001.Mtx
[2010/08/02 16:31:09 | 000,037,458 | ---- | M] () -- C:\WINDOWS\System32\vtpkt
[2010/08/01 13:51:34 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa_junk.dbl
[2010/07/29 21:04:07 | 000,415,869 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100804-172209.backup
[2010/07/29 13:22:55 | 000,057,095 | ---- | M] () -- C:\Documents and Settings\Jan\Desktop\avg_blocked_message.jpg
[2010/07/27 21:11:56 | 000,000,010 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2010/07/27 18:31:30 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Jan\Desktop\gmer.zip
[2010/07/27 18:19:26 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Jan\Desktop\dds.scr
[2010/07/27 01:30:35 | 008,462,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shell32.dll
[2010/07/26 20:21:07 | 000,414,984 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100729-210407.backup
[2010/07/25 21:22:25 | 000,000,996 | ---- | M] () -- C:\WINDOWS\win.ini
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/18 12:48:50 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Jan\Desktop\RKUnhookerLE.EXE
[2010/08/17 17:03:19 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Jan\Desktop\MBRCheck.exe
[2010/08/15 20:33:46 | 2136,129,536 | -HS- | C] () -- C:\hiberfil.sys
[2010/08/15 20:01:14 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/08/15 20:01:14 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/08/15 20:01:14 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/08/15 20:01:14 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/08/15 20:01:14 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/08/15 19:59:18 | 003,817,761 | R--- | C] () -- C:\Documents and Settings\Jan\Desktop\ComboFix2.exe
[2010/08/15 19:38:03 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jan\defogger_reenable
[2010/08/15 19:36:47 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Jan\Desktop\Defogger.exe
[2010/08/10 10:41:00 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/08/10 10:40:54 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/08/10 10:25:13 | 003,818,105 | R--- | C] () -- C:\Documents and Settings\Jan\Desktop\ComboFix.exe
[2010/08/08 14:53:02 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Jan\Desktop\hxrzh470.exe
[2010/08/08 13:36:36 | 000,079,264 | ---- | C] () -- C:\Documents and Settings\Jan\Desktop\avg_blocked_message 20100808.jpg
[2010/08/03 13:46:47 | 000,002,184 | ---- | C] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/02 16:31:09 | 000,037,458 | ---- | C] () -- C:\WINDOWS\System32\vtpkt
[2010/07/29 13:22:55 | 000,057,095 | ---- | C] () -- C:\Documents and Settings\Jan\Desktop\avg_blocked_message.jpg
[2010/07/27 18:31:28 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Jan\Desktop\gmer.zip
[2010/07/27 18:19:26 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Jan\Desktop\dds.scr
[2009/04/26 16:05:44 | 000,000,053 | ---- | C] () -- C:\WINDOWS\MSREGUSR.INI
[2008/12/16 18:48:27 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008/08/20 19:33:57 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL
[2008/08/20 19:32:57 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2008/08/20 19:28:31 | 000,000,416 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2008/07/21 21:20:46 | 000,000,201 | ---- | C] () -- C:\WINDOWS\entpack.ini
[2008/06/28 20:26:07 | 000,000,059 | ---- | C] () -- C:\WINDOWS\System32\PConfig.ini
[2008/06/28 20:25:58 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\ppspCoInst.dll
[2008/06/28 20:25:56 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\MosUSBSerPropPage.dll
[2008/06/28 20:25:56 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\MosUSBParPropPage.dll
[2008/06/28 20:25:56 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\dbgmsgcfg.dll
[2008/06/28 20:25:55 | 000,900,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\mosuport.sys
[2008/06/21 19:43:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\MSVolume.dll
[2008/06/16 09:25:47 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/06/16 08:53:45 | 000,876,544 | ---- | C] () -- C:\WINDOWS\System32\TEACico2.dll
[2008/06/16 08:53:37 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
[2008/06/16 08:52:08 | 000,001,120 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/01/14 16:54:04 | 000,099,712 | ---- | C] () -- C:\WINDOWS\HPBroker.dll
[2004/08/10 13:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 13:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
< End of report >


#40 Elise

Malware Study Hall Admin

Posted 20 August 2010 - 03:35 AM

Hi, still some things to fix here.

OTL FIX
------------
We need to run an OTL Fix
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :otl
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
    O2 - BHO: (PriceGongCtrl Class) - {D2A2595C-4FE4-4315-AA9B-19DBD6271B71} - C:\Program Files\PriceGong\1.2.0\PriceGongIE.dll (PriceGong)

    :commands
    [emptytemp]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft
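A log-triage helper for the OTL lines this fix targets, added here as an example that is not part of the thread or of OldTimer's OTL: it parses OTL-format lines, flags any hive where ProxyEnable is 1 and ProxyServer points at the loopback address (the http=127.0.0.1:6522 setting above), picks out a BHO by CLSID, and renders the matching lines in the :otl / :commands layout Elise used. The sample log lines and the S-1-5-21-111-222-333-1001 SID are constructed for the example.

```python
"""OTL log triage helper (added example; not part of the original thread or
of OldTimer's OTL).  It scans OTL-format lines for the two things the fix
above removes: an Internet Explorer proxy that is enabled and points at the
loopback address in some registry hive, and a Browser Helper Object with a
given CLSID.  The sample log below is constructed in OTL's line format."""
import re
from dataclasses import dataclass

# IE - HKU\<hive>\Software\...\Internet Settings: "<name>" = <value>
IE_SETTING_RE = re.compile(
    r'^IE - (?P<hive>HKLM|HKU\\[^\\]+)\\.*\\Internet Settings: '
    r'"(?P<name>\w+)" = (?P<value>.*)$')
# O2 - BHO: (<display name>) - {<CLSID>} - <file> (<company>)
BHO_RE = re.compile(
    r'^O2 - BHO: \((?P<name>[^)]*)\) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<rest>.*)$')

# Constructed sample in OTL's format; the .DEFAULT hive mirrors the thread,
# the S-1-5-21-111-222-333-1001 hive is made up and has ProxyEnable = 0.
SAMPLE_LOG = [
    r'IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1',
    r'IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>',
    r'IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522',
    r'IE - HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0',
    r'IE - HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522',
    r'O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)',
    r'O2 - BHO: (PriceGongCtrl Class) - {D2A2595C-4FE4-4315-AA9B-19DBD6271B71} - C:\Program Files\PriceGong\1.2.0\PriceGongIE.dll (PriceGong)',
]
PRICEGONG_CLSID = '{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}'


@dataclass(frozen=True)
class Finding:
    category: str   # "proxy-loopback" or "bho-match"
    subject: str    # hive name or CLSID
    line: str       # the OTL line to paste verbatim under :otl


def proxy_hosts(value):
    """Hosts named in a ProxyServer value.  IE stores either "host:port" or
    a per-scheme list such as "http=127.0.0.1:6522;https=127.0.0.1:6522"."""
    hosts = []
    for entry in value.split(';'):
        entry = entry.strip()
        if not entry:
            continue
        if '=' in entry:                       # drop the "http=" style prefix
            entry = entry.split('=', 1)[1]
        host = entry.rsplit(':', 1)[0] if ':' in entry else entry
        hosts.append(host.strip('[]').lower())
    return hosts


def is_loopback(host):
    return host == 'localhost' or host == '::1' or host.startswith('127.')


def triage_otl(lines, bho_clsids=()):
    """Return Findings for every hive whose proxy is enabled and loopback-bound,
    plus any BHO line whose CLSID is listed in bho_clsids."""
    per_hive = {}                              # hive -> {setting: (value, line)}
    findings = []
    wanted = {c.upper() for c in bho_clsids}
    for raw in lines:
        line = raw.strip()
        m = IE_SETTING_RE.match(line)
        if m:
            per_hive.setdefault(m['hive'], {})[m['name']] = (m['value'].strip(), line)
            continue
        m = BHO_RE.match(line)
        if m and m['clsid'].upper() in wanted:
            findings.append(Finding('bho-match', m['clsid'], line))
    for hive, vals in per_hive.items():
        enabled = vals.get('ProxyEnable', ('0', ''))[0] == '1'
        server = vals.get('ProxyServer', ('', ''))[0]
        if enabled and server and any(is_loopback(h) for h in proxy_hosts(server)):
            # The fix lists every proxy value of the hive, as the post above does.
            for name in ('ProxyEnable', 'ProxyOverride', 'ProxyServer'):
                if name in vals:
                    findings.append(Finding('proxy-loopback', hive, vals[name][1]))
    return findings


def otl_fix_block(findings):
    """Render findings in the :otl / :commands layout used in the thread."""
    body = '\n'.join(f.line for f in findings)
    return f':otl\n{body}\n\n:commands\n[emptytemp]'


if __name__ == '__main__':
    for f in triage_otl(SAMPLE_LOG, bho_clsids=[PRICEGONG_CLSID]):
        print(f'{f.category:15} {f.subject}')
    print(otl_fix_block(triage_otl(SAMPLE_LOG, bho_clsids=[PRICEGONG_CLSID])))
```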


#41 moonmaid

Topic Starter

Posted 20 August 2010 - 04:17 PM

Done. Here it is!

All processes killed
========== OTL ==========
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}\ deleted successfully.
C:\Program Files\PriceGong\1.2.0\PriceGongIE.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 49152 bytes
->Temporary Internet Files folder emptied: 175232 bytes

User: Jan
->Temp folder emptied: 23910566 bytes
->Temporary Internet Files folder emptied: 16552354 bytes
->Java cache emptied: 3077693 bytes
->FireFox cache emptied: 43384769 bytes
->Flash cache emptied: 4463869 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 163974 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 30565 bytes
->Flash cache emptied: 10847 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 84736 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 88.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 08202010_160900

Files\Folders moved on Reboot...
C:\Documents and Settings\Jan\Local Settings\Temp\Google Toolbar\GoogleToolbarWelcome.log moved successfully.
C:\Documents and Settings\Jan\Local Settings\Temp\~DF59D8.tmp moved successfully.
C:\Documents and Settings\Jan\Local Settings\Temporary Internet Files\Content.IE5\M3MYX3G5\iframe[1].htm moved successfully.
C:\Documents and Settings\Jan\Local Settings\Temporary Internet Files\Content.IE5\7KOWJR4C\topic335310-30[1].htm moved successfully.
C:\Documents and Settings\Jan\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...


#42 Elise

Malware Study Hall Admin

Posted 21 August 2010 - 02:09 AM

Hello, do you have any problems left?

UPDATE JAVA
------------------
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 21 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.



MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft


#43 moonmaid

moonmaid
  • Topic Starter

  • Members
  • 46 posts
  • Local time:04:03 AM

Posted 21 August 2010 - 03:51 PM

Elise,

I updated Java and ran Malwarebytes. Below is the log.

The computer had seemed to be running slow, but seems better now. I haven't been doing a lot with it. One thing I noticed when I first had this problem was with Outlook Express. I was trying to export my messages. It gives me an error message that says, "The export could not be performed. An error occurred while initializing MAPI." I still get the error. I have no idea if it would have gotten that error before, as I've never tried the export before.

Another thing I just thought of...a couple of months ago I had an issue with my Yahoo email address sending out bogus emails. Yahoo support said it was likely a worm from someone else's computer, but didn't indicate that it was any kind of problem. After that, whenever I used Yahoo chat to chat with a friend of mine, he said that on his end whenever I was typing, instead of it saying "_____ is typing" it would say something like "_________ is typing and chewing gum at the same time" or "______ is having an "aha" moment." I didn't notice anything else on my computer at the time. I haven't chatted with anyone on this computer since we've been working on it. Not sure if all that's important or not, and I had forgotten about it.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4458

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/21/2010 3:34:01 PM
mbam-log-2010-08-21 (15-34-01).txt

Scan type: Quick scan
Objects scanned: 134551
Time elapsed: 8 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7922062a-bfdc-4708-9211-f91aab7d60c7} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7922062a-bfdc-4708-9211-f91aab7d60c7} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\PriceGong (Adware.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Jan\Application Data\PriceGong (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data (Adware.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\1.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\a.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\b.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\c.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\d.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\e.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\f.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\g.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\h.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\i.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\J.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\k.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\l.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\m.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\mru.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\n.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\o.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\p.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\q.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\r.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\s.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\t.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\u.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\v.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\w.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\x.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\y.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jan\Application Data\PriceGong\Data\z.xml (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSVolume.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
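
The MBAM log above has a fixed layout: a top portion with the database version, a block of summary counts, then one itemised section per count. As an added example that is not part of this thread, the Python below parses that layout, tallies detections per family, lists anything MBAM did not remove, and flags summary counts that disagree with the items actually listed (the check a helper wants before trusting a pasted log). The sample log inside it is constructed for the example from entries in this format.

```python
import re
from collections import Counter

# Constructed sample in the MBAM 1.46 log format posted in this thread (shortened; the
# "Files Infected: 2" summary is deliberately one more than the files actually listed).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Database version: 4458
Registry Keys Infected: 3
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7922062a-bfdc-4708-9211-f91aab7d60c7} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\MSVolume.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
"""
SUMMARY_RE = re.compile(r"^(.+ Infected): (\d+)$")  # e.g. "Registry Keys Infected: 3"
SECTION_RE = re.compile(r"^(.+ Infected):$")        # start of an itemised section
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

def parse_mbam_log(text):
    """Return (header fields, summary counts, itemised detections) from an MBAM log."""
    header, summary, items, section = {}, {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("(No malicious"):
            continue
        if m := SUMMARY_RE.match(line):
            summary[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and (m := ITEM_RE.match(line)):
            items.append(dict(section=section, **m.groupdict()))
        elif ": " in line:  # top-portion fields such as "Database version: 4458"
            key, _, value = line.partition(": ")
            header[key] = value
    return header, summary, items

def triage(text):
    """Per-family counts, unremoved items, and summary counts that disagree with the itemised entries."""
    header, summary, items = parse_mbam_log(text)
    listed = Counter(i["section"] for i in items)
    return {
        "database_version": header.get("Database version"),
        "families": Counter(i["family"] for i in items),
        "unresolved": [i["path"] for i in items if not i["action"].startswith("Quarantined")],
        "mismatched_sections": {s: (n, listed[s]) for s, n in summary.items() if n != listed[s]},
    }
```

A non-empty `mismatched_sections` usually means the poster trimmed the log or pasted only part of it, which is why the instructions above ask for the complete log including the top portion.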


#44 moonmaid

moonmaid
  • Topic Starter

  • Members
  • 46 posts
  • Local time:04:03 AM

Posted 21 August 2010 - 04:48 PM

Another comment...it looks like I'm still getting Google redirects sometimes.

#45 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,431 posts
  • Gender:Female
  • Location:Romania
  • Local time:11:03 AM

Posted 22 August 2010 - 02:14 AM

If you have a router, please reset it. They quite often get hijacked and cause problems like redirects.

Also, please download a new copy of ComboFix, run it and post me the log.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft




