Bamital.DX trojan


  • This topic is locked
33 replies to this topic

#1 JoeyKhor94
  • Members
  • 17 posts

Posted 14 September 2010 - 08:50 AM

Referred from here: http://www.bleepingcomputer.com/forums/topic346835.html ~ OB

I have a trojan which is called Bamital.DX trojan, and I have some trouble getting rid of it. Here is what happened after I did a full scan with my ESET NOD32 Smart Security.



And I was asked to do an OTL scan and post the log here, so here it is.


OTL logfile created on: 9/14/2010 3:39:22 PM - Run 2
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Users\Joey\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Netherlands | Language: NLD | Date Format: d-M-yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 457.95 Gb Total Space | 402.59 Gb Free Space | 87.91% Space Free | Partition Type: NTFS
Drive D: | 458.46 Gb Total Space | 457.69 Gb Free Space | 99.83% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JOEY-PC
Current User Name: Joey
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/14 15:30:21 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Joey\Desktop\OTL.exe
PRC - [2010/09/12 13:32:49 | 004,597,760 | ---- | M] (GarenaMaster) -- C:\Users\Joey\AppData\Local\Temp\Rar$EX00.585\GM.exe
PRC - [2010/09/07 15:05:36 | 002,524,504 | ---- | M] (Garena Online PTE LTD) -- C:\Program Files (x86)\Garena\Garena.exe
PRC - [2010/09/03 02:58:56 | 000,975,928 | ---- | M] (Google Inc.) -- C:\Users\Joey\AppData\Local\Google\Chrome\Application\chrome.exe
PRC - [2010/08/12 14:16:26 | 000,810,144 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
PRC - [2010/05/07 18:47:32 | 000,114,008 | ---- | M] (Logitech Inc.) -- C:\Program Files (x86)\Common Files\logishrd\LVMVFM\LVPrS64H.exe
PRC - [2009/12/09 11:24:16 | 000,076,320 | ---- | M] () -- C:\OEM\USBDECTION\USBS3S4Detection.exe
PRC - [2009/10/13 20:25:54 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2009/10/13 20:25:30 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2009/10/01 04:34:22 | 002,314,240 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
PRC - [2009/10/01 04:33:08 | 000,262,144 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
PRC - [2009/08/28 11:38:58 | 001,150,496 | ---- | M] (Acer Incorporated) -- C:\Program Files (x86)\Packard Bell\Registration\GregHSRW.exe
PRC - [2009/07/26 16:44:34 | 003,883,856 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
PRC - [2009/07/04 04:47:12 | 000,240,160 | ---- | M] (Acer) -- C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe
PRC - [2009/02/06 17:07:48 | 000,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe


========== Modules (SafeList) ==========

MOD - [2010/09/14 15:30:21 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Joey\Desktop\OTL.exe
MOD - [2010/03/08 23:33:56 | 000,427,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\vbscript.dll
MOD - [2010/01/14 16:08:22 | 000,460,048 | ---- | M] (PC Tools) -- C:\Program Files (x86)\ThreatFire\TFWAH.dll
MOD - [2009/07/14 03:17:54 | 000,242,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\rsaenh.dll
MOD - [2009/07/14 03:16:19 | 000,085,504 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\wbem\wmiutils.dll
MOD - [2009/07/14 03:16:17 | 000,362,496 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\wbemcomn.dll
MOD - [2009/07/14 03:16:17 | 000,187,392 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\wbem\wbemdisp.dll
MOD - [2009/07/14 03:16:17 | 000,047,616 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\wbem\wbemsvc.dll
MOD - [2009/07/14 03:16:17 | 000,029,184 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\wbem\wbemprox.dll
MOD - [2009/07/14 03:16:15 | 000,380,416 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\sxs.dll
MOD - [2009/07/14 03:16:13 | 000,045,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\RpcRtRemote.dll
MOD - [2009/07/14 03:16:11 | 000,090,112 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\ntdsapi.dll
MOD - [2009/07/14 03:15:36 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\linkinfo.dll
MOD - [2009/07/14 03:15:21 | 000,828,928 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\fontext.dll
MOD - [2009/07/14 03:15:21 | 000,093,696 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\Windows\SysWOW64\fms.dll
MOD - [2009/07/14 03:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\wbem\fastprox.dll
MOD - [2009/07/14 03:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx
MOD - [2009/07/14 03:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\Windows\SysNative\GameMon.des -- (npggsvc)
SRV:64bit: - [2010/08/12 14:18:40 | 000,042,360 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv)
SRV:64bit: - [2010/08/12 14:16:26 | 000,810,144 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe -- (ekrn)
SRV:64bit: - [2010/06/29 19:49:27 | 000,128,752 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE -- (!SASCORE)
SRV:64bit: - [2010/05/07 18:45:16 | 000,197,976 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe -- (LVPrcS64)
SRV:64bit: - [2009/07/14 03:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/04 04:47:12 | 000,240,160 | ---- | M] (Acer) [Auto | Running] -- C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe -- (Updater Service)
SRV - [2010/07/07 21:27:13 | 000,395,048 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/06/07 21:22:00 | 003,549,224 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\SysWow64\GameMon.des -- (npggsvc)
SRV - [2010/03/18 14:27:14 | 000,138,576 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_64)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2010/01/14 16:08:12 | 000,070,928 | ---- | M] (PC Tools) [Auto | Stopped] -- C:\Program Files (x86)\ThreatFire\TFService.exe -- (ThreatFire)
SRV - [2009/12/09 11:24:16 | 000,076,320 | ---- | M] () [Auto | Running] -- C:\OEM\USBDECTION\USBS3S4Detection.exe -- (USBS3S4Detection)
SRV - [2009/10/13 20:25:30 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2009/10/01 04:34:22 | 002,314,240 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe -- (UNS) Intel®
SRV - [2009/10/01 04:33:08 | 000,262,144 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS) Intel®
SRV - [2009/08/29 03:05:56 | 000,044,312 | ---- | M] () [Disabled | Stopped] -- C:\Program Files (x86)\Packard Bell GameZone\GameConsole\OberonGameConsoleService.exe -- (OberonGameConsoleService)
SRV - [2009/08/28 11:38:58 | 001,150,496 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files (x86)\Packard Bell\Registration\GregHSRW.exe -- (Greg_Service)
SRV - [2009/08/25 20:38:06 | 000,935,208 | ---- | M] (Nero AG) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2009/07/13 01:08:04 | 000,024,168 | ---- | M] (The Within Network, LLC) [Auto | Stopped] -- C:\Windows\UnsignedThemesSvc.exe -- (UnsignedThemes)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2010/07/29 13:31:26 | 000,171,152 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\epfw.sys -- (epfw)
DRV:64bit: - [2010/07/29 13:31:26 | 000,168,544 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\eamonm.sys -- (eamonm)
DRV:64bit: - [2010/07/29 13:31:26 | 000,141,264 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ehdrv.sys -- (ehdrv)
DRV:64bit: - [2010/07/29 13:31:26 | 000,050,624 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\epfwwfp.sys -- (epfwwfp)
DRV:64bit: - [2010/07/29 13:31:26 | 000,033,632 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\epfwndis.sys -- (Epfwndis)
DRV:64bit: - [2010/07/27 08:14:24 | 006,465,632 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lvuvc64.sys -- (LVUVC64) Logitech Webcam 300(UVC)
DRV:64bit: - [2010/07/27 08:12:16 | 000,339,040 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lvrs64.sys -- (LVRS64)
DRV:64bit: - [2010/07/27 08:11:38 | 000,271,712 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lvpopf64.sys -- (lvpopf64)
DRV:64bit: - [2010/05/07 18:43:30 | 000,030,304 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\LVPr2M64.sys -- (LVPr2Mon)
DRV:64bit: - [2010/05/07 18:43:30 | 000,030,304 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LVPr2M64.sys -- (LVPr2M64)
DRV:64bit: - [2010/04/14 01:01:44 | 000,054,824 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btusbflt.sys -- (btusbflt)
DRV:64bit: - [2010/02/17 20:23:05 | 000,014,920 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2010/02/17 20:23:05 | 000,012,360 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2010/01/14 16:08:34 | 000,059,880 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\TfSysMon.sys -- (TfSysMon)
DRV:64bit: - [2010/01/14 16:08:32 | 000,041,888 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\TfNetMon.sys -- (TfNetMon)
DRV:64bit: - [2010/01/14 16:08:30 | 000,065,072 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\TfFsMon.sys -- (TfFsMon)
DRV:64bit: - [2009/10/29 10:14:38 | 000,115,824 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\jraid.sys -- (JRAID)
DRV:64bit: - [2009/10/13 20:16:40 | 000,409,624 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2009/09/23 11:11:04 | 000,283,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1k62x64.sys -- (e1kexpress) Intel®
DRV:64bit: - [2009/09/17 06:54:54 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64) Intel®
DRV:64bit: - [2009/08/21 22:24:04 | 000,084,512 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2009/07/14 03:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/14 03:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 03:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 01:09:20 | 000,030,568 | ---- | M] () [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\uxpatch.sys -- (uxpatch)
DRV:64bit: - [2009/06/10 22:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2005/01/03 17:43:08 | 000,004,682 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWow64\npptNT2.sys -- (NPPTNT2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.packardbell.com/rdr.aspx?b...15x1h5y45012265
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.packardbell.com/rdr.aspx?b...15x1h5y45012265
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.packardbell.com/rdr.aspx?b...15x1h5y45012265
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.packardbell.com/rdr.aspx?b...15x1h5y45012265

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.packardbell.com/rdr.aspx?b...15x1h5y45012265
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.packardbell.com/rdr.aspx?b...15x1h5y45012265
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2010/09/12 09:31:48 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2009/06/10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4:64bit: - HKLM..\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe (Logitech Inc.)
O4 - HKCU..\Run: [Logitech Vid] C:\Program Files (x86)\Logitech\Logitech Vid\Vid.exe (Logitech Inc.)
O4 - HKCU..\Run: [msnmsgr] C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Users\Joey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Productregistratie.lnk = C:\Program Files (x86)\Logitech\Ereg\eReg.exe (Leader Technologies/Logitech)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetOpenWith = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8:64bit: - Extra context menu item: Free YouTube Download - C:\Users\Joey\AppData\Roaming\DVDVideoSoftIEHelpers\youtubedownload.htm ()
O8:64bit: - Extra context menu item: Free YouTube to Mp3 Converter - C:\Users\Joey\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm ()
O8 - Extra context menu item: Free YouTube Download - C:\Users\Joey\AppData\Roaming\DVDVideoSoftIEHelpers\youtubedownload.htm ()
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Users\Joey\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm ()
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files (x86)\PPLive\PPTV\PPLive.exe (PPLive Corporation)
O9 - Extra 'Tools' menuitem : PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files (x86)\PPLive\PPTV\PPLive.exe (PPLive Corporation)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/MessengerGam...1/GAME_UNO1.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} http://trial.trymicrosoftoffice.com/trialo...osoft/wrc32.ocx (Reg Error: Key error.)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/09/14 15:30:15 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Users\Joey\Desktop\OTL.exe
[2010/09/12 18:50:25 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW
[2010/09/07 15:51:20 | 000,000,000 | ---D | C] -- C:\Users\Joey\Desktop\School
[2010/09/04 14:13:16 | 000,000,000 | ---D | C] -- C:\Users\Joey\Documents\SightSpeed Recordings
[2010/09/04 14:06:45 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\logishrd
[2010/09/04 14:06:45 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\logishrd
[2010/08/25 11:05:20 | 000,861,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\oleaut32.dll
[2010/08/20 14:26:13 | 000,000,000 | ---D | C] -- C:\Users\Joey\Desktop\celinni
[2010/08/16 13:01:08 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/08/16 13:01:03 | 000,024,664 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/08/16 12:55:17 | 000,000,000 | ---D | C] -- C:\Users\Joey\Desktop\Personal project

========== Files - Modified Within 30 Days ==========

[2010/09/14 15:39:53 | 001,810,432 | ---- | M] () -- C:\Users\Joey\NTUSER.DAT
[2010/09/14 15:30:21 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Joey\Desktop\OTL.exe
[2010/09/14 14:52:00 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4148463772-1436746264-1013026385-1000UA.job
[2010/09/14 14:21:13 | 000,726,316 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/09/14 14:21:13 | 000,615,810 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/09/14 14:21:13 | 000,106,190 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/09/14 07:32:41 | 000,009,696 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/14 07:32:41 | 000,009,696 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/14 07:25:32 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/14 07:25:29 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/14 07:25:26 | 3113,558,016 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/13 23:11:28 | 001,186,962 | -H-- | M] () -- C:\Users\Joey\AppData\Local\IconCache.db
[2010/09/13 22:09:20 | 000,075,161 | ---- | M] () -- C:\Users\Joey\Desktop\10.09.13-FIBA World Championships - Final - USA vs Turkey - 12 September 2010 - HD.torrent
[2010/09/13 20:27:14 | 007,383,007 | ---- | M] () -- C:\Users\Joey\Desktop\GM.rar
[2010/09/13 20:02:45 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\drivers\lvuvc.hs
[2010/09/12 19:52:05 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4148463772-1436746264-1013026385-1000Core.job
[2010/09/10 16:52:53 | 000,002,407 | ---- | M] () -- C:\Users\Joey\Desktop\Google Chrome.lnk
[2010/09/06 16:07:38 | 000,001,122 | ---- | M] () -- C:\Users\Joey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Productregistratie.lnk
[2010/09/04 13:51:40 | 000,086,640 | ---- | M] () -- C:\Users\Joey\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/09/04 02:50:13 | 004,913,304 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/08/28 19:14:30 | 018,223,536 | ---- | M] () -- C:\Users\Joey\Desktop\GarenaUniversalMapHackv7.rar
[2010/08/19 16:33:59 | 000,001,094 | ---- | M] () -- C:\Users\Public\Desktop\Switch to Gaming Mode.lnk
[2010/08/16 12:56:32 | 000,019,026 | ---- | M] () -- C:\Users\Joey\Documents\cc_20100816_125628.reg

========== Files Created - No Company Name ==========

[2010/09/13 22:09:20 | 000,075,161 | ---- | C] () -- C:\Users\Joey\Desktop\10.09.13-FIBA World Championships - Final - USA vs Turkey - 12 September 2010 - HD.torrent
[2010/09/13 20:26:47 | 007,383,007 | ---- | C] () -- C:\Users\Joey\Desktop\GM.rar
[2010/09/06 16:07:38 | 000,001,122 | ---- | C] () -- C:\Users\Joey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Productregistratie.lnk
[2010/08/28 19:09:50 | 018,223,536 | ---- | C] () -- C:\Users\Joey\Desktop\GarenaUniversalMapHackv7.rar
[2010/08/19 16:33:59 | 000,001,094 | ---- | C] () -- C:\Users\Public\Desktop\Switch to Gaming Mode.lnk
[2010/08/16 12:56:31 | 000,019,026 | ---- | C] () -- C:\Users\Joey\Documents\cc_20100816_125628.reg
[2010/07/27 08:03:20 | 010,829,656 | ---- | C] () -- C:\Windows\SysWow64\LogiDPP.dll
[2010/07/27 08:03:18 | 000,290,648 | ---- | C] () -- C:\Windows\SysWow64\DevManagerCore.dll
[2010/07/24 01:50:06 | 001,708,695 | ---- | C] () -- C:\Program Files (x86)\xdo64_setup.exe
[2010/01/13 06:38:02 | 000,131,368 | ---- | C] () -- C:\ProgramData\FullRemove.exe
[2010/01/13 06:37:42 | 000,776,614 | ---- | C] () -- C:\Program Files (x86)\Common Files\packardbell.ico
[2009/08/03 09:21:54 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2009/08/03 09:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2009/08/03 09:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2009/08/03 09:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2009/08/03 09:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2009/08/03 09:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2009/08/03 09:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2009/08/03 09:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2009/08/03 09:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2009/08/03 09:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll
[2009/07/14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 23:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll

========== LOP Check ==========

[2010/09/06 16:06:29 | 000,032,634 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/07/14 03:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\SysWow64\DriverStore\FileRepository\machine.inf_amd64_neutral_9e6bb86c3b39a3e9\AGP440.sys
[2009/07/14 03:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_1607dee2d861e021\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/07/14 03:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysWow64\DriverStore\FileRepository\mshdc.inf_amd64_neutral_a69a58a4286f0b22\atapi.sys
[2009/07/14 03:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/14 03:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
[2009/07/14 03:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
[2009/07/14 03:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
[2009/07/14 03:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\Windows\winsxs\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_4458dccc49458461\cngaudit.dll

< MD5 for: EVENTLOG.DLL >
[2008/06/06 14:03:52 | 000,007,216 | ---- | M] () MD5=C2A279A458A06DE2C83D842AA042B5A8 -- C:\Program Files (x86)\CyberLink\PowerDirector\EventLog.dll

< MD5 for: IASTOR.SYS >
[2009/10/13 20:09:36 | 000,331,288 | ---- | M] (Intel Corporation) MD5=0BAA4115DFFFD6A6D809A89D65E1281A -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\driver\IaStor.sys
[2009/10/13 20:16:40 | 000,409,624 | ---- | M] (Intel Corporation) MD5=BE7D72FCF442C26975942007E0831241 -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\driver64\IaStor.sys
[2009/10/13 20:16:40 | 000,409,624 | ---- | M] (Intel Corporation) MD5=BE7D72FCF442C26975942007E0831241 -- C:\Windows\SysWow64\DriverStore\FileRepository\iaahci.inf_amd64_neutral_6fca727099cdabf1\iaStor.sys

< MD5 for: IASTORV.SYS >
[2009/07/14 03:48:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\SysWow64\DriverStore\FileRepository\iastorv.inf_amd64_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/14 03:48:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_0b06441fa1790136\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/14 03:41:52 | 000,692,736 | ---- | M] (Microsoft Corporation) MD5=956D030D375F207B22FB111E06EF9C35 -- C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_59aca8ea51aaeefe\netlogon.dll
[2009/07/14 03:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\SysWOW64\netlogon.dll
[2009/07/14 03:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\SysWOW64\netlogon.dll
[2009/07/14 03:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_6401533c860bb0f9\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2009/07/14 03:45:45 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\SysWow64\DriverStore\FileRepository\nvraid.inf_amd64_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/14 03:45:45 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_95cfb4ced8afab0e\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/07/14 03:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\SysWOW64\scecli.dll
[2009/07/14 03:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\SysWOW64\scecli.dll
[2009/07/14 03:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9e577e55272d37b4\scecli.dll
[2009/07/14 03:41:53 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=398712DDDAEFB85EDF61DF6A07B65C79 -- C:\Windows\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9402d402f2cc75b9\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 205 bytes -> C:\ProgramData\Temp:DFC5A2B2
@Alternate Data Stream - 159 bytes -> C:\ProgramData\Temp:07BF512B
@Alternate Data Stream - 122 bytes -> C:\ProgramData\Temp:A8ADE5D8
@Alternate Data Stream - 120 bytes -> C:\ProgramData\Temp:93DE1838
< End of report >

Edited by Orange Blossom, 14 September 2010 - 09:17 AM.



#2 JoeyKhor94

JoeyKhor94
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:02:36 AM

Posted 20 September 2010 - 02:45 PM

Bump... I already waited for 6 days... Can someone please help me?

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:36 AM

Posted 20 September 2010 - 06:31 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#4 JoeyKhor94

JoeyKhor94
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:02:36 AM

Posted 21 September 2010 - 01:02 PM

I downloaded ComboFix but it wasn't compatible with Windows 7 ):

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:36 AM

Posted 21 September 2010 - 01:03 PM

Okay, please do this next

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Edited by m0le, 21 September 2010 - 01:06 PM.

m0le is a proud member of UNITE

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:36 AM

Posted 23 September 2010 - 06:19 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:36 AM

Posted 24 September 2010 - 07:26 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:36 AM

Posted 26 September 2010 - 01:32 PM

Reopened at user's request

-----------------------------------------

Please post away!
m0le is a proud member of UNITE

#9 JoeyKhor94

JoeyKhor94
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:02:36 AM

Posted 26 September 2010 - 02:39 PM

Here is the scan log.

I didn't remove anything that was found because they are not recommended to remove.


Sophos Anti-Rootkit Version 1.5.4 © 2009 Sophos Plc
Started logging on 23-9-2010 at 19:03:26
User "Joey" on computer "JOEY-PC"
Windows version 6.1 SP 0.0 build 7600 SM=0x300 PT=0x1 WOW64
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYCGWO2V\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=3044127475047430[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RPZ0FOHY\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=5539522184367481[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C7RLQGKW\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=2498061780080202[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RPZ0FOHY\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=6951212432808042[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RPZ0FOHY\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=9583194689321252[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C7RLQGKW\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=3;sz=728x90;ord=2426392024994083[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C7RLQGKW\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=1868138842619900[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GGOHWYE4\;42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=3;sz=728x90;ord=271252327193301[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GGOHWYE4\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=9660150233668418[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C7RLQGKW\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=3293038386474581[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C7RLQGKW\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=3282451364668886[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYCGWO2V\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=4982312658210632[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RPZ0FOHY\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=1036862148389571[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C7RLQGKW\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=8424747481466032[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C7RLQGKW\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=3;sz=728x90;ord=8433655708714043[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYCGWO2V\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=3;sz=728x90;ord=2200094698363505[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GGOHWYE4\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=9669055684678120[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GGOHWYE4\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=3;sz=728x90;ord=7023942274068359[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYCGWO2V\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=9266426418882064[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GGOHWYE4\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=4901054755867503[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RPZ0FOHY\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=3;sz=728x90;ord=6588620418259583[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RPZ0FOHY\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=7760616047537346[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C7RLQGKW\;42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=3;sz=728x90;ord=967839622078709[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYCGWO2V\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=3;sz=728x90;ord=6965637292636020[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C7RLQGKW\way=vod;section_1=player;section_2=garena_v2;=;u=%7Cpagename-gmp%7Cgateway-vod%7Csection_1-player%7Csection_2-garena_v2%7C-;sz=728x90;tile=1;ord=340921740263080500[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYCGWO2V\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=3;sz=728x90;ord=1082938761949839[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C7RLQGKW\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=3;sz=728x90;ord=4435216742658486[1]
Hidden: file C:\ProgramData\PPLive\Core\resconfig\¹«Ö÷¼̃µ½(µÚ13¼¯)[2].mp4.tpp.cfg
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYCGWO2V\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=4391902961990994[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RPZ0FOHY\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=3;sz=728x90;ord=9064260021243460[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RPZ0FOHY\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=1657679336928108[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYCGWO2V\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=3;sz=728x90;ord=7039965901013951[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GGOHWYE4\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=8489878671220841[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GGOHWYE4\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=3;sz=728x90;ord=1016741491464517[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYCGWO2V\;42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=359188807382945[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RPZ0FOHY\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=3;sz=728x90;ord=7175951018295106[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GGOHWYE4\;42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=3;sz=728x90;ord=759390831856168[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C7RLQGKW\;42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=776363756129627[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GGOHWYE4\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=3;sz=728x90;ord=5834545153886428[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYCGWO2V\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=6263835340937591[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C7RLQGKW\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=3;sz=728x90;ord=3099783922971165[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C7RLQGKW\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=3;sz=728x90;ord=8218615736126588[1]
Hidden: file C:\Windows\SysWOW64\wininit.exe
Hidden: file C:\Program Files (x86)\Internet Explorer\iexplore.exe
Info: Starting disk scan of D: (NTFS).
Stopped logging on 23-9-2010 at 19:18:22


Sophos Anti-Rootkit Version 1.5.4 © 2009 Sophos Plc
Started logging on 23-9-2010 at 19:21:48
User "Joey" on computer "JOEY-PC"
Windows version 6.1 SP 0.0 build 7600 SM=0x300 PT=0x1 WOW64
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Info: Starting disk scan of D: (NTFS).
Stopped logging on 23-9-2010 at 19:34:00


Sophos Anti-Rootkit Version 1.5.4 © 2009 Sophos Plc
Started logging on 26-9-2010 at 15:17:31
User "Joey" on computer "JOEY-PC"
Windows version 6.1 SP 0.0 build 7600 SM=0x300 PT=0x1 WOW64
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\ProgramData\PPLive\Core\resconfig\ResourceInfo.dat.tmp
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QRNGR9OH\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=8923460852983824[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HEFSWRBD\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=2054724134770990[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LMQU7JEU\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=7708308539266029[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\847V6XYX\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=1;sz=234x60;ord=5501547678877969[1]
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QRNGR9OH\format3[5].html
Hidden: file C:\Users\Joey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LMQU7JEU\42=value;43=value;44=value;45=value;46=value;47=value;48=value;49=value;50=value;51=value;52=value;53=value;54=value;55=value;tile=3;sz=728x90;ord=7314476689856411[1]

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:36 AM

Posted 26 September 2010 - 05:14 PM

Okay, please rerun OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

CODE
:OTL
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
@Alternate Data Stream - 205 bytes -> C:\ProgramData\Temp:DFC5A2B2
@Alternate Data Stream - 159 bytes -> C:\ProgramData\Temp:07BF512B
@Alternate Data Stream - 122 bytes -> C:\ProgramData\Temp:A8ADE5D8
@Alternate Data Stream - 120 bytes -> C:\ProgramData\Temp:93DE1838
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"


Then click the Run Fix button at the top

Let the program run unhindered.

When done it will say "Fix Complete press ok to open the log"
Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Next please run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Finally, run System Look so we can find some replacements for the infected system files

Please download SystemLook from the link below and save it to your Desktop.
Download Mirror #1
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    wininit.exe
    iexplore.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Edited by m0le, 26 September 2010 - 05:18 PM.

m0le is a proud member of UNITE
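As an added example (not part of this thread and not code from the SystemLook tool), the following Python script parses SystemLook ":filefind" output of the kind requested above and, for each live copy of a file, compares its MD5 with the same-size copy kept in the WinSxS component store, flagging copies whose hash could not be read or differs and naming the WinSxS copy as the replacement candidate. The wininit.exe lines in the sample are copied from the SystemLook log posted later in the thread; the iexplore.exe lines, their component folder and their hashes are constructed placeholders.

```python
import re
from collections import defaultdict

# Sample input. The wininit.exe lines are copied from the SystemLook log posted
# later in this thread; the iexplore.exe block is CONSTRUCTED (placeholder
# component folder and hashes) so that a hash mismatch is exercised too.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "wininit.exe"
C:\Windows\System32\wininit.exe --a---- 129024 bytes [23:52 13/07/2009] [01:39 14/07/2009] 94355C28C1970635A31B3FE52EB7CEBA
C:\Windows\SysWOW64\wininit.exe --a---- 96256 bytes [23:36 13/07/2009] [01:14 14/07/2009] (Unable to calculate MD5)
C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_8ce7aa761e01ad49\wininit.exe --a---- 129024 bytes [23:52 13/07/2009] [01:39 14/07/2009] 94355C28C1970635A31B3FE52EB7CEBA
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe ------- 96256 bytes [23:36 13/07/2009] [01:14 14/07/2009] B5C5DCAD3899512020D135600129D665

Searching for "iexplore.exe"
C:\Program Files (x86)\Internet Explorer\iexplore.exe --a---- 672768 bytes [00:00 01/01/2010] [00:00 01/01/2010] 11111111111111111111111111111111
C:\Windows\winsxs\x86_PLACEHOLDER-component\iexplore.exe --a---- 672768 bytes [00:00 01/01/2010] [00:00 01/01/2010] 22222222222222222222222222222222
"""

# One filefind result line: path, seven attribute flags, size in bytes, two
# bracketed timestamps, then either a 32-hex MD5 or the "unable" marker.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-A-Za-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] "
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')


def parse_filefind(text):
    """Return {searched file name: [entry, ...]} from SystemLook filefind output."""
    results = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            md5 = m.group("md5").upper()
            results[current].append({
                "path": m.group("path"),
                "size": int(m.group("size")),
                # None when SystemLook could not hash the file (locked or tampered)
                "md5": None if md5.startswith("(") else md5,
                "in_winsxs": "\\winsxs\\" in m.group("path").lower(),
            })
    return dict(results)


def assess(entries):
    """Compare each live (non-WinSxS) copy against WinSxS copies of the same size.

    The x86 and amd64 builds of a file differ in size, so size is used to pair a
    live copy with the matching component-store reference.
    """
    refs = defaultdict(list)
    for e in entries:
        if e["in_winsxs"] and e["md5"]:
            refs[e["size"]].append(e)
    findings = []
    for e in entries:
        if e["in_winsxs"]:
            continue
        candidates = refs.get(e["size"], [])
        if not candidates:
            status = "no-reference"       # nothing of that size in WinSxS
        elif e["md5"] is None:
            status = "unreadable-md5"     # could not be hashed: inspect/replace
        elif any(e["md5"] == r["md5"] for r in candidates):
            status = "ok"                 # identical to a component-store copy
        else:
            status = "md5-mismatch"       # differs from every same-size reference
        findings.append({
            "path": e["path"],
            "status": status,
            "replacement": candidates[0]["path"] if candidates else None,
        })
    return findings


def analyze(text):
    """Map each searched file name to its list of findings."""
    return {name: assess(entries) for name, entries in parse_filefind(text).items()}


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_LOG).items():
        print(name)
        for f in findings:
            print(f"  [{f['status']}] {f['path']}")
            if f["status"] not in ("ok", "no-reference"):
                print(f"      replacement candidate: {f['replacement']}")
```

Copies reported as "unreadable-md5" or "md5-mismatch" are the ones to hand to the helper; the script only reads the log and never touches the files it names.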

#11 JoeyKhor94

JoeyKhor94
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:02:36 AM

Posted 27 September 2010 - 07:12 AM

Here is the OTL log

========== OTL ==========
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
ADS C:\ProgramData\Temp:DFC5A2B2 deleted successfully.
ADS C:\ProgramData\Temp:07BF512B deleted successfully.
ADS C:\ProgramData\Temp:A8ADE5D8 deleted successfully.
ADS C:\ProgramData\Temp:93DE1838 deleted successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\""|""%1" %*" /E : value set successfully!

OTL by OldTimer - Version 3.2.14.1 log created on 09272010_132751

MBAM log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4702

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

27-9-2010 13:59:34
mbam-log-2010-09-27 (13-59-34).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 261246
Time elapsed: 30 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SystemLook log

SystemLook 27.08.10 by jpshortstuff
Log created at 14:00 on 27/09/2010 by Joey
Administrator - Elevation successful

========== filefind ==========

Searching for "wininit.exe"
C:\Windows\System32\wininit.exe --a---- 129024 bytes [23:52 13/07/2009] [01:39 14/07/2009] 94355C28C1970635A31B3FE52EB7CEBA
C:\Windows\SysWOW64\wininit.exe --a---- 96256 bytes [23:36 13/07/2009] [01:14 14/07/2009] (Unable to calculate MD5)
C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_8ce7aa761e01ad49\wininit.exe --a---- 129024 bytes [23:52 13/07/2009] [01:39 14/07/2009] 94355C28C1970635A31B3FE52EB7CEBA
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe ------- 96256 bytes [23:36 13/07/2009] [01:14 14/07/2009] B5C5DCAD3899512020D135600129D665

Searching for "iexplore.exe"
C:\32788R22FWJFW\iexplore.exe --a---- 31232 bytes [18:04 21/09/2010] [10:56 20/04/2009] AE72E8619CB31D84DA25E2435E55003C
C:\32788R22FWJFW\License\iexplore.exe --a---- 256512 bytes [18:04 21/09/2010] [13:58 26/04/2010] F1FBA6185A6A2BC6456970914875078E
C:\Program Files\Internet Explorer\iexplore.exe --a---- 696600 bytes [23:58 13/07/2009] [01:43 14/07/2009] F2B0D41E1D08D0B2006DF5AA2E74C81E
C:\Program Files (x86)\Internet Explorer\iexplore.exe --a---- 673048 bytes [23:43 13/07/2009] [01:17 14/07/2009] (Unable to calculate MD5)
C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_8.0.7600.16385_none_0f6595383e78c6f8\iexplore.exe --a---- 696600 bytes [23:58 13/07/2009] [01:43 14/07/2009] F2B0D41E1D08D0B2006DF5AA2E74C81E
C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_8.0.7600.16385_none_19ba3f8a72d988f3\iexplore.exe ------- 673048 bytes [23:43 13/07/2009] [01:17 14/07/2009] 2C32E3E596CFE660353753EABEFB0540

-= EOF =-


and there is my NOD32 antivirus, which detected a new unknown virus...



#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:36 AM

Posted 27 September 2010 - 08:31 AM

Please copy the contents of the code box below, open Notepad and paste it there. On the top toolbar in Notepad select File, then Save As. In the box that opens, type remservice.bat for the file name. Right below that, click the down arrow in the Save as type line and select All Files. Save this to your desktop and close Notepad.

CODE
@echo off
rem Stage a known-good copy of each file from the WinSxS component store in the root of C:
copy C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_8ce7aa761e01ad49\wininit.exe C:\wininit.exe
copy C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_8.0.7600.16385_none_19ba3f8a72d988f3\iexplore.exe C:\iexplore.exe
rem Remove this batch file once it has run
del %0


Locate the remservice icon on your desktop and double click it. A box will pop up briefly on your screen and disappear, this is normal.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

Click OK at the warning (and take note of it, this is a VERY powerful tool!).

Click the script tab and copy/paste the following text there:
CODE
DeleteFile:
C:\Windows\System32\wininit.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe

MoveFile:
C:\wininit.exe C:\windows\System32\wininit.exe
C:\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe c:\windows\sysWOW64\wininit.exe

Click Execute Now. Your computer will need to reboot in order to replace the files.

When done, post me the report created by Blitzblank.
m0le is a proud member of UNITE
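What the SystemLook log above makes possible is the check the helper does by eye: each live copy of wininit.exe and iexplore.exe is compared with the copy of the same bitness held in the WinSxS component store, and a live file that hashes differently, or that SystemLook could not read at all (the two "(Unable to calculate MD5)" entries, which are exactly the two files the scripts above replace), is the one to swap for the store copy. The Python below is an added example written for this thread, not SystemLook's, BlitzBlank's or the helper's code: it parses the filefind output into a per-file status and produces the (store copy, live file) pairs that a replacement script needs. The sample log is copied from the post above; the location rules in arch_of(), the status names and the size-based choice of reference copy are this example's own assumptions, and it only decides what to replace, since the swap of in-use files still has to happen at boot with a tool like BlitzBlank.

```python
"""Check live Windows binaries against their WinSxS component-store copies using
SystemLook ':filefind' output. Added example for this thread, not SystemLook's
or BlitzBlank's code; location rules and status names are this example's own."""
import re
from dataclasses import dataclass

# Constructed sample: the filefind section of the SystemLook log posted above.
SAMPLE_LOG = r"""Searching for "wininit.exe"
C:\Windows\System32\wininit.exe --a---- 129024 bytes [23:52 13/07/2009] [01:39 14/07/2009] 94355C28C1970635A31B3FE52EB7CEBA
C:\Windows\SysWOW64\wininit.exe --a---- 96256 bytes [23:36 13/07/2009] [01:14 14/07/2009] (Unable to calculate MD5)
C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_8ce7aa761e01ad49\wininit.exe --a---- 129024 bytes [23:52 13/07/2009] [01:39 14/07/2009] 94355C28C1970635A31B3FE52EB7CEBA
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe ------- 96256 bytes [23:36 13/07/2009] [01:14 14/07/2009] B5C5DCAD3899512020D135600129D665

Searching for "iexplore.exe"
C:\32788R22FWJFW\iexplore.exe --a---- 31232 bytes [18:04 21/09/2010] [10:56 20/04/2009] AE72E8619CB31D84DA25E2435E55003C
C:\32788R22FWJFW\License\iexplore.exe --a---- 256512 bytes [18:04 21/09/2010] [13:58 26/04/2010] F1FBA6185A6A2BC6456970914875078E
C:\Program Files\Internet Explorer\iexplore.exe --a---- 696600 bytes [23:58 13/07/2009] [01:43 14/07/2009] F2B0D41E1D08D0B2006DF5AA2E74C81E
C:\Program Files (x86)\Internet Explorer\iexplore.exe --a---- 673048 bytes [23:43 13/07/2009] [01:17 14/07/2009] (Unable to calculate MD5)
C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_8.0.7600.16385_none_0f6595383e78c6f8\iexplore.exe --a---- 696600 bytes [23:58 13/07/2009] [01:43 14/07/2009] F2B0D41E1D08D0B2006DF5AA2E74C81E
C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_8.0.7600.16385_none_19ba3f8a72d988f3\iexplore.exe ------- 673048 bytes [23:43 13/07/2009] [01:17 14/07/2009] 2C32E3E596CFE660353753EABEFB0540
"""

# One result line: <path> <attrs> <size> bytes [created] [modified] <MD5 or "(Unable to calculate MD5)">
ENTRY_RE = re.compile(r'^(?P<path>[A-Za-z]:\\.+?) [-a-z]{7} (?P<size>\d+) bytes '
                      r'\[[^\]]+\] \[[^\]]+\] (?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$')
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')
WINSXS = "\\windows\\winsxs\\"


@dataclass
class Entry:
    path: str
    size: int
    md5: str = None        # None when SystemLook could not read the file (locked/in use)


@dataclass
class Finding:
    path: str
    status: str            # ok | unreadable | mismatch | no-reference | unexpected-location
    reference: str = None  # WinSxS copy to restore from, when one exists


def parse_filefind(text):
    """Group result lines under the (lower-cased) name they were searched for."""
    results, current = {}, None
    for line in text.splitlines():
        m = SEARCH_RE.match(line.strip())
        if m:
            current = m.group("name").lower()
            results.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line.strip())
        if m and current is not None:
            md5 = m.group("md5")
            results[current].append(Entry(m.group("path"), int(m.group("size")),
                                          None if md5.startswith("(") else md5.upper()))
    return results


def arch_of(path):
    """live64/live32 for the expected install locations on 64-bit Windows 7 (assumed layout),
    ref64/ref32 for WinSxS component-store copies, None for anything else."""
    low = path.lower()
    if WINSXS in low:
        folder = low.split(WINSXS, 1)[1].split("\\", 1)[0]
        return ("ref64" if folder.startswith("amd64_")
                else "ref32" if folder.startswith(("x86_", "wow64_")) else None)
    if low.startswith(("c:\\windows\\system32\\", "c:\\program files\\")):
        return "live64"
    if low.startswith(("c:\\windows\\syswow64\\", "c:\\program files (x86)\\")):
        return "live32"
    return None


def check(results):
    """Compare each live copy with the WinSxS copies of the same bitness."""
    findings = []
    for entries in results.values():
        refs = {k: [e for e in entries if arch_of(e.path) == k and e.md5]
                for k in ("ref64", "ref32")}
        for e in entries:
            kind = arch_of(e.path)
            if kind in refs:                    # store copies are the reference, not findings
                continue
            cands = refs.get({"live64": "ref64", "live32": "ref32"}.get(kind), [])
            # prefer the store copy whose size matches the live file (several versions may exist)
            ref = next((r for r in cands if r.size == e.size), cands[0] if cands else None)
            if kind is None:
                status = "unexpected-location"
            elif ref is None:
                status = "no-reference"
            elif e.md5 is None:
                status = "unreadable"           # could not be hashed: treat as suspect
            elif any(e.md5 == r.md5 for r in cands):
                status = "ok"
            else:
                status = "mismatch"
            findings.append(Finding(e.path, status, ref.path if ref else None))
    return findings


def replacement_plan(findings):
    """(store copy, live file) pairs for every suspect file that has a known-good copy."""
    return [(f.reference, f.path) for f in findings
            if f.status in ("unreadable", "mismatch") and f.reference]
```

Calling replacement_plan(check(parse_filefind(SAMPLE_LOG))) on the log above reports C:\Windows\SysWOW64\wininit.exe and C:\Program Files (x86)\Internet Explorer\iexplore.exe as unreadable, with the x86_ and wow64_ WinSxS copies as their replacements, marks both 64-bit copies as matching the store, and leaves the two copies under C:\32788R22FWJFW as outside any expected location, which the scripts in this thread also do not touch. A live file that hashes but matches no store copy comes back as mismatch and is planned for replacement the same way.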

#13 JoeyKhor94

JoeyKhor94
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:02:36 AM

Posted 27 September 2010 - 09:14 AM

It says "Syntax error in line 3, Invalid File path" when I click Execute Now :( ?

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:36 AM

Posted 27 September 2010 - 12:13 PM

Try this again with the following scripts.


Please copy the contents of the code box below, open Notepad and paste it there. On the top toolbar in Notepad select File, then Save As. In the box that opens, type remservice.bat for the file name. Right below that, click the down arrow in the Save as type line and select All Files. Save this to your desktop and close Notepad.

CODE
@echo off
rem Stage a known-good copy of each file from the WinSxS component store in the root of C:
copy C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_8ce7aa761e01ad49\wininit.exe C:\wininit.exe
copy C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_8.0.7600.16385_none_19ba3f8a72d988f3\iexplore.exe C:\iexplore.exe
rem Remove this batch file once it has run
del %0


Locate the remservice icon on your desktop and double click it. A box will pop up briefly on your screen and disappear, this is normal.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

Click OK at the warning (and take note of it, this is a VERY powerful tool!).

Click the script tab and copy/paste the following text there:
CODE
DeleteFile:
C:\Windows\System32\wininit.exe
C:\Program Files(x86)\Internet Explorer\iexplore.exe

MoveFile:
C:\wininit.exe C:\windows\System32\wininit.exe
C:\iexplore.exe C:\Program Files(x86)\Internet Explorer\iexplore.exe
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe c:\windows\sysWOW64\wininit.exe

Click Execute Now. Your computer will need to reboot in order to replace the files.

When done, post me the report created by Blitzblank.


m0le is a proud member of UNITE

#15 JoeyKhor94

JoeyKhor94
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:02:36 AM

Posted 27 September 2010 - 01:42 PM

I still get the same error... :(



