
Server 2003 Virus Issue


39 replies to this topic

#1 jqkunz

jqkunz

  • Members
  • 20 posts

Posted 17 November 2010 - 12:47 PM

Hi all, and thanks in advance for any help.
I am running a Server 2003 machine on my network that contracted a nasty virus.
My server runs NAV normally, and I also put Malwarebytes and SuperAntiSpyware on to see if I could fix this issue.
They both seem to find items that NAV overlooks, but none of them are able to remove it completely.
I have also downloaded HijackThis and created a log, since the DDS program wouldn't run on Server 2003.
This is a current log after scanning with Malwarebytes and not doing a reboot. I am unable to reboot until later in the day when my plant shuts down.
Some of the symptoms of the virus are being redirected in Firefox and IE, also popup windows and odd error messages. Yesterday I wasn't able to open any programs to try and fix the issue; NAV, Malwarebytes, SAS, Control Panel or any other item I tried to run would automatically be shut down.
Last night I rebooted the server in safe mode and was able to run Malwarebytes and SAS and get things running fairly normally, but I know it is not completely gone.
Posted below is my HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:10 AM, on 11/17/2010
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\iscsiexe.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\serverappliance\appmgr.exe
C:\Program Files\Areca Technology Corp\Http Proxy Server Service\ArcHttpSrv.exe
C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
C:\PROGRA~1\QQESTS~1\TIMEFO~1\CLOCKL~1\ClockLinkService.exe
C:\WINDOWS\system32\serverappliance\elementmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3sqlmgr.exe
C:\Program Files\Pervasive Software\PSQL\bin\ntbtrv.exe
C:\Program Files\Pervasive Software\PSQL\bin\NTDBSMGR.EXE
c:\Inetpub\wwwroot\qqest\Utilities\TimeForceServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\serverappliance\srvcsurg.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\Inetpub\wwwroot\qqest\Utilities\TimeForcePunches.exe
c:\Inetpub\wwwroot\qqest\Utilities\TFProcessingQueue.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\windows\system32\inetsrv\w3wp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:23012
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\ninja.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [NtWqIVLZEWZU] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Lr2.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: ClockLink Scheduler.lnk = C:\Program Files\Qqest Software Systems\TimeForce\ClockLink\SchedLoader.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169735738472
O17 - HKLM\System\CCS\Services\Tcpip\..\{2020FBB2-3540-443C-BAE7-ED3F3628A01B}: NameServer = 198.60.22.22
O17 - HKLM\System\CS1\Services\Tcpip\..\{2020FBB2-3540-443C-BAE7-ED3F3628A01B}: NameServer = 198.60.22.22
O17 - HKLM\System\CS2\Services\Tcpip\..\{2020FBB2-3540-443C-BAE7-ED3F3628A01B}: NameServer = 198.60.22.22
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Areca HTTP Proxy Server (ArcHttpProxyServer) - Unknown owner - C:\Program Files\Areca Technology Corp\Http Proxy Server Service\ArcHttpSrv.exe
O23 - Service: Symantec Embedded Database (ASANYs_sem5) - iAnywhere Solutions, Inc. - C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ClockLink Scheduler (ClockLink) - Qqest Software Systems - C:\PROGRA~1\QQESTS~1\TIMEFO~1\CLOCKL~1\ClockLinkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pervasive PSQL Relational Engine (Pervasive.SQL (relational)) - Pervasive Software Inc. - C:\Program Files\Pervasive Software\PSQL\bin\w3sqlmgr.exe
O23 - Service: Pervasive PSQL Transactional Engine (Pervasive.SQL (transactional)) - Pervasive Software Inc. - C:\Program Files\Pervasive Software\PSQL\bin\ntbtrv.exe
O23 - Service: Symantec Endpoint Protection Manager (semsrv) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
O23 - Service: TimeForce Advanced Server (ServiceTimeForce) - Qqest Software Systems - c:\Inetpub\wwwroot\qqest\Utilities\TimeForceServices.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: TimeForce Punches (TFPunches) - Qqest Software Systems - c:\Inetpub\wwwroot\qqest\Utilities\TimeForcePunches.exe
O23 - Service: TimeForce Punch Processing Queue (TFPunchProcessQueue) - Qqest Software Systems - c:\Inetpub\wwwroot\qqest\Utilities\TFProcessingQueue.exe

--
End of file - 8668 bytes


Thank you,
jqkunz

Just an update: I have run SAS and Malwarebytes and they come up clean. I am still having the browser redirect issue. I am assuming that my winlogon.exe and explorer.exe are still infected.
I am not sure how I would go about replacing these files, since the OS is Server 2003 and the drives are RAID drives, so I couldn't just plug one into another PC to transfer the files.
Any ideas would be appreciated.
Thanks,
jqkunz

EDIT: Posts merged ~BP

Edited by Budapest, 18 November 2010 - 04:24 PM.
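A small triage script for the HijackThis log format used above, added here as an example; it is not part of the thread and not HijackThis code. It parses the R0/R1, O4 and O17 line layouts exactly as the posted log shows them and flags the two entries a helper would look at first for a redirect complaint (a browser proxy pointed at the local machine, and an autorun launched from a Temp directory), while listing the registry DNS server for manual confirmation. The sample lines are copied from the log above; the function names are my own.

```python
"""Triage helper for the HijackThis log format shown above (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:23012",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKCU\..\Run: [NtWqIVLZEWZU] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Lr2.exe",
    r"O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{2020FBB2-3540-443C-BAE7-ED3F3628A01B}: NameServer = 198.60.22.22",
]

# Every HijackThis entry starts with a section code: R0/R1 (browser settings),
# O4 (autoruns), O17 (DNS), O23 (services) and so on. Lines without one
# (the header, the running-process list) are skipped.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)")
RUN_RE = re.compile(r"Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<command>.+)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(?P<value>\S+)")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)  # covers both Temp\ and the 8.3 LOCALS~1\Temp\ form
LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}


@dataclass
class Finding:
    severity: str   # "suspicious": act on it; "verify": confirm against what you expect
    section: str    # HijackThis section code, e.g. "O4"
    reason: str
    line: str


def proxy_hosts(value: str) -> List[str]:
    """Split an IE ProxyServer value ("http=127.0.0.1:23012;https=...") into host names."""
    hosts = []
    for part in value.split(";"):
        host_port = part.split("=", 1)[-1]            # drop the "http=" scheme prefix if present
        hosts.append(host_port.split(":", 1)[0].lower())  # drop the port
    return hosts


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Return the entries worth a second look, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")

        if section in ("R0", "R1"):
            pm = PROXY_RE.search(body)
            if pm and any(h in LOOPBACK_HOSTS for h in proxy_hosts(pm.group("value"))):
                findings.append(Finding(
                    "suspicious", section,
                    "browser proxy points at the local machine: a local listener on that port "
                    "sees and can rewrite every page request, which is how redirects get in",
                    line))

        elif section == "O4":
            rm = RUN_RE.search(body)
            if rm and TEMP_RE.search(rm.group("command")):
                findings.append(Finding(
                    "suspicious", section,
                    f"autorun '{rm.group('name')}' launches from a Temp directory; "
                    "installed software does not normally start from there",
                    line))

        elif section == "O17":
            nm = NAMESERVER_RE.search(body)
            if nm:
                findings.append(Finding(
                    "verify", section,
                    f"DNS server {nm.group('value')} is configured in the registry; "
                    "confirm it is the resolver this network is supposed to use",
                    line))
    return findings


def suspicious_sections(findings: List[Finding]) -> List[str]:
    """Section codes of the findings that need action, in log order."""
    return [f.section for f in findings if f.severity == "suspicious"]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

Feed it the whole log with `analyze(open("hijackthis.log").read().splitlines())`; legitimate O4 entries such as ccApp and SUPERAntiSpyware produce nothing.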



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 27 November 2010 - 09:34 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 jqkunz

jqkunz
  • Topic Starter

  • Members
  • 20 posts

Posted 29 November 2010 - 10:25 AM

Hi, thanks for taking up this post.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 29 November 2010 - 05:08 PM

I am still having the browser redirect issue. I am assuming that my winlogon.exe and explorer.exe are still infected.


Server 2003 is not an area I have had much experience with but I have cleaned a network previously. I apologise in advance if I ask you to run tools which are not compatible.

Please run TDSSKiller for me. Your symptoms seem to be a rootkit. Your suspicion that it is Bamital - which infects the two files you name - is fair based on the symptoms but how did you come to the conclusion that the files are infected?


  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

m0le is a proud member of UNITE

#5 jqkunz

jqkunz
  • Topic Starter

  • Members
  • 20 posts

Posted 29 November 2010 - 05:47 PM

Reason I thought it was this virus is just from the symptoms. I did the scan with the TDSSKiller and it came up empty. Also the log was saved to the desktop, not sure if that matters or not. Posted below is the log file.


2010/11/29 15:42:16.0656 TDSS rootkit removing tool 2.4.10.0 Nov 28 2010 18:35:56
2010/11/29 15:42:16.0656 ================================================================================
2010/11/29 15:42:16.0656 SystemInfo:
2010/11/29 15:42:16.0656
2010/11/29 15:42:16.0656 OS Version: 5.2.3790 ServicePack: 2.0
2010/11/29 15:42:16.0656 Product type: Server
2010/11/29 15:42:16.0656 ComputerName: DEATHSTAR
2010/11/29 15:42:16.0656 UserName: Administrator
2010/11/29 15:42:16.0656 Windows directory: C:\WINDOWS
2010/11/29 15:42:16.0656 System windows directory: C:\WINDOWS
2010/11/29 15:42:16.0656 Processor architecture: Intel x86
2010/11/29 15:42:16.0656 Number of processors: 2
2010/11/29 15:42:16.0656 Page size: 0x1000
2010/11/29 15:42:16.0656 Boot type: Normal boot
2010/11/29 15:42:16.0656 ================================================================================
2010/11/29 15:42:20.0015 Initialize success
2010/11/29 15:42:22.0968 ================================================================================
2010/11/29 15:42:22.0968 Scan started
2010/11/29 15:42:22.0968 Mode: Manual;
2010/11/29 15:42:22.0968 ================================================================================
2010/11/29 15:42:28.0750 ================================================================================
2010/11/29 15:42:28.0750 Scan finished
2010/11/29 15:42:28.0750 ================================================================================
2010/11/29 15:44:41.0390 Deinitialize success

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 29 November 2010 - 06:01 PM

Can you next run MBRCheck?

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#7 jqkunz

jqkunz
  • Topic Starter

  • Members
  • 20 posts

Posted 29 November 2010 - 06:04 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Server 2003, Standard Edition
Windows Information: Service Pack 2 (build 3790)
Logical Drives Mask: 0x020000fd

Kernel Drivers (total 112):

Processes (total 54):
0 System Idle Process
4 System
284 C:\WINDOWS\system32\smss.exe
336 csrss.exe
360 C:\WINDOWS\system32\winlogon.exe
408 C:\WINDOWS\system32\services.exe
420 C:\WINDOWS\system32\lsass.exe
592 C:\WINDOWS\system32\svchost.exe
660 svchost.exe
724 svchost.exe
748 svchost.exe
776 C:\WINDOWS\system32\svchost.exe
832 C:\WINDOWS\system32\iscsiexe.exe
956 C:\WINDOWS\system32\rundll32.exe
1012 C:\WINDOWS\system32\spoolsv.exe
1036 msdtc.exe
1200 C:\WINDOWS\system32\ServerAppliance\appmgr.exe
1216 C:\Program Files\Areca Technology Corp\Http Proxy Server Service\ArcHttpSrv.exe
1232 C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
1264 C:\PROGRA~1\QQESTS~1\TIMEFO~1\CLOCKL~1\ClockLinkService.exe
1332 C:\WINDOWS\system32\ServerAppliance\elementmgr.exe
1376 C:\WINDOWS\system32\svchost.exe
1444 C:\WINDOWS\system32\inetsrv\inetinfo.exe
1464 C:\Program Files\Java\jre6\bin\jqs.exe
1504 MsDtsSrvr.exe
1692 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
1708 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
1860 C:\Program Files\Pervasive Software\PSQL\bin\w3sqlmgr.exe
1876 C:\Program Files\Pervasive Software\PSQL\bin\ntbtrv.exe
1900 svchost.exe
1920 C:\Inetpub\wwwroot\qqest\Utilities\TimeForceServices.exe
1948 C:\Program Files\Pervasive Software\PSQL\bin\ntdbsmgr.exe
2264 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
2284 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
2300 C:\WINDOWS\system32\ServerAppliance\srvcsurg.exe
2344 C:\Inetpub\wwwroot\qqest\Utilities\TimeForcePunches.exe
2416 C:\Inetpub\wwwroot\qqest\Utilities\TFProcessingQueue.exe
2560 C:\WINDOWS\system32\svchost.exe
2676 C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
2816 C:\WINDOWS\system32\svchost.exe
2972 alg.exe
3008 wmiprvse.exe
3316 C:\WINDOWS\explorer.exe
3400 C:\Program Files\Qqest Software Systems\TimeForce\ClockLink\SchedTray.exe
3476 C:\Program Files\Java\jre6\bin\jusched.exe
3504 C:\WINDOWS\system32\ctfmon.exe
3516 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
3520 C:\WINDOWS\system32\svchost.exe
3636 C:\WINDOWS\system32\inetsrv\w3wp.exe
3652 C:\Program Files\Areca Technology Corp\Http Proxy Server Service\ArcHttpSrvGUI.exe
3496 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Lr1.exe
3848 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
1084 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3716 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000018`ffeb7a00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\G: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (NTFS)
\\.\H: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\Z: --> \\.\PhysicalDrive4 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ArecaARC-1220-VOL#00, Rev: R001
PhysicalDrive1 Model Number: ArecaARC-1220-VOL#01, Rev: R001
PhysicalDrive3 Model Number: WD3200BEV External, Rev: 1.05
PhysicalDrive2 Model Number: WD3200BEV External, Rev: 1.05
PhysicalDrive4 Model Number: IETVIRTUAL-DISK, Rev:

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
298 GB \\.\PhysicalDrive1 RE: Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
298 GB \\.\PhysicalDrive3 RE: Unknown MBR code
SHA1: 2BE9ACE700A45722604874D4A10E3B6A212931F3
298 GB \\.\PhysicalDrive2 RE: Unknown MBR code
SHA1: 2BE9ACE700A45722604874D4A10E3B6A212931F3
888 GB \\.\PhysicalDrive4 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:10:16 AM

Posted 29 November 2010 - 06:09 PM

The MBRCheck shows non-standard or infected. In this case it's non-standard.

Please run OTL, it's a good scanner which works on 2003 I believe.

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

m0le is a proud member of UNITE

#9 jqkunz

jqkunz
  • Topic Starter

  • Members
  • 20 posts
  • Local time:03:16 AM

Posted 29 November 2010 - 06:22 PM

OTL logfile created on: 11/29/2010 4:17:55 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 55.00% Memory free
6.00 Gb Paging File | 4.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 100.00 Gb Total Space | 65.23 Gb Free Space | 65.23% Space Free | Partition Type: NTFS
Drive E: | 198.01 Gb Total Space | 183.62 Gb Free Space | 92.73% Space Free | Partition Type: NTFS
Drive F: | 298.02 Gb Total Space | 229.51 Gb Free Space | 77.01% Space Free | Partition Type: NTFS
Drive G: | 298.09 Gb Total Space | 283.08 Gb Free Space | 94.96% Space Free | Partition Type: NTFS
Drive H: | 298.09 Gb Total Space | 283.04 Gb Free Space | 94.95% Space Free | Partition Type: NTFS
Drive Z: | 888.90 Gb Total Space | 846.67 Gb Free Space | 95.25% Space Free | Partition Type: NTFS

Computer Name: DEATHSTAR | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\Administrator\Local Settings\Temp\Lr1.exe ()
PRC - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (Google Inc.)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\Pervasive Software\PSQL\bin\w3sqlmgr.exe (Pervasive Software Inc.)
PRC - C:\Program Files\Pervasive Software\PSQL\bin\ntbtrv.exe (Pervasive Software Inc.)
PRC - C:\Program Files\Pervasive Software\PSQL\bin\ntdbsmgr.exe (Pervasive Software Inc.)
PRC - C:\Program Files\Qqest Software Systems\TimeForce\ClockLink\ClockLinkService.exe (Qqest Software Systems)
PRC - C:\Program Files\Qqest Software Systems\TimeForce\ClockLink\SchedTray.exe (Qqest Software Systems)
PRC - c:\Inetpub\wwwroot\qqest\Utilities\TFProcessingQueue.exe (Qqest Software Systems)
PRC - c:\Inetpub\wwwroot\qqest\Utilities\TimeForcePunches.exe (Qqest Software Systems)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe (Symantec Corporation)
PRC - c:\Inetpub\wwwroot\qqest\Utilities\TimeForceServices.exe (Qqest Software Systems)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe (iAnywhere Solutions, Inc.)
PRC - C:\WINDOWS\system32\inetsrv\w3wp.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\iscsiexe.exe (Microsoft Corporation)
PRC - C:\Program Files\Areca Technology Corp\Http Proxy Server Service\ArcHttpSrvGUI.exe ()
PRC - C:\Program Files\Areca Technology Corp\Http Proxy Server Service\ArcHttpSrv.exe ()
PRC - C:\WINDOWS\system32\ServerAppliance\elementmgr.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\ServerAppliance\appmgr.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\ServerAppliance\srvcsurg.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770_x-ww_05FDF087\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (WinHttpAutoProxySvc) -- File not found
SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (Pervasive.SQL (relational)) -- C:\Program Files\Pervasive Software\PSQL\bin\w3sqlmgr.exe (Pervasive Software Inc.)
SRV - (Pervasive.SQL (transactional)) -- C:\Program Files\Pervasive Software\PSQL\bin\ntbtrv.exe (Pervasive Software Inc.)
SRV - (ClockLink) -- C:\Program Files\Qqest Software Systems\TimeForce\ClockLink\ClockLinkService.exe (Qqest Software Systems)
SRV - (TFPunchProcessQueue) -- c:\Inetpub\wwwroot\qqest\Utilities\TFProcessingQueue.exe (Qqest Software Systems)
SRV - (TFPunches) -- c:\Inetpub\wwwroot\qqest\Utilities\TimeForcePunches.exe (Qqest Software Systems)
SRV - (semsrv) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe (Symantec Corporation)
SRV - (ServiceTimeForce) -- c:\Inetpub\wwwroot\qqest\Utilities\TimeForceServices.exe (Qqest Software Systems)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)
SRV - (ASANYs_sem5) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe (iAnywhere Solutions, Inc.)
SRV - (Tssdis) -- C:\WINDOWS\system32\tssdis.exe (Microsoft Corporation)
SRV - (RSoPProv) -- C:\WINDOWS\system32\rsopprov.exe (Microsoft Corporation)
SRV - (Pop3Svc) -- C:\WINDOWS\system32\pop3server\pop3svc.exe (Microsoft Corporation)
SRV - (NtFrs) -- C:\WINDOWS\system32\ntfrs.exe (Microsoft Corporation)
SRV - (LicenseService) -- C:\WINDOWS\system32\llssrv.exe (Microsoft Corporation)
SRV - (IsmServ) -- C:\WINDOWS\system32\ismserv.exe (Microsoft Corporation)
SRV - (SMTPSVC) Simple Mail Transfer Protocol (SMTP) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (MSFtpsvc) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (IISADMIN) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (Dfs) -- C:\WINDOWS\system32\dfssvc.exe (Microsoft Corporation)
SRV - (W3SVC) -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (MSiSCSI) -- C:\WINDOWS\system32\iscsiexe.exe (Microsoft Corporation)
SRV - (ArcHttpProxyServer) -- C:\Program Files\Areca Technology Corp\Http Proxy Server Service\ArcHttpSrv.exe ()
SRV - (msvsmon80) -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe (Microsoft Corporation)
SRV - (elementmgr) -- C:\WINDOWS\system32\ServerAppliance\elementmgr.exe (Microsoft Corporation)
SRV - (appmgr) -- C:\WINDOWS\system32\ServerAppliance\appmgr.exe (Microsoft Corporation)
SRV - (TrkSvr) -- C:\WINDOWS\system32\trksvr.dll (Microsoft Corporation)
SRV - (sacsvr) -- C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
SRV - (srvcsurg) -- C:\WINDOWS\system32\ServerAppliance\srvcsurg.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (IpInIp) -- C:\WINDOWS\System32\DRIVERS\ipinip.sys File not found
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (WLBS) -- C:\WINDOWS\system32\drivers\wlbs.sys (Microsoft Corporation)
DRV - (ClusDisk) -- C:\WINDOWS\system32\drivers\clusdisk.sys (Microsoft Corporation)
DRV - (DfsDriver) -- C:\WINDOWS\system32\drivers\Dfs.sys (Microsoft Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (arcm_x86) -- C:\WINDOWS\system32\drivers\arcm_x86.sys (ARECA Technology Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (HdAudAddService) -- C:\WINDOWS\system32\drivers\hdaudio.sys (Windows ® Server 2003 DDK provider)
DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:23012

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/05/11 11:57:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2010/08/23 14:36:20 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2003/03/25 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\hdashcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [fswsvcjj] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xhskotxyx\emeegsktsbl.exe File not found
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [HJRUDZ5DT2] C:\Documents and Settings\Administrator\Local Settings\Temp\Lr1.exe ()
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [vvaenahu] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\thjjodxia\eegqwyptsbl.exe File not found
O4 - HKLM..\RunOnce: [ClockLink Scheduler] C:\Program Files\Qqest Software Systems\TimeForce\ClockLink\SchedLoader.exe (Qqest Software Systems)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Areca HTTP Proxy Server GUI.lnk = C:\Program Files\Areca Technology Corp\Http Proxy Server Service\ArcHttpSrvGUI.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ClockLink Scheduler.lnk = C:\Program Files\Qqest Software Systems\TimeForce\ClockLink\SchedLoader.exe (Qqest Software Systems)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169735738472 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab (Java Plug-in 1.5.0)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (%SystemRoot%\system32\logonui.exe) - C:\WINDOWS\system32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - dimsntfy.dll - C:\WINDOWS\System32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/01/25 07:07:51 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/29 16:16:47 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/11/18 11:32:44 | 001,344,088 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2010/11/18 11:25:18 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW
[2010/11/18 08:46:43 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/11/17 16:06:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Downloads
[2010/11/17 09:35:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2010/11/17 09:24:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Temp
[2010/11/17 09:24:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
[2010/11/16 16:19:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/11/16 16:19:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
[2010/11/16 16:19:19 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/11/16 14:58:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/11/16 14:17:08 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/11/16 13:54:29 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/11/16 13:28:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/11/16 13:28:13 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/11/16 13:28:12 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/11/16 13:28:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/11/16 13:28:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/11/16 13:13:16 | 000,536,064 | ---- | C] (Igor Pavlov) -- C:\WINDOWS\System32\RegShellSM.exe
[2010/11/16 13:13:12 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Documents\Server
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/29 16:17:58 | 000,000,304 | -H-- | M] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2010/11/29 16:16:33 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/11/29 16:05:46 | 000,000,612 | ---- | M] () -- C:\WINDOWS\TimeForce.ini
[2010/11/29 16:05:12 | 000,000,401 | ---- | M] () -- C:\clockslist.sql
[2010/11/29 16:02:44 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe
[2010/11/29 15:47:29 | 000,597,150 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/29 15:47:29 | 000,122,040 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/11/29 15:41:04 | 000,000,183 | ---- | M] () -- C:\WINDOWS\ClockLinkService.ini
[2010/11/29 15:40:57 | 000,000,328 | -HS- | M] () -- C:\WINDOWS\tasks\Wlcvqyx.job
[2010/11/29 15:40:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/29 15:36:34 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/29 15:29:00 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3058970405-634875250-3406734737-500UA.job
[2010/11/29 09:29:00 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3058970405-634875250-3406734737-500Core.job
[2010/11/28 18:38:00 | 001,344,088 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2010/11/17 10:34:05 | 000,630,272 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/11/17 09:29:12 | 000,002,384 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Google Chrome.lnk
[2010/11/17 09:29:12 | 000,002,362 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/11/16 16:42:15 | 095,250,016 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\regbackup.reg
[2010/11/16 16:19:20 | 000,001,718 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/11/16 14:00:40 | 003,910,362 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/11/16 13:54:44 | 000,001,774 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2010/11/16 13:28:15 | 000,000,736 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/16 13:14:28 | 000,105,984 | RHS- | M] () -- C:\WINDOWS\System32\adptifr.dll
[2010/11/16 13:13:22 | 000,536,064 | ---- | M] (Igor Pavlov) -- C:\WINDOWS\System32\RegShellSM.exe
[2010/11/10 12:25:22 | 000,000,822 | ---- | M] () -- C:\WINDOWS\System32\ErrorStatus.xml
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/29 16:02:59 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe
[2010/11/29 15:41:46 | 000,000,304 | -H-- | C] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2010/11/29 15:37:40 | 000,002,068 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Areca HTTP Proxy Server GUI.lnk
[2010/11/29 15:37:40 | 000,001,788 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
[2010/11/29 15:37:40 | 000,001,746 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
[2010/11/18 11:25:02 | 003,910,362 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/11/17 10:34:10 | 000,630,272 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/11/17 09:29:12 | 000,002,384 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Google Chrome.lnk
[2010/11/17 09:29:12 | 000,002,362 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/11/17 09:24:55 | 000,001,010 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3058970405-634875250-3406734737-500UA.job
[2010/11/17 09:24:55 | 000,000,958 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3058970405-634875250-3406734737-500Core.job
[2010/11/16 16:42:07 | 095,250,016 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\regbackup.reg
[2010/11/16 16:19:20 | 000,001,718 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/11/16 13:54:30 | 000,001,774 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2010/11/16 13:28:15 | 000,000,736 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/16 13:14:28 | 000,000,328 | -HS- | C] () -- C:\WINDOWS\tasks\Wlcvqyx.job
[2010/11/16 13:14:27 | 000,105,984 | RHS- | C] () -- C:\WINDOWS\System32\adptifr.dll
[2009/11/17 12:16:38 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\BTRDRVR.SYS
[2008/04/09 08:24:32 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\d3d9caps.dat
[2007/11/08 10:17:46 | 000,000,011 | ---- | C] () -- C:\WINDOWS\System32\PROTOCOL.INI
[2007/01/31 08:03:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2007/01/25 14:09:03 | 000,000,183 | ---- | C] () -- C:\WINDOWS\ClockLinkService.ini
[2007/01/25 12:50:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2007/01/25 12:04:53 | 000,000,612 | ---- | C] () -- C:\WINDOWS\TimeForce.ini
[2007/01/25 12:04:53 | 000,000,275 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/01/25 08:56:17 | 000,000,184 | ---- | C] () -- C:\WINDOWS\bti.ini
[2007/01/25 08:53:16 | 000,000,190 | ---- | C] () -- C:\Program Files\Common Files\psasetup.log
[2007/01/25 08:53:06 | 000,043,760 | ---- | C] () -- C:\WINDOWS\System32\nwlocale.dll
[2007/01/25 07:29:51 | 000,021,792 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2007/01/25 07:29:51 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2007/01/25 07:29:48 | 000,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini
[2007/01/25 07:29:46 | 000,050,666 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2007/01/25 07:29:45 | 000,010,793 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2007/01/25 07:29:42 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2007/01/25 07:19:25 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2007/01/25 07:19:22 | 000,000,481 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2007/01/25 07:19:18 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/01/25 00:02:56 | 000,004,633 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/06/29 07:25:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/06/29 07:25:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/06/29 07:25:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/06/29 07:25:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/06/29 07:25:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/06/29 07:25:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/06/29 07:25:00 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/03/24 20:44:26 | 000,179,577 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
[2003/03/25 05:00:00 | 000,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
[2003/03/25 05:00:00 | 000,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
[2003/03/25 05:00:00 | 000,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
[2003/03/25 05:00:00 | 000,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
[2003/03/25 05:00:00 | 000,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini

========== LOP Check ==========

[2007/11/29 07:35:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Aatrix Software
[2010/01/21 15:57:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Aatrix Software
[2009/05/11 11:53:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pervasive Software
[2010/11/29 15:38:31 | 000,032,510 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt
[2010/11/29 15:40:57 | 000,000,328 | -HS- | M] () -- C:\WINDOWS\Tasks\Wlcvqyx.job
[2010/11/29 16:17:58 | 000,000,304 | -H-- | M] () -- C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job

========== Purity Check ==========



< End of report >


OTL Extras logfile created on: 11/29/2010 4:17:55 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 55.00% Memory free
6.00 Gb Paging File | 4.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 100.00 Gb Total Space | 65.23 Gb Free Space | 65.23% Space Free | Partition Type: NTFS
Drive E: | 198.01 Gb Total Space | 183.62 Gb Free Space | 92.73% Space Free | Partition Type: NTFS
Drive F: | 298.02 Gb Total Space | 229.51 Gb Free Space | 77.01% Space Free | Partition Type: NTFS
Drive G: | 298.09 Gb Total Space | 283.08 Gb Free Space | 94.96% Space Free | Partition Type: NTFS
Drive H: | 298.09 Gb Total Space | 283.04 Gb Free Space | 94.95% Space Free | Partition Type: NTFS
Drive Z: | 888.90 Gb Total Space | 846.67 Gb Free Space | 95.25% Space Free | Partition Type: NTFS

Computer Name: DEATHSTAR | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05A9FF7A-9F6C-46CF-9EAD-8752184DE99F}" = Microsoft SQL Server VSS Writer
"{0A3238D7-AC32-1030-B717-F3E3F18B4A8C}" = Pervasive PSQL v10 SP3 Server Engine (32-bit)
"{0B0DBAF6-00EB-4F88-9D91-17ADEF14D3A5}" = CYMA IV Accounting for Windows
"{0B43A744-B1B8-4089-9BD1-9D41C7EC0AA3}" = Microsoft SQL Server 2005 Books Online (English)
"{2222B364-0854-4265-B32E-A142DB9DC7BB}" = Intel® PRO Network Connections 11.2.0.69
"{2373A92B-1C1C-4E71-B494-5CA97F96AA19}" = Microsoft SQL Server 2005
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{2A3E2C03-021C-440B-AA81-E020B92DD29F}" = CYMA IV Accounting for Windows
"{3248F0A8-6813-11D6-A77B-00B0D0150000}" = J2SE Runtime Environment 5.0
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{4D0F6CBC-1C63-4590-818E-1BCB37B5BA01}" = Microsoft SQL Server Native Client
"{4D6340A0-51FC-4683-9481-9573DFBAC566}" = ClockLink For TimeForce®
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{66A189CF-12DB-4106-955D-35B098BE0835}" = CYMA IV Accounting for Windows
"{7D589A98-0D4A-4F46-BEAB-6031E6364D6C}" = SQLXML4
"{7DDBF079-32B2-4811-A9F5-902320CB9AB4}" = CYMA IV Accounting for Windows
"{896F46E4-73C7-470C-90FB-8802CFAB7284}" = ArcHttpSrvGUI
"{8E005B6E-B2DC-413E-9CEB-93DB2C110A26}" = Microsoft SQL Server 2005 Backward compatibility
"{90032DD0-ABEE-4424-AC1E-B076BDD4E350}" = Microsoft SQL Server 2005 Tools
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91C01344-1C76-44F1-B7A5-EC1E8A432EB5}" = CYMA State Payroll Reporting - FMS
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4F8313B-0E21-478B-B289-BFB7736CA7AA}" = Remote Administration Tools
"{AC76BA86-7AD7-1033-7B44-A80000000002}" = Adobe Reader 8
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C25EF637-BE7A-4761-9B45-9069989C319F}" = Microsoft Visual Studio 2005 Premier Partner Edition - ENU
"{C62F89DE-6225-422D-881E-2115FA3BC332}" = CYMA IV Accounting for Windows
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DA8148D7-585B-4011-AC5B-6AED4C8E6BAB}" = SAP
"{E0A41F96-7231-4AE8-A654-EEB34F935462}" = Microsoft SQL Server 2005 Integration Services
"{F21BC620-4230-41D7-8505-36ED42263B35}" = Symantec Endpoint Protection Manager
"{F83B8D2B-51AD-4D71-8F03-0EC25B30C69D}" = CYMA IV Accounting for Windows
"{FA68071D-A095-4B3E-967D-FFCCBA0D486E}" = CYMA IV Accounting for Windows
"ClockLink For TimeForce®" = ClockLink For TimeForce®
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{91C01344-1C76-44F1-B7A5-EC1E8A432EB5}" = CYMA State Payroll Reporting - FMS
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Pervasive PSQL v10 SP3 Server Engine (32-bit)" = Pervasive PSQL v10 SP3 Server Engine (32-bit)
"WIC" = Windows Imaging Component
"Windows Server 2003 Service Pack" = Windows Server 2003 Service Pack 2
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/17/2010 12:18:35 PM | Computer Name = DEATHSTAR | Source = Symantec AntiVirus | ID = 16711731
Description =

Error - 11/17/2010 1:14:09 PM | Computer Name = DEATHSTAR | Source = Symantec AntiVirus | ID = 16711731
Description =

Error - 11/17/2010 2:03:05 PM | Computer Name = DEATHSTAR | Source = Symantec AntiVirus | ID = 16711731
Description =

Error - 11/17/2010 3:21:39 PM | Computer Name = DEATHSTAR | Source = Symantec AntiVirus | ID = 16711731
Description =

Error - 11/17/2010 3:21:41 PM | Computer Name = DEATHSTAR | Source = Symantec AntiVirus | ID = 16711731
Description =

Error - 11/17/2010 6:35:56 PM | Computer Name = DEATHSTAR | Source = Symantec AntiVirus | ID = 16711731
Description =

Error - 11/17/2010 6:36:00 PM | Computer Name = DEATHSTAR | Source = Symantec AntiVirus | ID = 16711731
Description =

Error - 11/17/2010 6:36:01 PM | Computer Name = DEATHSTAR | Source = Symantec AntiVirus | ID = 16711731
Description =

Error - 11/17/2010 6:52:04 PM | Computer Name = DEATHSTAR | Source = Symantec AntiVirus | ID = 16711731
Description =

Error - 11/17/2010 6:52:49 PM | Computer Name = DEATHSTAR | Source = Symantec AntiVirus | ID = 16711731
Description =

[ System Events ]
Error - 8/23/2010 5:46:44 PM | Computer Name = DEATHSTAR | Source = iScsiPrt | ID = 54
Description = Initiator Service failed to respond in time to a request to encrypt
or decrypt data.

Error - 8/25/2010 12:47:34 PM | Computer Name = DEATHSTAR | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
MAINTAINANCE-PC that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{2020FBB2-354. The master browser is stopping or an election is being
forced.

Error - 8/26/2010 12:17:48 PM | Computer Name = DEATHSTAR | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
MAINTAINANCE-PC that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{2020FBB2-354. The master browser is stopping or an election is being
forced.

Error - 8/27/2010 5:05:27 PM | Computer Name = DEATHSTAR | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
MAINTAINANCE-PC that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{2020FBB2-354. The master browser is stopping or an election is being
forced.

Error - 8/28/2010 1:27:50 PM | Computer Name = DEATHSTAR | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
MAINTAINANCE-PC that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{2020FBB2-354. The master browser is stopping or an election is being
forced.

Error - 8/28/2010 1:28:00 PM | Computer Name = DEATHSTAR | Source = NetBT | ID = 4321
Description = The name "WOOKIE :1d" could not be registered on the Interface
with IP address 192.168.1.254. The machine with the IP address 192.168.1.27 did
not allow the name to be claimed by this machine.

Error - 8/30/2010 10:43:35 AM | Computer Name = DEATHSTAR | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
MAINTAINANCE-PC that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{2020FBB2-354. The master browser is stopping or an election is being
forced.

Error - 8/30/2010 11:55:32 AM | Computer Name = DEATHSTAR | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
MAINTAINANCE-PC that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{2020FBB2-354. The master browser is stopping or an election is being
forced.

Error - 8/30/2010 11:59:37 AM | Computer Name = DEATHSTAR | Source = NetBT | ID = 4321
Description = The name "WOOKIE :1d" could not be registered on the Interface
with IP address 192.168.1.254. The machine with the IP address 192.168.1.27 did
not allow the name to be claimed by this machine.

Error - 9/2/2010 6:19:35 PM | Computer Name = DEATHSTAR | Source = iScsiPrt | ID = 54
Description = Initiator Service failed to respond in time to a request to encrypt
or decrypt data.


< End of report >

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:16 AM

Posted 29 November 2010 - 08:50 PM

There are still a few traces of malware in the log.

Do you know what this might relate to?

[2010/11/29 15:40:57 | 000,000,328 | -HS- | M] () -- C:\WINDOWS\tasks\Wlcvqyx.job


It looks and acts like malware but appears to have been modified just before this legitimate file:

C:\WINDOWS\ClockLinkService.ini



If you do and it's legitimate then please remove the line from the script below.


Open OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:23012
O4 - HKCU..\Run: [HJRUDZ5DT2] C:\Documents and Settings\Administrator\Local Settings\Temp\Lr1.exe ()
O4 - HKCU..\Run: [fswsvcjj] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xhskotxyx\emeegsktsbl.exe File not found
O4 - HKCU..\Run: [vvaenahu] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\thjjodxia\eegqwyptsbl.exe File not found
[2010/11/29 15:40:57 | 000,000,328 | -HS- | M] () -- C:\WINDOWS\tasks\Wlcvqyx.job
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"

Then click the Run Fix button at the top

Let the program run unhindered.

When done it will say "Fix Complete press ok to open the log"
Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
m0le is a proud member of UNITE
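As an added example (not part of this thread, of OTL, or of the fix script above), here is a small Python triage that runs over OTL log lines and flags the three kinds of entries picked out in the post: an IE proxy pointing back at the local machine, HKCU Run entries launched from a Temp folder or pointing at a missing file, and hidden+system .job files under C:\WINDOWS\tasks. The regexes, the reason strings and the one benign control line (SunJavaUpdateSched) are my own assumptions.

```python
"""Triage of OTL scan output, added as an illustration; it is not part of
the thread, of OTL, or of the fix script posted above.

It flags the same kinds of entries the helper picked out of the log: an
Internet Explorer proxy pointing back at the local machine, HKCU Run
entries launched from a Temp folder (or whose target is already gone), and
hidden+system .job files under C:\\WINDOWS\\tasks. The regexes, thresholds
and the benign control line are assumptions of this example, not OTL's.
"""
import re

# Constructed sample: lines taken from the OTL log posted in this thread, plus
# one made-up benign HKLM Run entry (SunJavaUpdateSched) as a control.
SAMPLE_LOG = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:23012
O4 - HKCU..\Run: [HJRUDZ5DT2] C:\Documents and Settings\Administrator\Local Settings\Temp\Lr1.exe ()
O4 - HKCU..\Run: [fswsvcjj] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xhskotxyx\emeegsktsbl.exe File not found
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
[2010/11/29 15:40:57 | 000,000,328 | -HS- | M] () -- C:\WINDOWS\tasks\Wlcvqyx.job
[2010/11/29 16:17:58 | 000,000,304 | -H-- | M] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2010/11/29 15:29:00 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3058970405-634875250-3406734737-500UA.job
[2010/11/18 11:25:18 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW
"""

# One OTL file/folder entry: [date | size | attrs | C/M] (company) -- path
# attrs positions are R(eadonly) H(idden) S(ystem) D(irectory).
FILE_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-RHSD]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$")
PROXY_RE = re.compile(r'"ProxyServer" = (?P<value>\S+)')
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
TASK_RE = re.compile(r"\\WINDOWS\\tasks\\", re.IGNORECASE)


def parse_file_entry(line):
    """Parse one OTL file/folder line into a dict, or return None."""
    m = FILE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"].replace(",", ""))
    return entry


def classify(line):
    """Return a short reason if the line looks suspicious, otherwise None."""
    m = PROXY_RE.search(line)
    if m:
        # value looks like "http=127.0.0.1:23012"; isolate the host part
        host = m.group("value").split("=")[-1].split(":")[0]
        if host in ("127.0.0.1", "localhost"):
            return "IE proxy routes browsing through the local machine"
        return None
    m = RUN_RE.match(line)
    if m:
        target = m.group("target")
        if TEMP_RE.search(target):
            return "autorun launched from a Temp folder"
        if target.endswith("File not found"):
            return "autorun points at a missing file (orphaned entry)"
        return None
    entry = parse_file_entry(line)
    if entry and TASK_RE.search(entry["path"]):
        attrs = entry["attrs"]
        if attrs[1] == "H" and attrs[2] == "S":
            return "hidden+system scheduled task"
    return None


def triage(log_text):
    """Return [(reason, line), ...] for every suspicious line in an OTL log."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = classify(line)
        if reason:
            hits.append((reason, line))
    return hits


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

The hidden-only .job (attributes -H--) is deliberately not flagged, since the post treats only the hidden+system Wlcvqyx.job as suspect; tighten the check if your own baseline warrants it.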

#11 jqkunz

jqkunz
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:03:16 AM

Posted 30 November 2010 - 10:06 AM

Here is the log; the fix completed in just a few seconds and did not ask me to reboot.
I have not tried opening IE to see if the problem still exists; I wanted to check with you first.
Thanks,
Jonah


========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\HJRUDZ5DT2 deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\Lr1.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\fswsvcjj deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\vvaenahu deleted successfully.
C:\WINDOWS\tasks\Wlcvqyx.job moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\""|""%1" %*" /E : value set successfully!

OTL by OldTimer - Version 3.2.17.3 log created on 11302010_080325

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:16 AM

Posted 30 November 2010 - 07:21 PM

Please rerun OTL on a Scan and post the log.

You can check to see if the redirections are still present and let me know too. :)
m0le is a proud member of UNITE

#13 jqkunz

jqkunz
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:03:16 AM

Posted 01 December 2010 - 10:21 AM

Here is the log file. I tried IE and I am still being redirected.



OTL logfile created on: 12/1/2010 8:15:23 AM - Run 2
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 8.00% Memory free
6.00 Gb Paging File | 2.00 Gb Available in Paging File | 33.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 100.00 Gb Total Space | 65.04 Gb Free Space | 65.04% Space Free | Partition Type: NTFS
Drive E: | 198.01 Gb Total Space | 183.60 Gb Free Space | 92.72% Space Free | Partition Type: NTFS
Drive F: | 298.02 Gb Total Space | 240.33 Gb Free Space | 80.64% Space Free | Partition Type: NTFS
Drive G: | 298.09 Gb Total Space | 283.05 Gb Free Space | 94.95% Space Free | Partition Type: NTFS
Drive H: | 298.09 Gb Total Space | 283.02 Gb Free Space | 94.94% Space Free | Partition Type: NTFS
Drive Z: | 888.90 Gb Total Space | 846.63 Gb Free Space | 95.24% Space Free | Partition Type: NTFS

Computer Name: DEATHSTAR | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Lr1.exe File not found
PRC - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\Pervasive Software\PSQL\bin\w3sqlmgr.exe (Pervasive Software Inc.)
PRC - C:\Program Files\Pervasive Software\PSQL\bin\ntbtrv.exe (Pervasive Software Inc.)
PRC - C:\Program Files\Pervasive Software\PSQL\bin\ntdbsmgr.exe (Pervasive Software Inc.)
PRC - C:\Program Files\Qqest Software Systems\TimeForce\ClockLink\ClockLinkService.exe (Qqest Software Systems)
PRC - C:\Program Files\Qqest Software Systems\TimeForce\ClockLink\SchedTray.exe (Qqest Software Systems)
PRC - c:\Inetpub\wwwroot\qqest\Utilities\TFProcessingQueue.exe (Qqest Software Systems)
PRC - c:\Inetpub\wwwroot\qqest\Utilities\TimeForcePunches.exe (Qqest Software Systems)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe (Symantec Corporation)
PRC - c:\Inetpub\wwwroot\qqest\Utilities\TimeForceServices.exe (Qqest Software Systems)
PRC - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)
PRC - C:\Program Files\Symantec\LiveUpdate\LUALL.EXE (Symantec Corporation)
PRC - C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe (iAnywhere Solutions, Inc.)
PRC - C:\WINDOWS\system32\inetsrv\w3wp.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe (Adobe Systems Incorporated)
PRC - C:\WINDOWS\system32\iscsiexe.exe (Microsoft Corporation)
PRC - C:\Program Files\Areca Technology Corp\Http Proxy Server Service\ArcHttpSrvGUI.exe ()
PRC - C:\Program Files\Areca Technology Corp\Http Proxy Server Service\ArcHttpSrv.exe ()
PRC - C:\WINDOWS\system32\ServerAppliance\elementmgr.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\ServerAppliance\appmgr.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\ServerAppliance\srvcsurg.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770_x-ww_05FDF087\comctl32.dll (Microsoft Corporation)
MOD - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
MOD - C:\WINDOWS\system32\ws03res.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (WinHttpAutoProxySvc) -- File not found
SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (Pervasive.SQL (relational)) -- C:\Program Files\Pervasive Software\PSQL\bin\w3sqlmgr.exe (Pervasive Software Inc.)
SRV - (Pervasive.SQL (transactional)) -- C:\Program Files\Pervasive Software\PSQL\bin\ntbtrv.exe (Pervasive Software Inc.)
SRV - (ClockLink) -- C:\Program Files\Qqest Software Systems\TimeForce\ClockLink\ClockLinkService.exe (Qqest Software Systems)
SRV - (TFPunchProcessQueue) -- c:\Inetpub\wwwroot\qqest\Utilities\TFProcessingQueue.exe (Qqest Software Systems)
SRV - (TFPunches) -- c:\Inetpub\wwwroot\qqest\Utilities\TimeForcePunches.exe (Qqest Software Systems)
SRV - (semsrv) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe (Symantec Corporation)
SRV - (ServiceTimeForce) -- c:\Inetpub\wwwroot\qqest\Utilities\TimeForceServices.exe (Qqest Software Systems)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)
SRV - (ASANYs_sem5) -- C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe (iAnywhere Solutions, Inc.)
SRV - (Tssdis) -- C:\WINDOWS\system32\tssdis.exe (Microsoft Corporation)
SRV - (RSoPProv) -- C:\WINDOWS\system32\rsopprov.exe (Microsoft Corporation)
SRV - (Pop3Svc) -- C:\WINDOWS\system32\pop3server\pop3svc.exe (Microsoft Corporation)
SRV - (NtFrs) -- C:\WINDOWS\system32\ntfrs.exe (Microsoft Corporation)
SRV - (LicenseService) -- C:\WINDOWS\system32\llssrv.exe (Microsoft Corporation)
SRV - (IsmServ) -- C:\WINDOWS\system32\ismserv.exe (Microsoft Corporation)
SRV - (SMTPSVC) Simple Mail Transfer Protocol (SMTP) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (MSFtpsvc) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (IISADMIN) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (Dfs) -- C:\WINDOWS\system32\dfssvc.exe (Microsoft Corporation)
SRV - (W3SVC) -- C:\WINDOWS\system32\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (MSiSCSI) -- C:\WINDOWS\system32\iscsiexe.exe (Microsoft Corporation)
SRV - (ArcHttpProxyServer) -- C:\Program Files\Areca Technology Corp\Http Proxy Server Service\ArcHttpSrv.exe ()
SRV - (msvsmon80) -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe (Microsoft Corporation)
SRV - (elementmgr) -- C:\WINDOWS\system32\ServerAppliance\elementmgr.exe (Microsoft Corporation)
SRV - (appmgr) -- C:\WINDOWS\system32\ServerAppliance\appmgr.exe (Microsoft Corporation)
SRV - (TrkSvr) -- C:\WINDOWS\system32\trksvr.dll (Microsoft Corporation)
SRV - (sacsvr) -- C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
SRV - (srvcsurg) -- C:\WINDOWS\system32\ServerAppliance\srvcsurg.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (IpInIp) -- C:\WINDOWS\System32\DRIVERS\ipinip.sys File not found
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (WLBS) -- C:\WINDOWS\system32\drivers\wlbs.sys (Microsoft Corporation)
DRV - (ClusDisk) -- C:\WINDOWS\system32\drivers\clusdisk.sys (Microsoft Corporation)
DRV - (DfsDriver) -- C:\WINDOWS\system32\drivers\Dfs.sys (Microsoft Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (arcm_x86) -- C:\WINDOWS\system32\drivers\arcm_x86.sys (ARECA Technology Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (HdAudAddService) -- C:\WINDOWS\system32\drivers\hdaudio.sys (Windows ® Server 2003 DDK provider)
DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>



O1 HOSTS File: ([2003/03/25 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\hdashcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKCU..\Run: [{B018A92B-431D-6070-4A85-1CB64B70B539}] C:\Documents and Settings\Administrator\Application Data\Apesof\myqu.exe (GoldWave Inc.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKLM..\RunOnce: [ClockLink Scheduler] C:\Program Files\Qqest Software Systems\TimeForce\ClockLink\SchedLoader.exe (Qqest Software Systems)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Areca HTTP Proxy Server GUI.lnk = C:\Program Files\Areca Technology Corp\Http Proxy Server Service\ArcHttpSrvGUI.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ClockLink Scheduler.lnk = C:\Program Files\Qqest Software Systems\TimeForce\ClockLink\SchedLoader.exe (Qqest Software Systems)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169735738472 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab (Java Plug-in 1.5.0)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/01/25 07:07:51 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/30 08:03:25 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/11/30 05:04:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Equdz
[2010/11/30 05:04:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Apesof
[2010/11/29 16:16:47 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/11/18 11:32:44 | 001,344,088 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2010/11/18 11:25:18 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW
[2010/11/18 08:46:43 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/11/17 16:06:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Downloads
[2010/11/17 09:35:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2010/11/17 09:24:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Temp
[2010/11/17 09:24:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
[2010/11/16 16:19:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/11/16 16:19:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
[2010/11/16 16:19:19 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/11/16 14:58:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/11/16 14:17:08 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/11/16 13:54:29 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/11/16 13:28:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/11/16 13:28:13 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/11/16 13:28:12 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/11/16 13:28:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/11/16 13:28:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/11/16 13:13:16 | 000,536,064 | ---- | C] (Igor Pavlov) -- C:\WINDOWS\System32\RegShellSM.exe
[2010/11/16 13:13:12 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Documents\Server
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/01 08:05:44 | 000,000,611 | ---- | M] () -- C:\WINDOWS\TimeForce.ini
[2010/12/01 08:05:11 | 000,000,401 | ---- | M] () -- C:\clockslist.sql
[2010/12/01 07:55:00 | 000,000,304 | -H-- | M] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2010/12/01 07:29:00 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3058970405-634875250-3406734737-500UA.job
[2010/11/30 09:29:00 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3058970405-634875250-3406734737-500Core.job
[2010/11/29 16:55:38 | 000,597,150 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/29 16:55:38 | 000,122,040 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/11/29 16:16:33 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/11/29 16:02:44 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe
[2010/11/29 15:41:04 | 000,000,183 | ---- | M] () -- C:\WINDOWS\ClockLinkService.ini
[2010/11/29 15:40:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/29 15:36:34 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/28 18:38:00 | 001,344,088 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2010/11/17 10:34:05 | 000,630,272 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/11/17 09:29:12 | 000,002,384 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Google Chrome.lnk
[2010/11/17 09:29:12 | 000,002,362 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/11/16 16:42:15 | 095,250,016 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\regbackup.reg
[2010/11/16 16:19:20 | 000,001,718 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/11/16 14:00:40 | 003,910,362 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/11/16 13:54:44 | 000,001,774 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2010/11/16 13:28:15 | 000,000,736 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/16 13:14:28 | 000,105,984 | RHS- | M] () -- C:\WINDOWS\System32\adptifr.dll
[2010/11/16 13:13:22 | 000,536,064 | ---- | M] (Igor Pavlov) -- C:\WINDOWS\System32\RegShellSM.exe
[2010/11/10 12:25:22 | 000,000,822 | ---- | M] () -- C:\WINDOWS\System32\ErrorStatus.xml
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/29 16:02:59 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe
[2010/11/29 15:41:46 | 000,000,304 | -H-- | C] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2010/11/29 15:37:40 | 000,002,068 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Areca HTTP Proxy Server GUI.lnk
[2010/11/29 15:37:40 | 000,001,788 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
[2010/11/29 15:37:40 | 000,001,746 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
[2010/11/18 11:25:02 | 003,910,362 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/11/17 10:34:10 | 000,630,272 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/11/17 09:29:12 | 000,002,384 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Google Chrome.lnk
[2010/11/17 09:29:12 | 000,002,362 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/11/17 09:24:55 | 000,001,010 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3058970405-634875250-3406734737-500UA.job
[2010/11/17 09:24:55 | 000,000,958 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3058970405-634875250-3406734737-500Core.job
[2010/11/16 16:42:07 | 095,250,016 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\regbackup.reg
[2010/11/16 16:19:20 | 000,001,718 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/11/16 13:54:30 | 000,001,774 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2010/11/16 13:28:15 | 000,000,736 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/16 13:14:27 | 000,105,984 | RHS- | C] () -- C:\WINDOWS\System32\adptifr.dll
[2009/11/17 12:16:38 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\BTRDRVR.SYS
[2008/04/09 08:24:32 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\d3d9caps.dat
[2007/11/08 10:17:46 | 000,000,011 | ---- | C] () -- C:\WINDOWS\System32\PROTOCOL.INI
[2007/01/31 08:03:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2007/01/25 14:09:03 | 000,000,183 | ---- | C] () -- C:\WINDOWS\ClockLinkService.ini
[2007/01/25 12:50:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2007/01/25 12:04:53 | 000,000,611 | ---- | C] () -- C:\WINDOWS\TimeForce.ini
[2007/01/25 12:04:53 | 000,000,275 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/01/25 08:56:17 | 000,000,184 | ---- | C] () -- C:\WINDOWS\bti.ini
[2007/01/25 08:53:16 | 000,000,190 | ---- | C] () -- C:\Program Files\Common Files\psasetup.log
[2007/01/25 08:53:06 | 000,043,760 | ---- | C] () -- C:\WINDOWS\System32\nwlocale.dll
[2007/01/25 07:29:51 | 000,021,792 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2007/01/25 07:29:51 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2007/01/25 07:29:48 | 000,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini
[2007/01/25 07:29:46 | 000,050,666 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2007/01/25 07:29:45 | 000,010,793 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2007/01/25 07:29:42 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2007/01/25 07:19:25 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2007/01/25 07:19:22 | 000,000,481 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2007/01/25 07:19:18 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/01/25 00:02:56 | 000,004,633 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/06/29 07:25:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/06/29 07:25:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/06/29 07:25:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/06/29 07:25:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/06/29 07:25:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/06/29 07:25:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/06/29 07:25:00 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/03/24 20:44:26 | 000,179,577 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
[2003/03/25 05:00:00 | 000,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
[2003/03/25 05:00:00 | 000,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
[2003/03/25 05:00:00 | 000,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
[2003/03/25 05:00:00 | 000,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
[2003/03/25 05:00:00 | 000,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini

< End of report >
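The O4 section of the OTL log above is where the infection shows itself: a per-user Run value whose name is a bare GUID, launching an executable from a randomly named folder under Application Data (the entry Malwarebytes later reports as Trojan.ZbotR.Gen). Legitimate autoruns in the same log (NVIDIA, SUPERAntiSpyware, the Areca startup shortcut) each show at most one odd trait. The script below is an added triage example, not part of OTL or of the helper's instructions: it parses O4 lines of the two shapes seen in this log and flags an entry only when several weak indicators coincide. The line formats are assumed from the entries shown here, the sample lines are copied from the log above (constructed input, not a live registry read), and the indicator set and threshold are the editor's choice.

```python
import re

# Constructed sample: four "O4" autorun lines copied from the OTL log posted
# above. A real run would read these lines from a saved OTL.txt; the script
# never touches the registry itself.
SAMPLE_O4_LINES = [
    r"O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)",
    r"O4 - HKCU..\Run: [{B018A92B-431D-6070-4A85-1CB64B70B539}] C:\Documents and Settings\Administrator\Application Data\Apesof\myqu.exe (GoldWave Inc.)",
    r"O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)",
    r"O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Areca HTTP Proxy Server GUI.lnk = C:\Program Files\Areca Technology Corp\Http Proxy Server Service\ArcHttpSrvGUI.exe ()",
]

# Registry-backed entries, assumed shape: "O4 - HKCU..\Run: [name] path (company)"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] "
    r"(?P<path>.+?) \((?P<company>[^)]*)\)$"
)
# Startup-folder entries, assumed shape: "O4 - Startup: shortcut.lnk = target (company)"
STARTUP_RE = re.compile(
    r"^O4 - Startup: (?P<name>.+?) = (?P<path>.+?) \((?P<company>[^)]*)\)$"
)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
PROFILE_DATA_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(?:Application Data|Local Settings)\\",
    re.IGNORECASE,
)


def parse_o4(line):
    """Return a dict for an O4 line, or None if the line is not an O4 entry."""
    m = RUN_RE.match(line)
    if m:
        return m.groupdict()
    m = STARTUP_RE.match(line)
    if m:
        entry = m.groupdict()
        entry["hive"] = "Startup"
        entry["key"] = "Startup"
        return entry
    return None


def suspicious_reasons(entry):
    """Collect weak indicators; none alone proves anything, several together matter."""
    reasons = []
    if GUID_RE.match(entry["name"]):
        reasons.append("value name is a bare GUID")
    if PROFILE_DATA_RE.search(entry["path"]):
        reasons.append("target lives under a user profile data folder")
    if entry["hive"] == "HKCU":
        reasons.append("per-user Run key (writable without admin rights)")
    if not entry["company"].strip():
        reasons.append("no company name in the file's version info")
    return reasons


def triage(lines, threshold=2):
    """Return entries that hit at least `threshold` indicators, in log order."""
    flagged = []
    for line in lines:
        entry = parse_o4(line.rstrip("\r\n"))
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if len(reasons) >= threshold:
            flagged.append({"name": entry["name"], "path": entry["path"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    # With the sample above only the Apesof\myqu.exe entry crosses the threshold.
    for hit in triage(SAMPLE_O4_LINES):
        print(hit["path"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The threshold is deliberate: a per-user Run key on its own (SUPERAntiSpyware) or a missing company name on its own (the Areca shortcut) are common on clean machines, so neither is reported alone, while the Apesof entry trips three indicators at once and is the item a responder should look at first.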

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:10:16 AM

Posted 01 December 2010 - 05:19 PM

Please run the following removal tools on the machine. I know you have run them already but I'd like to see what they are finding. Make sure you carry out the scans exactly as they are explained too.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

m0le is a proud member of UNITE

#15 jqkunz

jqkunz
  • Topic Starter

  • Members
  • 20 posts
  • Local time:03:16 AM

Posted 02 December 2010 - 04:17 PM

Ok, I ran MalwareBytes first and it came up with several things and I had to reboot. Then I did the SAS and it also came up with several things and required a reboot. Posted below are the logs.


Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5229

Windows 5.2.3790 Service Pack 2
Internet Explorer 8.0.6001.18702

12/2/2010 7:51:11 AM
mbam-log-2010-12-02 (07-51-11).txt

Scan type: Full scan (C:\|E:\|F:\|G:\|Z:\|)
Objects scanned: 321524
Time elapsed: 56 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\HJRUDZ5DT2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\ere94fe5o32 (Trojan.FakeAV) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{B018A92B-431D-6070-4A85-1CB64B70B539} (Trojan.ZbotR.Gen) -> Value: {B018A92B-431D-6070-4A85-1CB64B70B539} -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\application data\Apesof\myqu.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/02/2010 at 02:05 PM

Application Version : 4.46.1000

Core Rules Database Version : 5941
Trace Rules Database Version: 3753

Scan type : Complete Scan
Total Scan Time : 03:54:32

Memory items scanned : 596
Memory threats detected : 1
Registry items scanned : 7569
Registry threats detected : 5
File items scanned : 357983
File threats detected : 1

Trojan.Agent/Gen-SDRA
C:\WINDOWS\SYSTEM32\SDRA64.EXE
C:\WINDOWS\SYSTEM32\SDRA64.EXE

Backdoor.Bot[ZBot]
HKU\S-1-5-21-3058970405-634875250-3406734737-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}
HKU\S-1-5-21-3058970405-634875250-3406734737-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905}
HKU\S-1-5-21-3058970405-634875250-3406734737-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f}

Malware.Trace
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network#uid [ DEATHSTAR_D83814675254FDDB ]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon#Taskman



