TDSS infection causing BSOD on start-up?


This topic is locked
20 replies to this topic

#1 scuzzi
  • Members
  • 34 posts

Posted 22 November 2010 - 10:21 PM

This morning as I was researching images for a project through Firefox, I started getting suspicious results - being directed to attack websites, so I immediately scanned with MBAM (quick option) and found two infections (TDSS); quarantined and deleted. (I have attached the log for your review.) Upon restart as requested to complete the removal, my computer didn't get past the black Windows start screen before cycling into a reboot. I tried again in Safe Mode, same result. I've tried using F8 to boot from last known good config; no success. During any boot, I notice for a fraction of a second before the computer spontaneously resets, there is a BSOD, unfortunately it is displayed so briefly that I cannot tell you anything about what it said.

Now I'm stuck and request your assistance.

Running WinXP SP3 on custom build.

My thanks in advance, scuzzi

Edited by Budapest, 23 November 2010 - 02:03 AM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~BP




#2 scuzzi
  • Topic Starter
  • Members
  • 34 posts

Posted 22 November 2010 - 10:55 PM

PS....

Through reading other posts, I discovered how to see the BSOD on restart and the technical info is:
"STOP 0x0000007B (0xF78A2524,0xC0000034,0x00000000,0x00000000)".

Thanks, scuzzi

#3 AustrAlien
  • Inquisitor
  • Members
  • 6,772 posts
  • Gender:Male
  • Location:Cowra NSW Australia

Posted 24 November 2010 - 05:47 AM

An expert Malware Response Team member will be along to assist you when possible.

Sit tight and please be patient.

Edited by AustrAlien, 24 November 2010 - 05:53 AM.

AustrAlien
Google is my friend. Make Google your friend too.

#4 Elise
  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,319 posts
  • Gender:Female
  • Location:Romania

Posted 24 November 2010 - 07:32 AM

Hi scuzzi, do you have an XP CD at hand?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#5 scuzzi
  • Topic Starter
  • Members
  • 34 posts

Posted 24 November 2010 - 11:20 AM

Thanks for responding so quickly.

I have a WinXP CD; does it need to be the same CD as the current install?

scuzzi

#6 Elise
  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,319 posts
  • Gender:Female
  • Location:Romania

Posted 24 November 2010 - 11:45 AM

No, but it has to contain service pack 1 at least.

Please try the following. I will move this topic to a more appropriate forum.

Let's try to boot your computer using a Boot CD.

Please print this guide for future reference!

You will need a blank CD, your Windows XP install disc, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. Please tell me what error messages you got and/or what steps you got hung up on.

1. Download the PE Builder to your desktop

http://www.nu2.nu/download.php?sFile=pebuilder3110a.exe
  • Double-Click on the PE Builder that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on PE Builder.exe located on your desktop.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
    • Source:(path to Windows installation files)
    • Enter the path to the drive where your XP CD is located.
    • You can click on the "..." button on the right to navigate to the path as well.
  • Custom: (include files and folders from this directory)
    • No information is necessary, leave blank.
  • Output:
    • Keep the default
  • Media output
    • Choose Create ISO image
    • Do not choose Burn to CD/DVD
    • Download the RunScanner plugin and save it to your desktop

    http://www.paraglidernc.com/Files/RunScanner10025.cab

    Please note: You will be prompted for the folder that it shall be saved. By default it appears as runscanner10025. It should be modified to just runscanner <--- Important!!!


    • Press the Plugin button on the PE Builder interface
    • Press the Add button and navigate to the location of the RunScanner plugin to install
    • Please note: If you are using a Windows XP disc with SP2, then highlight "RpcSS needs to launch DComLaunch" and then press Enable
  • When you're done press Close and the PE Builder interface will re-appear
3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit
4. Burn your ISO file to CD

==========

Next........

From your clean computer..

Please download OTLPE.zip and save it to a flash drive.
http://oldtimer.geekstogo.com/OTLPE.zip
http://www.itxassociates.com/OT-Tools/OTLPE.zip

Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

==========

Plug your flash drive into your sick computer now and do as instructed below..

==========

1. Restart Your sick Computer Using the PE Builder ISO CD That You Have Created
  • Insert the CD in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on No
  • After it loads press the Go button in the lower left and do this....
    • Go
    • System
    • Display
    • Screen Resolution
    • 1024x768
    Next choose....
    • Go
    • Programs
    • A43 File Management Utility

==========

In A43 File Management you should see your flash drive.
Navigate to the OTLPE folder that you saved to your flash drive.

Open the OTLPE folder and double click Start.cmd.

  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTLPE should now start

    Change the following settings
    • Change Services, Drivers, Standard and Extra Registry to Use Safelist
    • Uncheck LOP and Purity check

    Please note: Stay with your computer during the course of the scan. If "Entry Point Errors" are encountered simply press "ok" and allow the program to continue. <-- Important!!
  • Push the Run Scan button
  • A report will open named "OTL.txt" and another will be minimized to the system tray named "Extras.txt". Save both logs to your flash drive. Copy and paste them in your next reply.

regards, Elise



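Once OTL.txt and Extras.txt come back, the lines worth reading first are the ones OTL marks "File not found" for boot- or system-start drivers and services, bursts of At*.job scheduled tasks created at the same instant, and scripts with no publisher dropped into System32. The script below is an added example for this thread, not part of OTL or of any post here: it scans OTL-format lines for those patterns and ranks what it finds. The severities, the allow-list of phantom driver names that XP boxes commonly carry, and the burst threshold are my own assumptions, and SAMPLE_LOG is constructed in OTL's line format.

```python
"""Triage an OTL / OTLPE log for boot-critical tampering indicators.

Added example for this thread; it is not part of OTL or of any post here.
Rule severities, the phantom-driver allow-list and the burst threshold are
the author's assumptions, and SAMPLE_LOG is constructed in OTL's format.
"""
import re
from collections import defaultdict

# "SRV - File not found [Auto] -- <path> -- (<name>)"
# "DRV - File not found [Kernel | Boot] -- -- (<name>)"   (path may be absent)
MISSING_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<start>[^\]]*)\] -- "
    r"(?:(?P<path>\S.*?) )?-- \((?P<name>[^)]*)\)$"
)
# "[YYYY/MM/DD HH:MM:SS | size | attrs | C] (<company>) -- <path>"  (C = created, M = modified)
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| [\d,]+ \| [^|]*\| (?P<flag>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
RUN_EMPTY_RE = re.compile(r"^O4 - .*\\Run: \[\] File not found$")
AT_JOB_RE = re.compile(r"\\tasks\\At\d+\.job$", re.IGNORECASE)
SCRIPT_EXT = (".js", ".vbs", ".bat", ".cmd")
# Assumed-benign phantom entries XP boxes commonly carry (CD-emulation and
# remote-access leftovers). Review this list for your own environment.
BENIGN_PHANTOM_DRIVERS = {"Changer", "i2omgmt", "lbrtfdc", "PCIDump",
                          "PDCOMP", "PDFRAME", "PDRELI", "PDRFRAME", "WDICA"}
RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def triage(lines, burst_threshold=5):
    """Return (severity, message) findings for an iterable of OTL log lines."""
    findings = []
    at_jobs_by_ts = defaultdict(list)  # creation timestamp -> At*.job paths
    for raw in lines:
        line = raw.strip()
        m = MISSING_RE.match(line)
        if m:
            name, start = m.group("name"), m.group("start")
            if m.group("kind") == "SRV":
                findings.append(("MEDIUM", f"service '{name}' binary missing: {m.group('path') or '(no path)'}"))
            elif name in BENIGN_PHANTOM_DRIVERS:
                continue
            elif "Boot" in start or "System" in start:
                # A boot-start storage driver that cannot load is one cause of STOP 0x7B.
                findings.append(("HIGH", f"boot/system-start driver '{name}' ({start}) has no file on disk"))
            else:
                findings.append(("LOW", f"on-demand driver '{name}' has no file on disk"))
            continue
        m = FILE_RE.match(line)
        if m:
            path, low = m.group("path"), m.group("path").lower()
            if m.group("flag") == "C" and AT_JOB_RE.search(path):
                at_jobs_by_ts[m.group("ts")].append(path)
            elif low.endswith(SCRIPT_EXT) and "\\system32\\" in low and not m.group("company"):
                findings.append(("HIGH", f"script with no publisher in System32: {path}"))
            continue
        if RUN_EMPTY_RE.match(line):
            findings.append(("MEDIUM", f"unnamed Run entry pointing at a missing file: {line}"))
    for ts, paths in at_jobs_by_ts.items():
        if len(paths) >= burst_threshold:
            findings.append(("HIGH", f"{len(paths)} At*.job tasks created in one second ({ts}); "
                                     "hourly At jobs are a common malware persistence pattern"))
    return sorted(findings, key=lambda f: RANK[f[0]])


# Constructed sample in OTL's format (not a real log from this thread's poster).
SAMPLE_LOG = r"""
SRV - File not found [Auto] -- C:\WINDOWS\System32\msippsth.dll -- (TCPIP Pass-through Filter)
SRV - File not found [Auto] -- C:\WINDOWS\System32\spoolsv.exe -- (Spooler)
SRV - [2010/07/30 08:49:49 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | Boot] -- -- (rseb)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | Boot] -- -- (ouagndey)
DRV - File not found [Kernel | Boot] -- C:\WINDOWS\System32\drivers\dmload.sys -- (dmload)
DRV - [2010/07/29 15:30:12 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
[2010/11/22 11:12:02 | 000,007,500 | ---- | C] () -- C:\WINDOWS\System32\123.js
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2010/11/20 14:07:15 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
"""

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG.splitlines()):
        print(severity, message)
```

Run it against a saved OTL.txt with `triage(open("OTL.txt", errors="replace"))`. It is a triage aid, not a verdict: a legitimately missing driver still shows up, and a rootkit that has patched a driver in place (rather than deleted it) will not, so the HIGH items are where to start reading, not where to stop.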

#7 scuzzi
  • Topic Starter
  • Members
  • 34 posts

Posted 25 November 2010 - 03:48 PM

Elise -

Greetings on Thanksgiving Day. I'm most grateful for your assistance.

I did the PEbuild and OTLPE sequences. However, in booting with PE, the original WinXP OS opened and I ran the OTLPE only. (I did run the PE sequence once, but the OTLPE only scanned the CD, not the C drive and never "found" the OTLPE txt or Extras.txt.) I have pasted the 2 log results (running directly on the C drive, not through PE). While the drive booted successfully, it's boggy and erratic.


OTL logfile created on: 11/25/2010 9:57:50 AM - Run
OTLPE by OldTimer - Version 3.1.43.0 Folder = G:\OTLPE\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 122.07 Gb Total Space | 27.56 Gb Free Space | 22.58% Space Free | Partition Type: NTFS
Drive E: | 312.50 Gb Total Space | 48.82 Gb Free Space | 15.62% Space Free | Partition Type: NTFS
Drive F: | 117.59 Gb Total Space | 24.45 Gb Free Space | 20.80% Space Free | Partition Type: NTFS
Drive G: | 244.44 Mb Total Space | 242.92 Mb Free Space | 99.38% Space Free | Partition Type: FAT
Drive M: | 146.48 Gb Total Space | 61.87 Gb Free Space | 42.24% Space Free | Partition Type: NTFS

Computer Name: SILVERSTONE2 | User Name: Administrator
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- C:\WINDOWS\System32\msippsth.dll -- (TCPIP Pass-through Filter)
SRV - File not found [Auto] -- C:\WINDOWS\System32\spoolsv.exe -- (Spooler)
SRV - [2010/07/30 08:49:49 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/07/29 15:29:11 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/07/29 09:34:26 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/01/21 15:24:08 | 000,110,592 | ---- | M] (WDC) [Auto] -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe -- (WDDMService)
SRV - [2009/06/16 07:58:08 | 000,020,480 | ---- | M] (Memeo) [Auto] -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe -- (WDSmartWareBackgroundService)
SRV - [2008/10/10 04:45:26 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2007/03/20 15:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)
SRV - [2006/01/04 23:06:02 | 000,163,840 | ---- | M] (Alex Feinman) [On_Demand] -- C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe -- (Imapi Helper)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | Boot] -- -- (rseb)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | Boot] -- -- (ouagndey)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | Boot] -- C:\WINDOWS\System32\drivers\dmload.sys -- (dmload)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2010/07/29 15:30:12 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/07/29 15:30:06 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/07/29 15:30:06 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/05/10 11:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 11:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/07/10 10:03:04 | 001,381,632 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\viahduaa.sys -- (VIAHdAudAddService)
DRV - [2009/03/15 03:25:46 | 000,056,268 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2009/02/13 10:02:52 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/04/14 04:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/03 18:07:34 | 000,010,240 | ---- | M] (Atola) [Kernel | On_Demand] -- C:\Program Files\A-FF Find and Mount\slicedisk.sys -- (SliceDisk5)
DRV - [2008/03/22 14:37:20 | 000,113,896 | ---- | M] (QFX Software Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\keyscrambler.sys -- (KeyScrambler)
DRV - [2006/01/19 22:10:50 | 000,363,008 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rt61.sys -- (RT61)
DRV - [2001/08/17 06:51:32 | 000,018,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\irsir.sys -- (irsir)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1547161642-1960408961-1417001333-500\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1547161642-1960408961-1417001333-500\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1547161642-1960408961-1417001333-500\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-1547161642-1960408961-1417001333-500\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1547161642-1960408961-1417001333-500\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 97 3B 23 6C C8 88 CB 01 [binary data]
IE - HKU\S-1-5-21-1547161642-1960408961-1417001333-500\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1547161642-1960408961-1417001333-500\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1547161642-1960408961-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1547161642-1960408961-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/11/25 09:49:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{E2385710-26B4-44A3-83DB-238DF344FCBE}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{E2385710-26B4-44A3-83DB-238DF344FCBE} [2010/08/09 20:14:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/28 19:12:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/28 19:12:58 | 000,000,000 | ---D | M]

[2010/02/15 21:30:48 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/12 09:33:56 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

O1 HOSTS File: ([2008/04/14 04:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (CKeyScramblerBHO Object) - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKU\S-1-5-21-1547161642-1960408961-1417001333-500\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
O4 - HKU\S-1-5-21-1547161642-1960408961-1417001333-500..\Run: [\\JULIA\EPSON Stylus Photo R260 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-21-1547161642-1960408961-1417001333-500..\Run: [Auto EPSON Stylus Photo R260 Series on EVO1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-21-1547161642-1960408961-1417001333-500..\Run: [Auto EPSON Stylus Photo R260 Series on JULIA] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-21-1547161642-1960408961-1417001333-500..\Run: [Auto EPSON Stylus Photo R260 Series on WEEONE] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-21-1547161642-1960408961-1417001333-500..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: Error locating startup folders.
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1547161642-1960408961-1417001333-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra 'Tools' menuitem : &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.11.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/02/14 16:12:52 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{11fbfaa9-aa5c-11df-a2f4-d0eea4ee37ea}\Shell\AutoRun\command - "" = K:\WD SmartWare.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/20 18:44:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Print
[2010/11/18 20:25:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Verizon
[2010/11/17 11:21:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\00 nov 17
[2010/11/13 15:04:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Fargo
[2010/11/05 16:48:03 | 000,000,000 | ---D | C] -- C:\New Folder
[2010/11/05 10:38:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\teaching 10-11
[2010/10/31 08:51:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Ad Hoc
[2010/10/27 20:02:16 | 000,000,000 | ---D | C] -- C:\Program Files\A-FF Find and Mount
[2010/08/06 10:08:04 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Administrator\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\Administrator\Local Settings\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/25 09:47:14 | 068,077,397 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/11/25 09:43:25 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/25 09:43:09 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1547161642-1960408961-1417001333-500.job
[2010/11/25 09:43:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/23 15:12:02 | 000,007,500 | ---- | M] () -- C:\WINDOWS\System32\123.js
[2010/11/23 15:12:02 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010/11/23 13:12:06 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010/11/23 12:12:02 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010/11/23 11:12:03 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010/11/23 10:12:04 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010/11/23 09:12:04 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010/11/22 11:19:41 | 000,049,114 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Using Video Surveillance to...pdf
[2010/11/22 10:45:24 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010/11/22 10:45:24 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010/11/22 10:45:24 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010/11/22 10:45:24 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010/11/22 10:41:48 | 001,614,480 | ---- | M] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/11/22 08:12:09 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010/11/22 07:12:09 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010/11/22 06:12:09 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2010/11/22 05:12:09 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2010/11/22 04:12:08 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2010/11/22 03:12:08 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010/11/22 02:12:08 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/11/22 01:12:07 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/11/22 00:12:07 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/11/22 00:08:14 | 000,174,080 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\mower.doc
[2010/11/21 23:12:07 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010/11/21 23:00:21 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/11/21 22:12:07 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010/11/21 21:12:07 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010/11/21 20:12:06 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010/11/21 19:12:06 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010/11/21 01:00:13 | 000,536,064 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HD drive files Nov2010.doc
[2010/11/19 08:45:55 | 000,003,154 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\scan 111810.csv
[2010/11/19 01:21:16 | 000,000,302 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1547161642-1960408961-1417001333-500.job
[2010/11/19 01:16:56 | 000,465,206 | ---- | M] () -- C:\t2.dwg
[2010/11/18 11:04:08 | 000,483,013 | ---- | M] () -- C:\t2.bak
[2010/11/17 09:44:21 | 000,000,006 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\start
[2010/11/17 09:37:48 | 000,000,006 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\completescan
[2010/11/17 09:25:49 | 000,000,010 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\install
[2010/11/10 21:13:04 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2010/11/10 08:56:01 | 000,444,358 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/10 08:56:01 | 000,072,108 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/10/28 17:08:11 | 000,528,108 | ---- | M] () -- C:\t3.dwg
[2010/10/28 17:08:11 | 000,528,108 | ---- | M] () -- C:\Documents and Settings\Administrator\t3.bak
[2010/10/28 10:03:33 | 000,522,109 | ---- | M] () -- C:\Documents and Settings\Administrator\t2.bak
[2010/10/28 08:13:32 | 000,551,621 | ---- | M] () -- C:\t1.dwg
[2010/10/28 08:13:32 | 000,551,621 | ---- | M] () -- C:\Documents and Settings\Administrator\t1.bak
[2010/10/27 17:58:14 | 001,632,048 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Administrator\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\Administrator\Local Settings\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/22 11:19:41 | 000,049,114 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Using Video Surveillance to...pdf
[2010/11/22 11:12:02 | 000,007,500 | ---- | C] () -- C:\WINDOWS\System32\123.js
[2010/11/22 00:08:14 | 000,174,080 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\mower.doc
[2010/11/21 00:03:10 | 000,536,064 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HD drive files Nov2010.doc
[2010/11/20 14:07:15 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/11/19 08:45:55 | 000,003,154 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\scan 111810.csv
[2010/11/17 09:38:34 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\start
[2010/11/17 09:37:48 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\completescan
[2010/11/17 09:25:49 | 000,000,010 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\install
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2010/10/31 12:16:17 | 000,551,621 | ---- | C] () -- C:\t1.dwg
[2010/10/31 12:16:17 | 000,528,108 | ---- | C] () -- C:\t3.dwg
[2010/10/31 12:16:17 | 000,483,013 | ---- | C] () -- C:\t2.bak
[2010/10/31 12:16:17 | 000,465,206 | ---- | C] () -- C:\t2.dwg
[2010/10/31 12:14:54 | 000,551,621 | ---- | C] () -- C:\Documents and Settings\Administrator\t1.bak
[2010/10/31 12:14:54 | 000,528,108 | ---- | C] () -- C:\Documents and Settings\Administrator\t3.bak
[2010/10/31 12:14:54 | 000,522,109 | ---- | C] () -- C:\Documents and Settings\Administrator\t2.bak
[2010/09/26 23:07:36 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Administrator\New Microsoft Word Document.doc
[2010/08/09 21:28:07 | 000,000,174 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/08/09 11:24:09 | 000,002,735 | ---- | C] () -- C:\WINDOWS\DevMgr.ini
[2010/08/09 11:20:58 | 000,000,020 | ---- | C] () -- C:\WINDOWS\Hposcv07.INI
[2010/08/06 10:08:07 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\pcouffin.log
[2010/08/06 10:08:04 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\inst.exe
[2010/08/06 10:08:04 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\pcouffin.cat
[2010/08/06 10:08:04 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\pcouffin.inf
[2010/07/30 02:27:44 | 001,614,480 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/07/29 17:25:09 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/07/29 11:39:51 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2010/02/15 23:26:24 | 000,051,200 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/14 20:35:15 | 000,290,918 | ---- | C] () -- C:\WINDOWS\System32\Install7x.dll
[2010/02/14 16:18:01 | 000,007,287 | ---- | C] () -- C:\Documents and Settings\Administrator\ASPNETSetup.log
[2010/02/14 16:08:50 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2010/02/14 16:08:50 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2010/02/14 16:08:49 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2010/02/14 08:39:35 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/11/05 05:42:45 | 000,062,400 | ---- | C] () -- C:\WINDOWS\System32\IFC.dll
[2008/11/05 05:41:56 | 000,422,848 | ---- | C] () -- C:\WINDOWS\System32\PPL.dll
[2003/06/25 00:38:06 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\win2000.dll
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1993/07/23 17:31:02 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\msvcrt10.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\fixdell.cmd:SummaryInformation
< End of report >

OTL Extras logfile created on: 11/25/2010 9:57:50 AM - Run
OTLPE by OldTimer - Version 3.1.43.0 Folder = G:\OTLPE\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 122.07 Gb Total Space | 27.56 Gb Free Space | 22.58% Space Free | Partition Type: NTFS
Drive E: | 312.50 Gb Total Space | 48.82 Gb Free Space | 15.62% Space Free | Partition Type: NTFS
Drive F: | 117.59 Gb Total Space | 24.45 Gb Free Space | 20.80% Space Free | Partition Type: NTFS
Drive G: | 244.44 Mb Total Space | 242.92 Mb Free Space | 99.38% Space Free | Partition Type: FAT
Drive M: | 146.48 Gb Total Space | 61.87 Gb Free Space | 42.24% Space Free | Partition Type: NTFS

Computer Name: SILVERSTONE2 | User Name: Administrator
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1547161642-1960408961-1417001333-500\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]a
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3703:TCP" = 3703:TCP:*:Enabled:Adobe Version Cue CS3 Server
"3704:TCP" = 3704:TCP:*:Enabled:Adobe Version Cue CS3 Server
"50900:TCP" = 50900:TCP:*:Enabled:Adobe Version Cue CS3 Server
"50901:TCP" = 50901:TCP:*:Enabled:Adobe Version Cue CS3 Server

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" = C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server -- (Adobe Systems Incorporated)
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console -- (Microsoft Corporation)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{0224CACC-994D-45F8-B973-D65056EA9C2F}" = Adobe XMP DVA Panels CS3
"{0327FA9D-975C-448C-A086-577D57BB25B8}" = Adobe Soundbooth CS3 Codecs
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}" = Adobe After Effects CS3 Presets
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{1D58229F-C505-45CA-8223-F35F3A34B963}" = Adobe Version Cue CS3 Server
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{232DB76D-4751-41A9-9EC2-CDC0DAC1FAB6}" = WD SmartWare
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4458C442-7376-4CF9-AF58-E8CEA6722363}" = Adobe Setup
"{485ACF57-F364-440A-8496-E1E81C8FA1AA}" = Adobe Premiere Pro CS3 Third Party Content
"{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}" = Adobe Premiere Pro CS3 Functional Content
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{54B2EAD9-A110-43F7-B010-2859A1BD2AFE}" = Adobe Encore CS3
"{5783F2D7-0111-0409-0010-0060B0CE6BBA}" = Autodesk CAD Manager Tools
"{5783F2D7-8004-0409-0002-0060B0CE6BBA}" = AutoCAD Architecture 2010
"{5783F2D7-8004-0409-1002-0060B0CE6BBA}" = AutoCAD Architecture 2010 Language Pack - English
"{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}" = Adobe Premiere Pro CS3
"{5F00DF7E-418B-4CD9-8EC5-781156BCC49E}" = Microsoft Money Shared Libraries
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3
"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files
"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{7ACFB90E-8FD0-4397-AD3A-5195412623A3}" = Adobe Help Viewer CS3
"{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}" = Adobe Dreamweaver CS3
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{7DFC1012-D346-46CE-B03E-FF79125AE029}" = Adobe Fireworks CS3
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}" = Adobe Video Profiles
"{8718DC03-D066-4957-94E5-50C3C5042E8E}" = Adobe Creative Suite 3 Master Collection
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A6B23EFA-6590-482C-A11F-5ACE1B91F5B9}" = Adobe Soundbooth CS3
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3
"{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}" = Adobe BridgeTalk Plugin CS3
"{B8B7A4D8-80E1-4DAE-BD33-7FD535BA3931}" = Adobe Encore CS3 Codecs
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BB406CEB-6207-4512-9BB2-89950DC9D6B6}_is1" = ConvertXtoDVD 2.2.3.258
"{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}" = Adobe Flash Player 9 ActiveX
"{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}" = Windows Rights Management Client with Service Pack 2
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 Service Pack 1
"{CB3F8375-B600-4B9F-83C9-238ED1E583FD}" = Adobe InDesign CS3
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D3EE034D-5B92-4A55-AA02-2E6D0A6A96EE}" = Windows Resource Kit Tools - SubInAcl.exe
"{D5A31AB1-345D-47C7-A87B-036A669F6DF1}" = Adobe XMP Panels CS3
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{DFC6573E-124D-4026-BFA4-B433C9D3FF21}" = ISO Recorder
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler
"{EB0202F7-016A-410C-ADE4-40F848CCC661}" = Adobe After Effects CS3
"{EC905264-BCFE-423B-9C42-C3A106266790}" = Windows Rights Management Client Backwards Compatibility SP2
"{F08E8D2E-F132-4742-9C87-D5FF223A016A}" = Adobe Illustrator CS3
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"{FC9E08AA-CD59-4C59-BEF9-87E05B9E37D7}" = Adobe Contribute CS3
"{FCD71234-2287-41D2-96AD-3D3C66D60FBC}" = MSI Wireless LAN Card
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_4dcfd9b7e901b57f81f667144603236" = Add or Remove Adobe Creative Suite 3 Master Collection
"AutoCAD Architecture 2010" = AutoCAD Architecture 2010
"AVG9Uninstall" = AVG Free 9.0
"DVDFab 7_is1" = DVDFab 7.0.9.2 (05/08/2010)
"DVDFab 8_is1" = DVDFab 8.0.0.5 (25/08/2010)
"eMusic Promotion" = 50 FREE MP3s +1 Free Audiobook!
"Find and Mount_is1" = Find and Mount 2.31
"Framing Calculator_is1" = Framing Calculator
"gBurner" = gBurner
"HijackThis" = HijackThis 2.0.2
"hp officejet 7100 series 1281378233" = hp officejet 7100 series
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"IsoBuster_is1" = IsoBuster 2.8
"KeyScrambler" = KeyScrambler
"Magic ISO Maker v5.4 (build 0251)" = Magic ISO Maker v5.4 (build 0251)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Silverlight" = Microsoft Silverlight
"Money2007b" = Microsoft Money 2007 Home & Business
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"nLite_is1" = nLite 1.4.9.1
"PE Builder_is1" = PE Builder 3.1.10a
"Picasa 3" = Picasa 3
"PowerISO" = PowerISO
"RealPlayer 12.0" = RealPlayer
"TurboTax 2008" = TurboTax 2008
"TurboTax Deluxe 2007" = TurboTax Deluxe 2007
"uTorrent" = µTorrent
"V3.2_is1" = File Scavenger 3.2
"VLC media player" = VLC media player 1.0.5
"Winamp" = Winamp
"WinRAR archiver" = WinRAR archiver

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1547161642-1960408961-1417001333-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"f031ef6ac137efc5" = Dell Driver Download Manager
"Winamp Detect" = Winamp Detector Plug-in

< End of report >
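The OTL log above shows two patterns an analyst would pull out by hand: twenty-four `At1.job` … `At24.job` files written to `C:\WINDOWS\tasks` in the same second (2010/11/17 09:24:20), and a `123.js` dropped straight into `System32` with no company name on 2010/11/22. The script below is an added example, not part of this thread and not OTL's own code: it parses the OTL `[date | size | attrs | C/M] (Company) -- path` line format as it appears in this log and flags both patterns. The regex, the burst threshold (`min_count=3`), the extension list and the `since` cut-off are my assumptions; the sample input is constructed from lines copied from the log above plus two benign entries.

```python
import re
from collections import defaultdict

# One OTL "Files Created" / "Files Modified" line looks like:
#   [YYYY/MM/DD HH:MM:SS | 000,007,500 | ---- | C] (Company) -- C:\path
# The "(Company)" field is empty for files carrying no version/company info,
# which is why OTL groups them under "No Company Name".  (Regex is an
# assumption based on the log in this thread, not an OTL specification.)
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# Constructed sample input: lines copied from the OTL log above, plus two
# benign entries (mower.doc, d3d9caps.dat) so the script runs offline.
SAMPLE_LOG = (
    "[2010/11/22 11:12:02 | 000,007,500 | ---- | C] () -- C:\\WINDOWS\\System32\\123.js\n"
    "[2010/11/22 00:08:14 | 000,174,080 | ---- | C] () -- C:\\Documents and Settings\\Administrator\\My Documents\\mower.doc\n"
    "[2010/11/20 14:07:15 | 000,000,664 | ---- | C] () -- C:\\WINDOWS\\System32\\d3d9caps.dat\n"
    "[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\\WINDOWS\\tasks\\At9.job\n"
    "[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\\WINDOWS\\tasks\\At8.job\n"
    "[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\\WINDOWS\\tasks\\At7.job\n"
    "[2010/11/17 09:24:20 | 000,000,430 | ---- | C] () -- C:\\WINDOWS\\tasks\\At1.job\n"
    "[2010/07/29 11:39:51 | 002,463,976 | ---- | C] () -- C:\\WINDOWS\\System32\\NPSWF32.dll\n"
)


def parse_otl(text):
    """Return a list of dicts for every line matching the OTL file-entry format."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if m is None:  # section headers, blanks, "*.tmp" summary lines
            continue
        entries.append({
            "ts": m["ts"],  # kept as text: this format sorts lexically by time
            "size": int(m["size"].replace(",", "")),
            "kind": m["kind"],  # C = created, M = modified
            "company": m["company"],
            "path": m["path"],
        })
    return entries


TASK_JOB = re.compile(r"\\windows\\tasks\\at\d+\.job$", re.IGNORECASE)


def find_task_bursts(entries, min_count=3):
    """Group At*.job creations by timestamp; return {ts: [paths]} for every
    second in which at least min_count scheduled-task files appeared."""
    by_second = defaultdict(list)
    for e in entries:
        if e["kind"] == "C" and TASK_JOB.search(e["path"]):
            by_second[e["ts"]].append(e["path"])
    return {ts: sorted(paths) for ts, paths in by_second.items()
            if len(paths) >= min_count}


SYSTEM32_FILE = re.compile(r"\\windows\\system32\\[^\\]+$", re.IGNORECASE)
EXEC_EXTS = (".exe", ".dll", ".sys", ".js", ".vbs", ".scr", ".cpl")


def flag_unattributed_system32(entries, since, exts=EXEC_EXTS):
    """Executable or script files created directly in System32 on or after
    `since` (same YYYY/MM/DD HH:MM:SS text format) with no company name."""
    hits = []
    for e in entries:
        if e["kind"] != "C" or e["company"] or e["ts"] < since:
            continue
        if SYSTEM32_FILE.search(e["path"]) and e["path"].lower().endswith(exts):
            hits.append(e["path"])
    return sorted(hits)


def triage(text, since):
    """Human-readable findings for one log; returns a list of strings."""
    entries = parse_otl(text)
    findings = []
    for ts, paths in sorted(find_task_bursts(entries).items()):
        findings.append(f"{len(paths)} At*.job tasks created at {ts}")
    for path in flag_unattributed_system32(entries, since):
        findings.append(f"unattributed System32 file: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, since="2010/11/01 00:00:00"):
        print(finding)
```

The `since` window matters: without it the Flash plugin `NPSWF32.dll` (also created with no company name, back in July) would be reported alongside `123.js`, so the cut-off should be set to just before the first symptom the user reported rather than to the start of the log.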

#8 Elise

  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,319 posts
  • Location: Romania

Posted 26 November 2010 - 04:27 AM

I'm glad to hear you were able to boot normally now. :)

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."
Malware analyst @ Emsisoft


#9 scuzzi (Topic Starter)

  • Members
  • 34 posts

Posted 26 November 2010 - 12:22 PM

Elise -

I downloaded ComboFix and disabled AVG 9 per instructions (actually ended up uninstalling AVG 9 as CF had a conflict I couldn't resolve). However in running CF I get a message saying "File appears to be corrupt; please DL a fresh copy of ComboFix...." (attached Print Screen). Downloading a new copy doesn't appear to have any effect.

Is this a malware suppression or true CF corruption? Please advise.

Thanks, scuzzi

Attached file: cf.jpg (25.4 KB)


#10 Elise

  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,319 posts
  • Location: Romania

Posted 26 November 2010 - 12:48 PM

That looks like a genuine message. Please download a new copy and try again.

regards, Elise


#11 scuzzi (Topic Starter)

  • Members
  • 34 posts

Posted 26 November 2010 - 06:29 PM

Elise -

Ok. I retried from the sick HD and from both sites listed above and came back with the same corrupt message. Tried using Mozilla FF and MS IE; and downloading on different computer and transferring via flash drive. All with same results.

The sick drive started getting squirrelly again and I rebooted - several attempts to get back to WinXP - and downloaded 8 times from each of the two sites. On opening, combofix.exe would often show itself loading and then quit without a message. After a dozen+ attempts I finally got CF to run. I have posted the log below.

I await your conclusions. scuzzi

ComboFix 10-11-25.06 - Administrator 11/26/2010 16:05:35.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1711 [GMT -7:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\completescan
c:\documents and settings\Administrator\Application Data\inst.exe
c:\documents and settings\Administrator\Application Data\install
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Thumbs.db
c:\windows\system\VB40032.DLL
c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

----- BITS: Possible infected sites -----

hxxp://au.download.windowsupdatej+|Cv+@J:NGD_DQ{zcxLJS@)GPfeWU Client DownloadS-1-5-18`HT4?? 6VwoQZCDHM6VwoQZCDHMXu>>>>vlcxLJS@GD_DQ{zGD_DQ{zGD_DQ{z+@J:Nj+|Cvte.com
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_TCPIP_PASS-THROUGH_FILTER
-------\Service_6to4
-------\Service_TCPIP Pass-through Filter


((((((((((((((((((((((((( Files Created from 2010-10-26 to 2010-11-26 )))))))))))))))))))))))))))))))
.

2010-11-26 23:13 . 2010-11-26 23:13 -------- d-----w- c:\windows\system32\xircom
2010-11-26 23:13 . 2010-11-26 23:13 -------- d-----w- c:\windows\system32\wbem\snmp
2010-11-26 23:13 . 2010-11-26 23:13 -------- d-----w- c:\program files\microsoft frontpage
2010-11-26 16:11 . 2010-11-26 16:11 -------- d-----w- C:\AVGTemp
2010-11-26 16:01 . 2010-11-26 16:02 -------- d-----w- C:\32788R22FWJFW.1.tmp
2010-11-20 15:35 . 2010-11-20 15:35 664 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\d3d9caps.tmp
2010-11-05 23:48 . 2010-11-05 23:49 -------- d-----w- C:\New Folder
2010-10-28 03:02 . 2010-10-28 03:02 -------- d-----w- c:\program files\A-FF Find and Mount

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-14 18:11 . 2007-02-02 00:11 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-09-18 18:23 . 2008-04-14 11:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 11:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 11:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-04-14 11:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2009-03-08 02:34 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2009-03-08 02:34 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-10 05:58 . 2009-03-08 02:34 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-09 22:39 . 2010-09-09 22:39 2826240 ----a-w- c:\windows\system32\GPhotos.scr
2010-09-01 11:48 . 2008-05-27 16:29 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 18:56 . 2010-08-31 18:57 412 ----a-w- C:\fixdell.cmd
2010-08-31 13:38 . 2009-02-09 10:08 1861888 ----a-w- c:\windows\system32\win32k.sys
.

------- Sigcheck -------

[-] 2009-03-26 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe

c:\windows\System32\spoolsv.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-07-16 33636352]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-10-14 202256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp officejet 7100 series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe [2003-6-24 495682]
MSI Wireless Utility.lnk - c:\program files\MSI\Common\RaUI.exe [2010-2-14 425984]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-1-21 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2010-1-21 9136960]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2010-2-14 128000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 3:24 PM 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 7:58 AM 20480]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [8/27/2010 9:14 AM 113896]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [7/31/2010 8:24 PM 1381632]
S0 ouagndey;ouagndey; [x]
S0 rseb;rseb; [x]
S3 SliceDisk5;SliceDisk5;c:\program files\A-FF Find and Mount\slicedisk.sys [10/27/2010 8:02 PM 10240]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [8/16/2010 5:27 PM 11520]
.
Contents of the 'Scheduled Tasks' folder

2010-11-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1547161642-1960408961-1417001333-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 09:02]

2010-11-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1547161642-1960408961-1417001333-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 09:02]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ng2rux3.default\
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ng2rux3.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {E2385710-26B4-44A3-83DB-238DF344FCBE} - c:\documents and settings\Administrator\Local Settings\Application Data\{E2385710-26B4-44A3-83DB-238DF344FCBE}
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-\\JULIA\EPSON Stylus Photo R260 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE
AddRemove-PE Builder_is1 - c:\pebuilder3110a\unins000.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-1960408961-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cd,17,a0,c3,12,51,50,4c,bc,0e,60,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,cb,7b,c6,b2,1a,19,42,a1,78,53,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cd,17,a0,c3,12,51,50,4c,bc,0e,60,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3416)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\dfshim.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\program files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
c:\program files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2010-11-26 16:17:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-26 23:17

Pre-Run: 29,442,899,968 bytes free
Post-Run: 29,758,849,024 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
c:\$win_nt$.~bt\BOOTSECT.DAT="Microsoft Windows XP Professional Setup"

- - End Of File - - 8AF9559F5216AB3396BFC82CB8368A59
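The service section of the ComboFix log above lists two boot-start entries (S0 ouagndey and S0 rseb) with "[x]" where every other service shows a path, timestamp and size. The script below is an added triage example, not ComboFix or BleepingComputer code: it parses lines in that shape and flags drivers registered to load at boot or system start whose image file is missing, which is the pattern a responder would want surfaced first. The reading of "[x]" as "image file not found" is my assumption about the format, based on the lines in this thread, and the sample lines are copied in shape from the log above.

```python
"""Triage of ComboFix-style service lines: flag drivers registered to load early
that have no image file on disk. Added example for this thread; not ComboFix code.
The reading of "[x]" as "file not found" is an assumption about the format."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows SERVICE_START values; ComboFix prints this digit after R (running) / S (stopped).
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

# One service per line:  <R|S><start> <name>;<display name>;<image path> [<timestamp size>]
# When the file cannot be found the path is empty and the bracket holds "x" (assumption).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*?)\s*\[(?P<info>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    state: str          # R = running, S = stopped
    start_type: int     # 0..4, see START_TYPES
    name: str
    display: str
    path: str           # empty when ComboFix could not find the image file
    info: str           # "<date> <time> <size>" or "x"

    @property
    def missing_file(self) -> bool:
        return self.info.strip().lower() == "x" or not self.path.strip()

    @property
    def loads_early(self) -> bool:
        # Boot- and system-start drivers load before most security software does.
        return self.start_type in (0, 1)

    @property
    def looks_autogenerated(self) -> bool:
        # Heuristic only: short all-lowercase name identical to its display name, the
        # pattern of the two entries in this thread. Legitimate drivers can match too.
        return self.name == self.display and re.fullmatch(r"[a-z]{4,10}", self.name) is not None


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for a ComboFix service line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(m["state"], int(m["start"]), m["name"], m["display"],
                        m["path"].strip(), m["info"])


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (service name, reason) for every entry worth a second look, in log order."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        if entry.missing_file and entry.loads_early:
            findings.append((entry.name,
                             f"{START_TYPES[entry.start_type]}-start driver with no image file on disk"))
        elif entry.missing_file:
            findings.append((entry.name, "service registered but image file not found"))
        elif entry.looks_autogenerated:
            findings.append((entry.name, "autogenerated-looking name (heuristic only)"))
    return findings


# Constructed sample in the shape of the service section above (paths as ComboFix prints them).
SAMPLE_SERVICES = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [8/27/2010 9:14 AM 113896]
S0 ouagndey;ouagndey; [x]
S0 rseb;rseb; [x]
S3 SliceDisk5;SliceDisk5;c:\program files\A-FF Find and Mount\slicedisk.sys [10/27/2010 8:02 PM 10240]
"""

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_SERVICES):
        print(f"{name}: {reason}")
```

Run against the sample, the two S0 entries are the only findings; the SUPERAntiSpyware, KeyScrambler and SliceDisk drivers all resolve to a file on disk and pass. The name heuristic is deliberately kept as the weakest signal, since a missing boot-start image is a far stronger indicator than how a name looks.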

#12 Elise, Malware Study Hall Admin

Posted 27 November 2010 - 08:49 AM

Well, I sure see why ComboFix had some trouble running; that was a lot of malware, including a nasty rootkit. Please read the following information first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and cleaned, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

    FCopy::
    c:\windows\system32\dllcache\spoolsv.exe | c:\windows\System32\spoolsv.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#13 scuzzi (Topic Starter)

Posted 27 November 2010 - 02:43 PM

Elise -

I am considering the suggestion in that a complete reformat is the safest/surest solution, and have some questions for experts such as yourself. 1) Do I need to be concerned about the partitions on the HD that don't contain the OS (used for storage)? If I reformat, do I do so for all the partitions? Do I need to be concerned with external HDs used for storage as well (scanned regularly)? 3) How did AVG and MBAM not catch anything in regular scanning? Does Keyscrambling have any positive value in an infection such as this? (Although I also believe this infection was most recent, within the last 10 days max; 5 minimum.) 4) In your analysis, is there a major piece of malware that spawned all this? Short of me going through a virus/MW list to identify each piece, is there a quicker way to know what infections/files hit this machine?

In the meantime, I ran the CF script and have attached the log below. Thanks for all your assistance. Scuzzi

ComboFix 10-11-25.06 - Administrator 11/27/2010 11:16:51.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1497 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\cfscript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\{E2385710-26B4-44A3-83DB-238DF344FCBE}
c:\documents and settings\Administrator\Local Settings\Application Data\{E2385710-26B4-44A3-83DB-238DF344FCBE}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{E2385710-26B4-44A3-83DB-238DF344FCBE}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{E2385710-26B4-44A3-83DB-238DF344FCBE}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{E2385710-26B4-44A3-83DB-238DF344FCBE}\install.rdf

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\spoolsv.exe --> c:\windows\System32\spoolsv.exe
.
((((((((((((((((((((((((( Files Created from 2010-10-27 to 2010-11-27 )))))))))))))))))))))))))))))))
.

2010-11-27 18:16 . 2010-08-17 13:17 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-11-27 06:10 . 2010-11-27 17:27 664 ----a-w- c:\windows\system32\d3d9caps.tmp
2010-11-27 00:54 . 2010-11-27 00:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG10
2010-11-27 00:16 . 2010-11-27 00:16 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-11-27 00:15 . 2010-11-27 17:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-11-26 23:48 . 2010-11-27 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-11-26 23:13 . 2010-11-26 23:13 -------- d-----w- c:\windows\system32\xircom
2010-11-26 23:13 . 2010-11-26 23:13 -------- d-----w- c:\windows\system32\wbem\snmp
2010-11-26 23:13 . 2010-11-26 23:13 -------- d-----w- c:\program files\microsoft frontpage
2010-11-26 16:11 . 2010-11-26 16:11 -------- d-----w- C:\AVGTemp
2010-11-26 16:01 . 2010-11-26 16:02 -------- d-----w- C:\32788R22FWJFW.1.tmp
2010-11-05 23:48 . 2010-11-05 23:49 -------- d-----w- C:\New Folder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-14 18:11 . 2007-02-02 00:11 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-09-18 18:23 . 2008-04-14 11:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 11:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 11:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-04-14 11:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2009-03-08 02:34 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2009-03-08 02:34 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-10 05:58 . 2009-03-08 02:34 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-09 22:39 . 2010-09-09 22:39 2826240 ----a-w- c:\windows\system32\GPhotos.scr
2010-09-01 11:48 . 2008-05-27 16:29 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 18:56 . 2010-08-31 18:57 412 ----a-w- C:\fixdell.cmd
2010-08-31 13:38 . 2009-02-09 10:08 1861888 ----a-w- c:\windows\system32\win32k.sys
.

------- Sigcheck -------

[-] 2009-03-26 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-11-26_23.14.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 07:02 . 2009-07-12 07:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2010-11-27 18:06 . 2010-11-27 18:06 16384 c:\windows\Temp\Perflib_Perfdata_650.dat
+ 2009-07-12 07:02 . 2009-07-12 07:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2008-04-14 11:00 . 2008-04-14 11:00 640000 c:\windows\system32\dllcache\dbghelp.dll
+ 2010-11-27 00:14 . 2010-11-27 00:14 219648 c:\windows\Installer\38209b.msi
+ 2009-07-12 07:02 . 2009-07-12 07:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2010-11-27 00:16 . 2010-11-27 00:16 3065856 c:\windows\Installer\3820a3.msi
+ 2010-11-27 00:15 . 2010-11-27 00:15 1548288 c:\windows\Installer\38209f.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-07-16 33636352]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-10-14 202256]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp officejet 7100 series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe [2003-6-24 495682]
MSI Wireless Utility.lnk - c:\program files\MSI\Common\RaUI.exe [2010-2-14 425984]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-1-21 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2010-1-21 9136960]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2010-2-14 128000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 3:24 PM 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 7:58 AM 20480]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [8/27/2010 9:14 AM 113896]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [7/31/2010 8:24 PM 1381632]
S0 ouagndey;ouagndey; [x]
S0 rseb;rseb; [x]
S3 SliceDisk5;SliceDisk5;c:\program files\A-FF Find and Mount\slicedisk.sys [10/27/2010 8:02 PM 10240]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [8/16/2010 5:27 PM 11520]
.
Contents of the 'Scheduled Tasks' folder

2010-11-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1547161642-1960408961-1417001333-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 09:02]

2010-11-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1547161642-1960408961-1417001333-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 09:02]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ng2rux3.default\
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ng2rux3.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-27 11:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-1960408961-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cd,17,a0,c3,12,51,50,4c,bc,0e,60,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,cb,7b,c6,b2,1a,19,42,a1,78,53,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cd,17,a0,c3,12,51,50,4c,bc,0e,60,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2010-11-27 11:22:57
ComboFix-quarantined-files.txt 2010-11-27 18:22
ComboFix2.txt 2010-11-26 23:17

Pre-Run: 22,617,751,552 bytes free
Post-Run: 22,615,785,472 bytes free

- - End Of File - - 7A36EA43AFC5896803145E011C6E152C

#14 Elise, Malware Study Hall Admin

Posted 27 November 2010 - 03:05 PM

I am considering the suggestion in that a complete reformat is the safest/surest solution, and have some questions for experts such as yourself. 1) Do I need to be concerned about the partitions on the HD that don't contain the OS (used for storage)? If I reformat, do I do so for all the partitions? Do I need to be concerned with external HDs used for storage as well (scanned regularly)?

Generally only the Windows partition is affected; however, in this case you had a Master Boot Record infection, and personally I would just reformat the complete drive that contains the Windows partition.

3) How did AVG and MBAM not catch anything in regular scanning? Does Keyscrambling have any positive value in an infection such as this? (Although I also believe this infection was most recent, within the last 10 days max; 5 minimum.)

Malware is developed and updated a lot faster than most antivirus/antispyware tools. Especially the rootkit you had is very advanced and distributed very cleverly (exploited sites, drive-by downloads and so on).

4) In your analysis, is there a major piece of malware that spawned all this? Short of me going through a virus/MW list to identify each piece, is there a quicker way to know what infections/files hit this machine?

Yes, the major piece was the TDL4 rootkit. This rootkit protects and invites other malware onto the machine; it basically takes control of whatever it wants.

I hope this answers your questions. Please let me know how you want to continue.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
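Elise's point above is that a Master Boot Record infection lives outside the Windows partition, which is why she recommends reformatting the whole drive rather than one partition. The script below is an added example of how a responder checks an MBR image, not code from this thread, ComboFix or BleepingComputer: it parses the four partition-table entries, verifies the 55AA boot signature, and compares the 440-byte boot-code area against a hash recorded while the machine was clean. The comparison matters because a bootkit that rewrites the boot code can leave the partition table untouched, so a table that "looks fine" proves nothing about the code that runs before Windows. The sample MBR, its disk signature and its boot code are constructed placeholders, not real boot code; KNOWN_GOOD_HASH stands in for a hash you would have recorded in advance.

```python
"""Sanity checks on a 512-byte Master Boot Record image. Added example for this
thread (not ComboFix or BleepingComputer code). The sample MBR and its boot code
are constructed placeholders, not real boot code."""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the disk signature
SIGNATURE = b"\x55\xAA"      # bytes 510..511
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample MBR with one bootable NTFS (type 0x07) partition starting at LBA 63."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_signature = struct.pack("<I", 0x1234ABCD)   # constructed value
    reserved = b"\x00\x00"
    ntfs = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 41_943_040)
    empty = b"\x00" * 16
    return code + disk_signature + reserved + ntfs + empty * 3 + SIGNATURE


def parse_mbr(mbr: bytes) -> Dict:
    """Parse signature, partition table and a hash of the boot-code area."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue   # unused slot
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "signature_ok": mbr[MBR_SIZE - 2:] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_matches(mbr: bytes, known_good_sha256: str) -> bool:
    """Compare only the boot-code area; the partition table legitimately differs per machine."""
    return parse_mbr(mbr)["boot_code_sha256"] == known_good_sha256


def findings(mbr: bytes, known_good_sha256: str) -> List[str]:
    """Human-readable list of what a responder would want to know about this MBR."""
    info = parse_mbr(mbr)
    out: List[str] = []
    if not info["signature_ok"]:
        out.append("boot signature 55AA missing")
    if not any(p["bootable"] for p in info["partitions"]):
        out.append("no active partition")
    if not boot_code_matches(mbr, known_good_sha256):
        out.append("boot code differs from known-good copy")
    return out


# Constructed placeholder boot code: recognisable bytes, not executable code.
SAMPLE_BOOT_CODE = b"\xEB\x3C\x90" + b"SAMPLE-BOOT-CODE-PLACEHOLDER"
CLEAN_MBR = build_sample_mbr(SAMPLE_BOOT_CODE)
KNOWN_GOOD_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # stands in for a hash recorded while clean


def tampered_copy(mbr: bytes) -> bytes:
    """Simulate a boot-code rewrite by changing one byte inside the code area only."""
    buf = bytearray(mbr)
    buf[0x10] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    print("clean:", findings(CLEAN_MBR, KNOWN_GOOD_HASH) or "no findings")
    print("tampered:", findings(tampered_copy(CLEAN_MBR), KNOWN_GOOD_HASH))
```

On the tampered copy the partition table parses identically to the clean one and the 55AA signature is still present; only the boot-code comparison reports a difference. On a real machine the 512 bytes would come from a disk image taken offline (or, with administrator rights, from the raw physical drive), and the known-good hash either from a record made before the incident or from the boot code a clean install of the same Windows version writes; both of those are assumptions about your environment, not something this thread provides.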


#15 scuzzi (Topic Starter)

Posted 29 November 2010 - 10:03 PM

Elise -

Thanks for your insightful input on my current situation. For the time being, I need to continue with using the sick drive for a few more weeks until I have time to reformat and regroup. I'll keep the drive offline and use a clean machine for all internet use to minimize fallout.

Please let me know how to proceed with repairing the disk. Thanks, scuzzi.



