
HAVE SOME TYPE OF VIRUS OR WORM


  • This topic is locked
25 replies to this topic

#1 Bluefox76

Bluefox76

  • Members
  • 35 posts
  • OFFLINE
  • Local time:01:55 AM

Posted 08 February 2011 - 08:25 PM

Hello.. I have a Toshiba Satellite laptop with Intel Celeron 1.50 GB of RAM if it matters.. I'm running Windows XP Home edition 2002 Service Pack 3.. I thought that I had the Google Redirect virus, but I have followed many steps to remove the problem and nothing seems to be working. So far I have done the basics like running Spybot, SuperAntiSpyware and Ad-Aware as well as my Norton's software.. I also downloaded Hitman Pro which always found things, but it never fixed the problem.. none of these scans (which were all run in Safe Mode) turned up anything so I formatted my computer and reinstalled Windows.. the problem was still there so I went to some forums and it was suggested that I didn't completely wipe the drive, I followed some steps and reinstalled Windows again, but it didn't work. So I went back to some forums and followed some instructions like checking my LAN settings to make sure that the proxy settings box is not checked off and the automatic configuration box is checked for settings.. everything was fine there. I also checked Internet Protocol properties and made sure that the IP address and DNS settings are set for automatic.. Finally, I went into my C drive, into the Windows folder, into System32 and the drivers folder and then the etc folder and right clicked on hosts.. everything looked proper there as well. So my next step was to run TDSSKiller.. it didn't find anything so I ran Malwarebytes, found nothing, ran Emsisoft Anti-Malware and it did find some files so I deleted them.. then I ran the Windows Malicious Software Removal Tool and found nothing. I ran CCleaner and then I flushed the DNS cache. I rebooted my computer back into Normal Mode and went onto Google and the problem is still there... I seem to have a lot of the same links that come up again and again.. hxxp://www.epoclick.com/?ad=1296445353, or smartbiz, sometimes the yellow pages as well as local real estate listings..
By the way, I don't necessarily have to be on Google for this to happen to me..

I use Firefox web browser version 3.6.13, and I'm currently running the ESET online scanner.. it's at 95% and it says that it hasn't found any threats and I don't expect it to say any different at 100%. I'm no computer tech, but I have a fair understanding of how to do most things. I don't want to run any further programs or scans without the help of someone who really knows what they're doing. I may not understand everything you want me to do, so please be patient with me. I would sincerely appreciate someone's help!


DDS (Ver_10-12-12.02) - NTFSx86
Run by Leather at 19:12:27.48 on Tue 02/08/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1526.768 [GMT -5:00]

AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ACS.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Leather\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer, optimized for Bing and MSN
uDefault_Page_URL = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.3.0.5\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\corel\wordperfect office x5\programs\WPLauncher.hta
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
SEH: MCOEShellHook Class: {b9e618a2-a4fe-11d4-83c2-005004636c96} - c:\program files\metamail inc\metamail reader\OESHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\leather\applic~1\mozilla\firefox\profiles\tqtaj1ig.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\progra~1\palmone\packag~1\NPInstal.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coFFPlgn
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-10-30 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-10-30 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20110114.001\BHDrvx86.sys [2011-1-18 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-10-30 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-10-30 116784]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.3.0.5\ccsvchst.exe [2010-10-30 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-9 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20110207.001\IDSXpx86.sys [2011-2-7 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110208.002\NAVENG.SYS [2011-2-8 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110208.002\NAVEX15.SYS [2011-2-8 1360760]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-10-9 16968]

=============== Created Last 30 ================


==================== Find3M ====================

2011-01-03 01:50:45 2 --shatr- c:\windows\winstart.bat
2010-12-29 05:58:54 2828 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-12-29 05:57:59 88 --sh--r- c:\docume~1\alluse~1\applic~1\9A4B226692.sys
2010-12-12 22:11:28 1152 ----a-w- c:\windows\system32\windrv.sys
2010-12-05 05:35:19 53248 ----a-w- c:\windows\PalmDevC.dll
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 23:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

============= FINISH: 19:13:13.64 ===============


Edited by Orange Blossom, 08 February 2011 - 11:35 PM.
Deactivate link. ~ OB
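The manual checks described in the post above (IE LAN proxy settings, DNS on automatic, the hosts file) all show up as plain text lines in a DDS log, so they can be triaged mechanically. The following is an added example in Python, not DDS's code nor anything the poster ran: it scans DDS-style lines for redirect vectors and, among other things, flags Firefox's own proxy mode (`network.proxy.type` in prefs.js, which Firefox keeps separately from IE's LAN settings, so verifying Internet Options alone does not cover it). The sample lines are constructed; the `Hosts: <ip> <name>` layout is an assumption about DDS output.

```python
"""Triage of DDS-format log lines for browser-redirect vectors (added example)."""
import re
from typing import List, Tuple

# Firefox's documented network.proxy.type values (prefs.js).
FF_PROXY_TYPES = {
    "0": "no proxy",
    "1": "manual proxy configuration",
    "2": "proxy auto-config (PAC) URL",
    "4": "auto-detect (WPAD)",
    "5": "system proxy settings",
}

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

Finding = Tuple[str, str, str]  # (severity, matched line, explanation)


def triage_dds(text: str) -> List[Finding]:
    """Return (severity, line, explanation) for each redirect-relevant DDS line."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # Firefox proxy mode lives in prefs.js and is NOT governed by IE's LAN settings,
        # so a user who only checked Internet Options can still be proxied in Firefox.
        m = re.match(r"FF - prefs\.js: network\.proxy\.type - (\d+)$", line)
        if m:
            code = m.group(1)
            mode = FF_PROXY_TYPES.get(code, "unknown mode")
            sev = "HIGH" if code in ("1", "2") else "INFO"
            findings.append((sev, line, f"Firefox proxy mode {code} ({mode})"))
            continue

        # IE/WinINet proxy flag: 0 means no proxy (what the poster verified in LAN settings).
        m = re.search(r'"ProxyEnable" = (\d)$', line)
        if m:
            sev = "HIGH" if m.group(1) != "0" else "INFO"
            findings.append((sev, line, "WinINet ProxyEnable=" + m.group(1)))
            continue

        # Browser Helper Objects / toolbars whose DLL no longer exists: leftover registry keys.
        m = re.match(r"(BHO|TB): (\{[0-9A-Fa-f-]+\}) - No File$", line)
        if m:
            findings.append(("LOW", line, f"orphaned {m.group(1)} {m.group(2)}: registry entry without a file"))
            continue

        # Hosts-file entries; the "Hosts: <ip> <name>" layout is an assumption about DDS output.
        m = re.match(r"Hosts: (\S+)\s+(\S+)$", line)
        if m:
            ip, name = m.groups()
            if ip in LOOPBACK:
                findings.append(("LOW", line, f"{name} blocked via loopback (typical of ad-blocking hosts lists)"))
            else:
                findings.append(("HIGH", line, f"{name} silently mapped to {ip}: classic redirect vector"))
            continue
    return findings


def highest_severity(findings: List[Finding]) -> str:
    """Overall verdict for a set of findings ("INFO" when there are none)."""
    order = {"INFO": 0, "LOW": 1, "HIGH": 2}
    return max((f[0] for f in findings), key=order.get, default="INFO")


# Constructed sample in DDS layout, shaped like the report in this thread.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.com/
BHO: {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - No File
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
Hosts: 127.0.0.1 ads.example.test
Hosts: 198.51.100.7 www.google.com
"""

if __name__ == "__main__":
    results = triage_dds(SAMPLE_DDS)
    for sev, line, why in results:
        print(f"[{sev:4}] {why}\n        {line}")
    print("overall:", highest_severity(results))
```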




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:55 AM

Posted 14 February 2011 - 08:38 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 Bluefox76

Bluefox76
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:01:55 AM

Posted 15 February 2011 - 01:09 PM

I'm here, I'm here! I will not add or remove anything.. I'll be waiting to hear from you to fix this problem.. it's making me insane..

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:55 AM

Posted 15 February 2011 - 04:34 PM

Reinstallation fixes most problems, so let's head for the Master Boot Record to see if that's been infected.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#5 Bluefox76

Bluefox76
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:01:55 AM

Posted 16 February 2011 - 04:23 PM

Please see below for the log you requested. In your reply, you mentioned that reinstallation usually fixes the problem. If you're referring to Windows reinstallation, I've tried this on 2 occasions.. the details are in my original post.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 153):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF7607000 ohci1394.sys
0xF7617000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF789B000 compbatt.sys
0xF789F000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF798B000 intelide.sys
0xF74D9000 pcmcia.sys
0xF7627000 MountMgr.sys
0xF74BA000 ftdisk.sys
0xF78A3000 ACPIEC.sys
0xF7A50000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF770F000 PartMgr.sys
0xF7637000 VolSnap.sys
0xF74A2000 atapi.sys
0xF7647000 disk.sys
0xF7657000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7482000 fltmgr.sys
0xF742C000 SYMDS.SYS
0xF741A000 sr.sys
0xF786A000 SYMEFA.SYS
0xF7405000 drvmcdb.sys
0xF7717000 PxHelp20.sys
0xF7853000 KSecDD.sys
0xF7B52000 Ntfs.sys
0xF795A000 NDIS.sys
0xF7839000 Mup.sys
0xF7567000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB8B40000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xB8B2C000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB8AF3000 \SystemRoot\system32\DRIVERS\yk51x86.sys
0xF7797000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB8ACF000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF779F000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB8A6E000 \SystemRoot\system32\DRIVERS\ar5211.sys
0xB8838000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xB8814000 \SystemRoot\system32\drivers\portcls.sys
0xF7557000 \SystemRoot\system32\drivers\drmk.sys
0xB87F1000 \SystemRoot\system32\drivers\ks.sys
0xF77BF000 \SystemRoot\system32\DRIVERS\Tvs.sys
0xF7547000 \SystemRoot\system32\DRIVERS\wowxt_kern_i386.sys
0xF77C7000 \SystemRoot\system32\DRIVERS\tsxt_kern_i386.sys
0xB86EC000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF77DF000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA7E8000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7537000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF77EF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB86D3000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0xF77F7000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7527000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7807000 \SystemRoot\system32\drivers\pfc.sys
0xF7817000 \SystemRoot\system32\drivers\iviaspi.sys
0xF79B3000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xF7517000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7507000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF773F000 \SystemRoot\System32\Drivers\Cdralw2k.SYS
0xF774F000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xB9EA3000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF74F7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA7D4000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB866C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA7A0000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA790000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF776F000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB85BB000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA780000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF777F000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF778F000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA770000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79B9000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB855D000 \SystemRoot\system32\DRIVERS\update.sys
0xBA7C0000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA760000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA730000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79BD000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA8464000 \SystemRoot\System32\Drivers\Cdr4_xp.SYS
0xF79C1000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7A80000 \SystemRoot\System32\Drivers\Null.SYS
0xF79C5000 \SystemRoot\System32\Drivers\Beep.SYS
0xF781F000 \SystemRoot\system32\drivers\ssrtln.sys
0xF7737000 \SystemRoot\System32\drivers\vga.sys
0xF79C9000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79CD000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA8403000 \SystemRoot\System32\Drivers\meiudf.sys
0xA83F2000 \SystemRoot\System32\Drivers\Udfs.SYS
0xB86C3000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB86B3000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7933000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA83DF000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA8386000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA832F000 \SystemRoot\System32\Drivers\N360\0403000.005\SYMTDI.SYS
0xA8309000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA710000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA82E4000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xA828C000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110215.001\IDSxpx86.sys
0xA8264000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA8242000 \SystemRoot\System32\drivers\afd.sys
0xF7677000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF7947000 \SystemRoot\System32\Drivers\TPwSav.sys
0xA8223000 \SystemRoot\system32\drivers\N360\0403000.005\Ironx86.SYS
0xF79D3000 \SystemRoot\System32\Drivers\SSIoMngr.sys
0xF79D7000 \SystemRoot\System32\Drivers\EKIoMngr.sys
0xF7687000 \SystemRoot\system32\drivers\N360\0403000.005\SRTSPX.SYS
0xA8158000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA80E8000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7697000 \SystemRoot\System32\Drivers\Fips.SYS
0xA808A000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA806D000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xA7FEE000 \SystemRoot\system32\drivers\N360\0403000.005\ccHPx86.sys
0xA7F42000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110114.001\BHDrvx86.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xB8539000 \SystemRoot\System32\drivers\Dxapi.sys
0xF775F000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7A7F000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF03F000 \SystemRoot\System32\ialmdev5.DLL
0xBF068000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA8213000 \SystemRoot\system32\drivers\drvnddm.sys
0xF79FF000 \??\C:\WINDOWS\system32\drivers\TBiosDrv.sys
0xBA0BB000 \SystemRoot\system32\dla\tfsndres.sys
0xA7D74000 \SystemRoot\system32\dla\tfsnifs.sys
0xA7E9A000 \SystemRoot\system32\dla\tfsnopio.sys
0xF7A03000 \SystemRoot\system32\dla\tfsnpool.sys
0xA7EEA000 \SystemRoot\system32\dla\tfsnboio.sys
0xA81F3000 \SystemRoot\system32\dla\tfsncofs.sys
0xBA0B8000 \SystemRoot\system32\dla\tfsndrct.sys
0xA7D47000 \SystemRoot\system32\dla\tfsnudf.sys
0xA7D2E000 \SystemRoot\system32\dla\tfsnudfa.sys
0xA7D9A000 \SystemRoot\system32\DRIVERS\mdc8021x.sys
0xA7D8E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA7D1A000 \SystemRoot\system32\DRIVERS\netdevio.sys
0xA7AA9000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA79CC000 \SystemRoot\system32\drivers\wdmaud.sys
0xA7BB6000 \SystemRoot\system32\drivers\sysaudio.sys
0xA7B0E000 \??\C:\WINDOWS\system32\drivers\CDAC15BA.SYS
0xA7770000 \SystemRoot\system32\DRIVERS\srv.sys
0xA722F000 \SystemRoot\System32\Drivers\HTTP.sys
0xA71D8000 \SystemRoot\System32\Drivers\N360\0403000.005\SRTSP.SYS
0xA7065000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20110216.004\NAVEX15.SYS
0xA7051000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20110216.004\NAVENG.SYS
0xA6F41000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 29):
0 System Idle Process
4 System
632 C:\WINDOWS\system32\smss.exe
696 csrss.exe
720 C:\WINDOWS\system32\winlogon.exe
764 C:\WINDOWS\system32\services.exe
776 C:\WINDOWS\system32\lsass.exe
948 C:\WINDOWS\system32\svchost.exe
996 svchost.exe
1056 C:\WINDOWS\system32\svchost.exe
1228 C:\WINDOWS\system32\acs.exe
1256 svchost.exe
1300 svchost.exe
1532 C:\WINDOWS\explorer.exe
1692 C:\WINDOWS\system32\spoolsv.exe
1768 svchost.exe
1872 C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
1988 C:\WINDOWS\system32\DVDRAMSV.exe
2032 C:\Program Files\Java\jre6\bin\jqs.exe
200 C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe
392 C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
416 wdfmgr.exe
540 C:\WINDOWS\system32\ctfmon.exe
300 C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe
2292 alg.exe
2620 C:\WINDOWS\system32\svchost.exe
1468 C:\Program Files\Mozilla Firefox\firefox.exe
492 C:\Program Files\Mozilla Firefox\plugin-container.exe
2884 C:\Documents and Settings\Leather\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HTS541080G9AT00, Rev: MB4OA60A

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
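The MBR check above comes down to a few operations on the first 512-byte sector: confirm the 0x55AA boot signature, walk the four partition entries (which is where the reported volume offset 0x7e00 comes from: sector 63 times 512 bytes), and fingerprint the 440-byte boot code so it can be compared with a known-good copy, as MBRCheck does when it reports "Windows XP MBR code detected" with a SHA1. The following is an added example in Python, not MBRCheck's code; the MBR bytes, the disk signature and the one-entry allowlist are all constructed.

```python
"""Core of an MBR integrity check (added example, not MBRCheck's code)."""
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: bootstrap code (what an MBR rootkit replaces)
DISK_SIG_OFF = 440       # bytes 440..443: NT disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # bytes 510..511: 0x55 0xAA


def has_valid_signature(mbr: bytes) -> bool:
    """True only for a full 512-byte sector ending in the 0x55AA boot signature."""
    return len(mbr) == SECTOR and mbr[BOOT_SIG_OFF:] == b"\x55\xAA"


def parse_mbr(mbr: bytes) -> Dict:
    """Return boot-code hash, disk signature and the non-empty partition entries."""
    if not has_valid_signature(mbr):
        raise ValueError("not a 512-byte sector ending in 0x55AA")
    parts: List[Dict] = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:           # empty slot
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR,   # the volume offset MBRCheck prints
        })
    return {
        "boot_code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack("<I", mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": parts,
    }


def describe(mbr: bytes, known_good: Dict[str, str]) -> str:
    """Verdict line: allowlisted boot code gets its label, anything else is flagged."""
    info = parse_mbr(mbr)
    digest = info["boot_code_sha1"]
    label = known_good.get(digest, "unknown MBR code, compare against a trusted copy")
    return f"{label} (SHA1 {digest})"


def build_sample_mbr() -> bytes:
    """Constructed MBR: stub boot code, one bootable NTFS partition starting at sector 63."""
    boot_code = b"\xEB\xFE" + b"\x90" * (BOOT_CODE_LEN - 2)      # jmp $ plus NOP padding, not real boot code
    disk_sig = struct.pack("<I", 0x12345678)                     # constructed disk signature
    reserved = b"\x00\x00"
    ntfs = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 156296322)  # bootable, type 0x07, LBA 63
    empty = b"\x00" * 48                                         # three unused entries
    return boot_code + disk_sig + reserved + ntfs + empty + b"\x55\xAA"


if __name__ == "__main__":
    sample = build_sample_mbr()
    info = parse_mbr(sample)
    allow = {info["boot_code_sha1"]: "Windows XP MBR code detected"}   # pretend allowlist for the demo
    for p in info["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02X} at byte offset 0x{p['byte_offset']:08X}")
    print(describe(sample, allow))
    patched = bytearray(sample)
    patched[0] ^= 0xFF          # simulate a single modified boot-code byte
    print(describe(bytes(patched), allow))
```

A real check reads the sector from `\\.\PhysicalDrive0` with administrative rights and compares the digest against hashes of the stock Windows boot code; the allowlist here is keyed on the constructed sample only so the demo runs offline.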

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:55 AM

Posted 16 February 2011 - 07:43 PM

Nope, that's fine. Please run OTL and let's have a look at this in more detail.

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

m0le is a proud member of UNITE

#7 Bluefox76

Bluefox76
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:01:55 AM

Posted 16 February 2011 - 09:35 PM

This is the OTL txt:

OTL logfile created on: 2/16/2011 9:27:58 PM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\Leather\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 56.05 Gb Free Space | 75.21% Space Free | Partition Type: NTFS

Computer Name: LAPTOP | User Name: Leather | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Leather\My Documents\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe (Symantec Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
PRC - C:\WINDOWS\system32\acs.exe ()
PRC - C:\WINDOWS\system32\DVDRAMSV.exe (Matsushita Electric Industrial Co., Ltd.)
PRC - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe ()


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Leather\My Documents\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\asoehook.dll (Symantec Corporation)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
MOD - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\microsoft.vc90.crt\msvcr90.dll (Microsoft Corporation)
MOD - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\microsoft.vc90.crt\msvcp90.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (N360) -- C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe (Symantec Corporation)
SRV - (CFSvcs) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
SRV - (ACS) -- C:\WINDOWS\system32\acs.exe ()
SRV - (DVD-RAM_Service) -- C:\WINDOWS\system32\DVDRAMSV.exe (Matsushita Electric Industrial Co., Ltd.)
SRV - (Swupdtmr) -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe ()


========== Driver Services (SafeList) ==========

DRV - (hitmanpro35) -- C:\WINDOWS\system32\drivers\hitmanpro35.sys ()
DRV - (NAVEX15) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20110216.004\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20110216.004\NAVENG.SYS (Symantec Corporation)
DRV - (PalmUSBD) -- C:\WINDOWS\system32\drivers\PalmUSBD.sys (PalmSource, Inc.)
DRV - (BHDrvx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110114.001\BHDrvx86.sys (Symantec Corporation)
DRV - (IDSxpx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110215.001\IDSXpx86.sys (Symantec Corporation)
DRV - (CdaC15BA) -- C:\WINDOWS\system32\drivers\CDAC15BA.SYS ()
DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (MDC8021X) AEGIS Protocol (IEEE 802.1x) -- C:\WINDOWS\system32\drivers\mdc8021x.sys (Meetinghouse Data Communications)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (SYMTDI) -- C:\WINDOWS\System32\Drivers\N360\0403000.005\SYMTDI.SYS (Symantec Corporation)
DRV - (SymIRON) -- C:\WINDOWS\system32\drivers\N360\0403000.005\Ironx86.SYS (Symantec Corporation)
DRV - (SymEFA) -- C:\WINDOWS\system32\drivers\N360\0403000.005\SYMEFA.SYS (Symantec Corporation)
DRV - (SRTSP) -- C:\WINDOWS\System32\Drivers\N360\0403000.005\SRTSP.SYS (Symantec Corporation)
DRV - (SRTSPX) Symantec Real Time Storage Protection (PEL) -- C:\WINDOWS\system32\drivers\N360\0403000.005\SRTSPX.SYS (Symantec Corporation)
DRV - (ccHP) -- C:\WINDOWS\system32\drivers\N360\0403000.005\ccHPx86.sys (Symantec Corporation)
DRV - (SymDS) -- C:\WINDOWS\system32\drivers\N360\0403000.005\SYMDS.SYS (Symantec Corporation)
DRV - (SrvcSSIOMngr) -- C:\WINDOWS\system32\drivers\SSIOMngr.sys (COMPAL ELECTRONIC INC.)
DRV - (SrvcEKIOMngr) -- C:\WINDOWS\system32\drivers\EKIOMngr.sys (COMPAL ELECTRONIC INC.)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (Tvs) -- C:\WINDOWS\system32\drivers\Tvs.sys (TOSHIBA Corporation)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (tifm21) -- C:\WINDOWS\system32\drivers\tifm21.sys (Texas Instruments)
DRV - (yukonwxp) -- C:\WINDOWS\system32\drivers\yk51x86.sys (Marvell)
DRV - (TPwSav) -- C:\WINDOWS\system32\drivers\TPwSav.sys (TOSHIBA )
DRV - (meiudf) -- C:\WINDOWS\system32\drivers\meiudf.sys (Matsushita Electric Industrial Co.,Ltd.)
DRV - (tfsnudfa) -- C:\WINDOWS\system32\dla\tfsnudfa.sys (Sonic Solutions)
DRV - (tfsnudf) -- C:\WINDOWS\system32\dla\tfsnudf.sys (Sonic Solutions)
DRV - (tfsnifs) -- C:\WINDOWS\system32\dla\tfsnifs.sys (Sonic Solutions)
DRV - (tfsncofs) -- C:\WINDOWS\system32\dla\tfsncofs.sys (Sonic Solutions)
DRV - (tfsnboio) -- C:\WINDOWS\system32\dla\tfsnboio.sys (Sonic Solutions)
DRV - (tfsnopio) -- C:\WINDOWS\system32\dla\tfsnopio.sys (Sonic Solutions)
DRV - (tfsnpool) -- C:\WINDOWS\system32\dla\tfsnpool.sys (Sonic Solutions)
DRV - (tfsndrct) -- C:\WINDOWS\system32\dla\tfsndrct.sys (Sonic Solutions)
DRV - (tfsndres) -- C:\WINDOWS\system32\dla\tfsndres.sys (Sonic Solutions)
DRV - (drvnddm) -- C:\WINDOWS\system32\drivers\drvnddm.sys (Sonic Solutions)
DRV - (AR5211) -- C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.)
DRV - (sscdbhk5) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys (Sonic Solutions)
DRV - (ssrtln) -- C:\WINDOWS\system32\drivers\ssrtln.sys (Sonic Solutions)
DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (drvmcdb) -- C:\WINDOWS\system32\drivers\drvmcdb.sys (Sonic Solutions)
DRV - (Cdr4_xp) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys (Roxio)
DRV - (Cdralw2k) -- C:\WINDOWS\System32\drivers\cdralw2k.sys (Roxio)
DRV - (Pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (Iviaspi) -- C:\WINDOWS\system32\drivers\iviaspi.sys (InterVideo, Inc.)
DRV - (TBiosDrv) -- C:\WINDOWS\system32\drivers\tbiosdrv.sys ()
DRV - (Netdevio) -- C:\WINDOWS\system32\drivers\Netdevio.sys (TOSHIBA Corporation.)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.2.1
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.6
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.13
FF - prefs.js..network.proxy.type: 1

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2010/10/10 07:55:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\ [2010/10/10 10:37:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\ [2010/10/09 14:14:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2010/12/13 20:10:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/31 10:44:38 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/27 22:01:34 | 000,000,000 | ---D | M]

[2010/11/05 23:07:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Leather\Application Data\Mozilla\Extensions
[2010/11/05 23:07:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Leather\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2011/01/31 19:31:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Leather\Application Data\Mozilla\Firefox\Profiles\tqtaj1ig.default\extensions
[2010/12/28 14:11:59 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Leather\Application Data\Mozilla\Firefox\Profiles\tqtaj1ig.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/31 19:31:08 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/12/13 20:33:44 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2010/12/13 20:11:21 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/12/27 22:00:44 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2010/10/09 14:14:33 | 000,000,000 | ---D | M] (Norton Toolbar) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\COFFPLGN
[2010/10/10 10:37:57 | 000,000,000 | ---D | M] (Norton IPS) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPLGN
[2010/12/13 20:10:51 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/12/13 20:33:41 | 000,025,048 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2010/12/13 20:33:42 | 000,140,248 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2010/11/12 18:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/12/13 20:33:47 | 000,066,520 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2010/11/06 11:37:34 | 000,103,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2010/10/12 14:18:37 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2010/10/12 14:18:37 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2010/10/12 14:18:37 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2010/10/12 14:18:37 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2010/10/12 14:18:37 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2010/11/05 23:07:26 | 000,002,469 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\safesearch.xml
[2010/10/12 14:18:37 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2010/10/12 14:18:37 | 000,001,096 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2004/08/04 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - No CLSID value found.
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coieplg.dll (Symantec Corporation)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [UnHackMe Monitor] File not found
O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
O4 - HKLM..\RunOnceEx: [Title] File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.65.44 213.109.75.130
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Leather\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Leather\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B9E618A2-A4FE-11D4-83C2-005004636C96} - C:\Program Files\Metamail Inc\Metamail Reader\OESHook.dll (Metamail Corp.)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2011/01/02 21:15:29 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/02/16 14:44:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DVD Shrink
[2011/02/16 14:44:51 | 000,000,000 | ---D | C] -- C:\Program Files\DVD Shrink
[2011/02/16 14:44:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\DVD Shrink
[2011/02/07 19:25:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Leather\Application Data\Media Player Classic
[2011/02/07 19:13:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Leather\Start Menu\Programs\XP Codec Pack 2.5.1
[2011/02/07 19:13:39 | 000,000,000 | ---D | C] -- C:\Program Files\XP Codec Pack
[2011/02/07 18:52:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Leather\Local Settings\Application Data\WMTools Downloaded Files
[2011/01/31 17:31:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Native Instruments
[2011/01/31 17:30:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Native Instruments
[2011/01/31 15:04:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Leather\My Documents\Virus Fixes
[2011/01/31 14:50:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Leather\Application Data\dvdcss
[2011/01/30 22:09:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Leather\Start Menu\Programs\Internet Explorer
[2011/01/30 22:08:34 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Leather\Recent
[2011/01/30 21:03:32 | 000,000,000 | ---D | C] -- C:\682c2af0d0ebcf4316
[2011/01/30 18:31:51 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2011/01/25 18:16:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Leather\My Documents\Blue Fox
[2011/01/24 18:04:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Leather\My Documents\Main Man
[2011/01/20 00:19:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Palm
[2011/01/18 17:29:16 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2011/01/18 17:28:52 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2011/01/17 22:58:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Leather\Local Settings\Application Data\Identities
[2004/11/24 14:25:52 | 000,335,872 | ---- | C] ( ) -- C:\WINDOWS\System32\drvc.dll
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/02/16 14:44:53 | 000,000,678 | ---- | M] () -- C:\Documents and Settings\Leather\Desktop\DVD Shrink 3.2.lnk
[2011/02/16 14:39:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/02/16 14:39:11 | 1600,638,976 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/10 20:46:02 | 000,382,040 | ---- | M] () -- C:\Documents and Settings\Leather\Desktop\INTRO1.mp3
[2011/02/10 20:15:08 | 000,015,360 | ---- | M] () -- C:\Documents and Settings\Leather\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/10 20:05:33 | 000,221,962 | ---- | M] () -- C:\Documents and Settings\Leather\Desktop\clip2.mp3
[2011/02/08 23:38:11 | 000,175,150 | ---- | M] () -- C:\Documents and Settings\Leather\Desktop\clip20.mp3
[2011/02/08 22:59:09 | 000,117,472 | ---- | M] () -- C:\Documents and Settings\Leather\Desktop\clip1.mp3
[2011/02/08 22:13:02 | 000,342,334 | ---- | M] () -- C:\Documents and Settings\Leather\Desktop\CLAP2.mp3
[2011/02/08 20:47:46 | 000,480,679 | ---- | M] () -- C:\Documents and Settings\Leather\Desktop\CLAP.mp3
[2011/02/08 19:11:05 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Leather\defogger_reenable
[2011/02/07 15:12:16 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/02/01 16:29:31 | 000,022,044 | ---- | M] () -- C:\Documents and Settings\Leather\My Documents\bookmarks.html
[2011/01/30 21:45:46 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/01/28 01:30:16 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Leather\Desktop\Notebook Maximizer.LNK
[2011/01/24 18:09:47 | 000,001,865 | ---- | M] () -- C:\Documents and Settings\Leather\Desktop\RecordNow!.lnk
[2011/01/19 12:42:12 | 000,172,280 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/01/18 17:30:27 | 000,000,535 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/02/16 14:44:53 | 000,000,678 | ---- | C] () -- C:\Documents and Settings\Leather\Desktop\DVD Shrink 3.2.lnk
[2011/02/10 20:45:57 | 000,382,040 | ---- | C] () -- C:\Documents and Settings\Leather\Desktop\INTRO1.mp3
[2011/02/08 23:35:50 | 000,175,150 | ---- | C] () -- C:\Documents and Settings\Leather\Desktop\clip20.mp3
[2011/02/08 23:19:42 | 000,221,962 | ---- | C] () -- C:\Documents and Settings\Leather\Desktop\clip2.mp3
[2011/02/08 22:59:07 | 000,117,472 | ---- | C] () -- C:\Documents and Settings\Leather\Desktop\clip1.mp3
[2011/02/08 22:12:57 | 000,342,334 | ---- | C] () -- C:\Documents and Settings\Leather\Desktop\CLAP2.mp3
[2011/02/08 20:47:42 | 000,480,679 | ---- | C] () -- C:\Documents and Settings\Leather\Desktop\CLAP.mp3
[2011/02/08 19:11:05 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Leather\defogger_reenable
[2011/02/07 19:13:53 | 000,421,888 | ---- | C] () -- C:\WINDOWS\System32\ac3filter.acm
[2011/02/01 16:29:31 | 000,022,044 | ---- | C] () -- C:\Documents and Settings\Leather\My Documents\bookmarks.html
[2011/01/31 20:33:29 | 000,000,644 | ---- | C] () -- C:\Documents and Settings\Leather\My Documents\Audacity.lnk
[2011/01/30 22:06:51 | 1600,638,976 | -HS- | C] () -- C:\hiberfil.sys
[2011/01/30 21:45:46 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/01/27 20:24:49 | 000,218,624 | ---- | C] () -- C:\Documents and Settings\Leather\My Documents\LV cards.doc
[2011/01/27 20:22:48 | 000,385,536 | ---- | C] () -- C:\Documents and Settings\Leather\My Documents\Doc2.doc
[2011/01/27 20:22:48 | 000,332,288 | ---- | C] () -- C:\Documents and Settings\Leather\My Documents\Doc.doc
[2011/01/27 20:22:48 | 000,084,480 | ---- | C] () -- C:\Documents and Settings\Leather\My Documents\Doc1.doc
[2011/01/27 20:22:35 | 000,147,456 | ---- | C] () -- C:\Documents and Settings\Leather\My Documents\BLACKHEART_RECORDS_BIBLE.doc
[2011/01/25 23:23:38 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Leather\Desktop\Notebook Maximizer.LNK
[2011/01/24 18:09:47 | 000,001,865 | ---- | C] () -- C:\Documents and Settings\Leather\Desktop\RecordNow!.lnk
[2011/01/24 17:54:53 | 000,109,276 | ---- | C] () -- C:\Documents and Settings\Leather\My Documents\10Pound_Slimdown_Workout_Plan.pdf
[2010/12/29 00:56:40 | 000,000,088 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\9A4B226692.sys
[2010/12/29 00:56:38 | 000,002,828 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010/12/28 23:36:52 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2010/12/12 17:11:28 | 000,001,152 | ---- | C] () -- C:\WINDOWS\System32\windrv.sys
[2010/12/05 01:14:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2010/10/27 22:46:52 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\Leather\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/09 21:34:06 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/10/09 18:04:25 | 000,008,864 | ---- | C] () -- C:\WINDOWS\System32\drivers\CDAC15BA.SYS
[2010/10/09 02:53:48 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2010/10/09 02:53:29 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/12/19 10:15:58 | 004,338,246 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2008/12/17 12:41:18 | 000,884,237 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2008/12/17 12:22:58 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2008/12/17 12:22:48 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/12/17 12:17:34 | 000,239,247 | ---- | C] () -- C:\WINDOWS\System32\ff_theora.dll
[2008/12/17 11:59:54 | 000,560,802 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2005/05/23 19:32:31 | 000,000,012 | ---- | C] () -- C:\WINDOWS\dirsaver.ini
[2005/05/23 17:14:59 | 000,034,048 | ---- | C] () -- C:\WINDOWS\System32\drivers\WOWXT_kern_i386.sys
[2005/05/23 17:14:59 | 000,029,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSXT_kern_i386.sys
[2005/05/23 16:55:08 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/05/23 16:55:08 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/05/23 16:55:08 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/05/23 16:55:08 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/05/23 16:55:07 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/05/23 16:55:07 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/05/23 15:52:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2005/05/23 15:52:12 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\EBLib.DLL
[2005/05/23 15:45:19 | 000,006,867 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2005/05/23 15:43:04 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2005/05/23 15:43:04 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2005/05/23 15:43:04 | 000,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2005/05/23 15:43:04 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2005/05/23 15:33:26 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2005/05/23 12:01:05 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/05/23 11:51:15 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/05/23 11:32:45 | 000,000,347 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/05/23 04:46:55 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/04/25 15:44:04 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\TPeculiarity.dll
[2005/04/20 22:38:14 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\HWS_Ctrl.dll
[2005/04/20 22:00:00 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\EKECioCtl.dll
[2005/03/30 16:50:38 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\SPCtl.dll
[2005/02/28 17:28:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/10/03 12:50:54 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\ff_mpeg2enc.dll
[2004/01/13 21:46:34 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2003/01/07 17:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2011/01/18 17:29:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Borland
[2010/10/09 21:12:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/12/05 00:37:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HotSync
[2010/12/12 21:32:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
[2010/10/09 03:26:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2011/01/31 17:31:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Native Instruments
[2010/10/17 11:07:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/12/05 00:35:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Leather\Application Data\HotSync
[2005/05/23 16:24:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Leather\Application Data\InterTrust
[2010/11/02 21:57:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Leather\Application Data\InterVideo
[2010/10/09 21:09:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Leather\Application Data\Spyware Terminator
[2005/05/23 16:01:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Leather\Application Data\toshiba

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8

< End of report >



This is the Extras.txt:

OTL Extras logfile created on: 2/16/2011 9:27:58 PM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\Leather\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 56.05 Gb Free Space | 75.21% Space Free | Partition Type: NTFS

Computer Name: LAPTOP | User Name: Leather | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"ANTIVIRUSDISABLENOTIFY" = 0
"FIREWALLDISABLENOTIFY" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\TOSHIBA\ivp\NetInt\Netint.exe" = C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine -- (TOSHIBA Corporation)
"C:\TOSHIBA\Ivp\ISM\pinger.exe" = C:\TOSHIBA\IVP\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger -- (TOSHIBA Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{05832D65-6EDB-4D32-BA78-BCD0E2B91C02}" = Atheros Wireless LAN MiniPCI card Driver
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 23
"{2FCE4FC5-6930-40E7-A4F1-F862207424EF}" = InterVideo WinDVD Creator 2
"{3248F0A8-6813-11D6-A77B-00B0D0150010}" = J2SE Runtime Environment 5.0 Update 1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3A57482F-BEBC-47E4-ADA1-6302403C7E50}" = TOSHIBA Accessibility
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}" = TOSHIBA SD Memory Card Format
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password
"{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
"{71D658CF-4E0D-4DA8-AA67-8C0B6F1C01FE}" = Atheros Client Utility
"{7900D3A6-A9E8-4954-ACCB-AB15867978BF}" = TOSHIBA Hotkey Utility
"{80977342-27E8-4FF7-8B6A-D8D89461DA7F}" = TouchPad On/Off Utility
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver for Mobile
"{8B12BA86-ADAC-4BA6-B441-FFC591087252}" = TOSHIBA Virtual Sound
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD for TOSHIBA
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{9860A9CF-7E71-43AC-888F-0B4D3EA212D1}" = Roxio Burn Engine
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}" = DVD-RAM Driver
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A38D57D1-5F29-4691-B3DD-FE4B3A7B3AFE}" = TOSHIBA Power Saver
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
"{BA561482-C49D-4687-A61C-96236C1688F0}" = ArcSoft Software Suite
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{BE3F89C0-42D5-11D5-A40A-00105AC8331A}" = Toshiba Registration and Metamail Trust Architecture
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C45F4811-31D5-4786-801D-F79CD06EDD85}" = SD Secure Module
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{F47B2DF8-35EC-4B51-B5F2-0E03EF5F51DA}" = TIxx21/x515
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FD6034A3-655C-49F0-B496-D4CBFD74D7A7}" = Palm Desktop by ACCESS
"{FF8157AA-F640-45BD-B7C2-BAA1016B267A}" = palmOne
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"America Online us" = America Online (Choose which version to remove)
"AT&T Connection Services Software" = AT&T Connection Services Manager
"Audacity_is1" = Audacity 1.2.6
"CCleaner" = CCleaner
"DVD Shrink_is1" = DVD Shrink 3.2
"Fn-esse" = TOSHIBA Fn-esse
"ie8" = Windows Internet Explorer 8
"InstallShield_{3A57482F-BEBC-47E4-ADA1-6302403C7E50}" = TOSHIBA Accessibility
"InstallShield_{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password
"InstallShield_{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
"InstallShield_{7900D3A6-A9E8-4954-ACCB-AB15867978BF}" = TOSHIBA Hotkey Utility
"InstallShield_{80977342-27E8-4FF7-8B6A-D8D89461DA7F}" = TouchPad On/Off Utility
"InstallShield_{A38D57D1-5F29-4691-B3DD-FE4B3A7B3AFE}" = TOSHIBA Power Saver
"InstallShield_{F47B2DF8-35EC-4B51-B5F2-0E03EF5F51DA}" = Texas Instruments PCIxx21/x515 drivers.
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"N360" = Norton Security Suite
"Notebook_Maximizer" = Notebook Maximizer
"PC Diagnostic Tool" = TOSHIBA PC Diagnostic Tool
"PC Image Editor" = PC Image Editor
"Port Magic" = Pure Networks Port Magic
"QuickTime" = QuickTime
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"Toshiba Tbiosdrv Driver" = Toshiba Tbiosdrv Driver
"VLC media player" = VLC media player 1.1.5
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"XP Codec Pack" = XP Codec Pack

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/9/2010 5:46:23 PM | Computer Name = LAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 10/9/2010 5:46:38 PM | Computer Name = LAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 10/9/2010 5:48:11 PM | Computer Name = LAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 10/9/2010 5:48:11 PM | Computer Name = LAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 10/30/2010 6:33:51 PM | Computer Name = LAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 11/17/2010 7:21:38 PM | Computer Name = LAPTOP | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.3951, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

Error - 1/23/2011 7:36:25 PM | Computer Name = LAPTOP | Source = Application Error | ID = 1000
Description = Faulting application quickinstall.exe, version 1.1.1.0, faulting module
quickinstall.exe, version 1.1.1.0, fault address 0x00022c78.

Error - 2/12/2011 12:58:24 AM | Computer Name = LAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 2/12/2011 12:58:24 AM | Computer Name = LAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 2/12/2011 12:59:05 AM | Computer Name = LAPTOP | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: An internal certificate chaining error has occurred.

[ System Events ]
Error - 2/14/2011 10:49:26 AM | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the WZCSVC service.

Error - 2/15/2011 4:28:07 PM | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the N360 service.

Error - 2/16/2011 1:43:09 AM | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Netman service.

Error - 2/16/2011 1:43:11 AM | Computer Name = LAPTOP | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 2/16/2011 1:43:11 AM | Computer Name = LAPTOP | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 2/16/2011 1:43:11 AM | Computer Name = LAPTOP | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 2/16/2011 1:43:11 AM | Computer Name = LAPTOP | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 2/16/2011 1:43:11 AM | Computer Name = LAPTOP | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 2/16/2011 1:43:11 AM | Computer Name = LAPTOP | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 2/16/2011 7:24:57 PM | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the N360 service.


< End of report >

#8 m0le (Malware Response Team)

Posted 17 February 2011 - 05:52 PM

Open OTL, we'll just do a clean-up. Nothing found yet.

Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"


Then click the Run Fix button at the top

Let the program run unhindered.

When done it will say "Fix Complete press ok to open the log"
Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Now let's go searching for the problem

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
m0le is a proud member of UNITE
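The registry side of the fix above (resetting the `exefile` open handler to `"%1" %*`) and the event-log section of the Extras.txt posted earlier can both be checked mechanically rather than by eye. The script below is an added example, not OTL's code and not the helper's: it parses the OTL `Shell Spawning` section, compares each handler with its Windows XP default, emits the same `:reg` lines OTL expects for any handler that has been changed, and counts event-log errors that report a name-resolution failure (the crypt32 131080 and W32Time 39452689 entries in the log), which are worth a look when browser redirects are the complaint. The hijacked `exefile` value and the path `C:\WINDOWS\demo_hijack.exe` in the sample are invented for the demonstration; the other sample lines are copied from the logs in this thread.

```python
"""Triage an OTL Extras.txt the way the helper above did by hand: compare each shell-spawning
handler with its Windows XP default, emit the ':reg' lines OTL needs to restore a changed one,
and tally event-log errors that report a name-resolution failure.  Added example, not OTL code."""
import re
from collections import Counter

# Windows XP defaults for the handlers malware most often hijacks.  A hijacked exefile value
# runs the attacker's binary first and hands the real program over as "%1".
XP_DEFAULTS = {
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("exefile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
    ("regfile", "merge"): 'regedit.exe "%1"',
}
SECTION_RE = re.compile(r"^========== (.+?) ==========$")
HANDLER_RE = re.compile(r"^(\w+) \[(\w+)\] -- (.*?)(?: \([^()]*\))?$")   # drops OTL's " (Company)"
EVENT_RE = re.compile(r"^Error - .+? \| Computer Name = .+? \| Source = (.+?) \| ID = (\d+)$")
RESOLVE_RE = re.compile(r"could not be resolved|DNS lookup", re.I)


def split_sections(text):
    """Map each '========== Name ==========' heading to the lines beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line.rstrip())
    return sections


def check_shell_spawning(lines):
    """Return (key, verb, value, verdict) for every handler that has a known default."""
    findings = []
    for line in lines:
        m = HANDLER_RE.match(line.strip())
        if not m or (m.group(1), m.group(2)) not in XP_DEFAULTS:
            continue
        key, verb, value = m.groups()
        if value.startswith("Reg Error"):
            verdict = "unreadable"      # OTL could not read the key: confirm it in regedit
        elif value == XP_DEFAULTS[(key, verb)]:
            verdict = "default"
        else:
            verdict = "changed"
        findings.append((key, verb, value, verdict))
    return findings


def otl_reg_fix(findings):
    """Build the ':reg' block OTL runs, one key per changed handler ('' when none changed)."""
    out = [":reg"]
    for key, verb, _value, verdict in findings:
        if verdict == "changed":
            out.append(f"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\{key}\\shell\\{verb}\\command]")
            out.append(f'""="{XP_DEFAULTS[(key, verb)]}"')   # same shape as the fix above
    return "\n".join(out) if len(out) > 1 else ""


def resolution_failures(lines):
    """Count (source, id) of event-log errors whose text reports a DNS/name-resolution failure."""
    hits, current = Counter(), None
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            current = (m.group(1), m.group(2))
        elif current and RESOLVE_RE.search(line):
            hits[current] += 1
            current = None              # count each event once
    return hits


# Constructed sample: lines copied from the logs in this thread, plus one invented exefile
# entry (C:\WINDOWS\demo_hijack.exe is a placeholder for the demo, not something from the page).
SAMPLE_LOG = r"""
========== Shell Spawning ==========

batfile [open] -- "%1" %*
exefile [open] -- "C:\WINDOWS\demo_hijack.exe" "%1" %* ()
regfile [merge] -- Reg Error: Key error.
scrfile [open] -- "%1" /S

========== Last 10 Event Log Errors ==========

Error - 10/9/2010 5:46:23 PM | Computer Name = LAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
with error: The server name or address could not be resolved

Error - 2/16/2011 1:43:11 AM | Computer Name = LAPTOP | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
"""

if __name__ == "__main__":
    secs = split_sections(SAMPLE_LOG)
    found = check_shell_spawning(secs["Shell Spawning"])
    print(*found, otl_reg_fix(found), dict(resolution_failures(secs["Last 10 Event Log Errors"])), sep="\n")
```

To use it on a real log, read the whole Extras.txt into a string and pass it to `split_sections`; an "unreadable" verdict only means OTL printed "Reg Error" for that key, so open it in regedit before deciding anything.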

#9 Bluefox76 (Topic Starter)

Posted 18 February 2011 - 03:43 PM

I will run OTL as soon as I get home. No program that I have used has, but I thought I would let you know some of the pop-ups that keep, well, popping up. Maybe if you see what they are, it will be helpful in figuring out what this virus is and where it's hiding.

This is the one that comes up ALL the time:
http://premium_.s3.amazonaws.com/index.html?AWSAccessKeyId=AKIAIKDZBVZT6ABSN6MA&Expires=1298061940&Signature=G0rDcLbUFSyL1SuPutvt4tTy%2BOM%3D

This is the other one that comes up a lot lately:
http://www.gossipcenter.com/kim-kardashian/kim-kardashian-fragrance-launch-foxy-402036?adv=miva&utm_source=MIVA&utm_medium=CPC&utm_campaign=%20Kim%20Kardashian%20Fragrance%20Launch%20Foxy%20%28GC%29%20.005

#10 Bluefox76 (Topic Starter)

Posted 18 February 2011 - 05:45 PM

OK. I just ran OTL. However, your last post said to let the program run unhindered, and as soon as I pressed RUN FIX it said "run fix complete, press OK for log". So I'm not sure if it worked properly; I was under the impression from your post that it would take a minute or so to work.

I already have Malwarebytes installed. I've run a full scan before and it never found anything, but I will run it again. Should I uninstall the one I have and reinstall it again?

Also, you didn't mention whether or not I should be in safe mode while running any of these scans. Please let me know so I can get you the most accurate results possible. I will wait for your response before I run Malwarebytes.

Thanks.

Here is the log:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{BA52B914-B692-46c4-B683-905236F6F655} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA52B914-B692-46c4-B683-905236F6F655}\ not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8 deleted successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\""|""%1" %*" /E : value set successfully!

OTL by OldTimer - Version 3.2.20.6 log created on 02182011_172455

#11 m0le (Malware Response Team)

Posted 18 February 2011 - 08:16 PM

You should always run these in normal mode, so please run the full scan with MBAM in normal mode.


Can you then run TDSSKiller?


  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

m0le is a proud member of UNITE
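The `-l report.txt` switch in the instructions above makes TDSSKiller write one line per loaded driver (timestamp, process id, service name, MD5 of the image, image path), as the report posted in the next reply shows. Keeping that file from a known-good run and diffing it against a later one is a cheap way to catch a driver whose on-disk image has changed, which is what the TDSS family did to a legitimate driver, or a driver that was not present before. The script below is an added example, not Kaspersky's code: it parses that line format, lists drivers loaded from outside the Windows directory for manual review, and diffs two reports. The five BEFORE lines are copied from the report in this thread; the altered atapi hash, the name `demo_new_drv` and its hash are constructed placeholders for the demo and are not indicators of anything.

```python
"""Parse the per-driver lines TDSSKiller writes to its -l report (timestamp, pid, service
name, MD5, image path) and diff two reports.  Added example, not Kaspersky code; the line
format is taken from the report posted in this thread."""
import re

DRIVER_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(\S+) \(([0-9a-fA-F]{32})\) (.+)$")


def parse_report(text):
    """Return {service_name: (md5, image_path)} for every driver line in the report."""
    drivers = {}
    for line in text.splitlines():
        m = DRIVER_RE.match(line.strip())
        if m:
            name, md5, path = m.groups()
            drivers[name] = (md5.lower(), path)
    return drivers


def outside_windows(drivers, windir=r"C:\WINDOWS"):
    """Names of drivers whose image is not under the Windows directory.  This is a review
    list, not a verdict: AV definition drivers legitimately load from Application Data
    (BHDrvx86 in the sample below is Norton's)."""
    prefix = windir.lower().rstrip("\\") + "\\"
    return sorted(n for n, (_h, p) in drivers.items() if not p.lower().startswith(prefix))


def diff_reports(before, after):
    """(changed_hash, appeared, gone) between two parsed reports.  A hash change on a core
    driver such as atapi.sys is the classic sign of a driver file patched in place."""
    changed = sorted(n for n in before.keys() & after.keys() if before[n][0] != after[n][0])
    appeared = sorted(after.keys() - before.keys())
    gone = sorted(before.keys() - after.keys())
    return changed, appeared, gone


# Constructed samples.  BEFORE copies five driver lines (and one non-driver line) from the
# report in this thread; AFTER is the same run with atapi's hash altered and one extra driver
# appended purely for the demo (the zero hash and the name demo_new_drv are placeholders).
BEFORE = r"""
2011/02/19 19:42:08.0656 1188 Scan started
2011/02/19 19:42:10.0031 1188 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/19 19:42:10.0421 1188 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/02/19 19:42:11.0281 1188 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/19 19:42:11.0453 1188 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/19 19:42:11.0625 1188 BHDrvx86 (83a2fec59a0a0fc73bf6598e901b2fbd) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110114.001\BHDrvx86.sys
"""
AFTER = BEFORE.replace("9f3a2f5aa6875c72bf062c712cfa2674", "0" * 32) + (
    "2011/02/20 09:00:00.0000 1188 demo_new_drv (0123456789abcdef0123456789abcdef) "
    r"C:\WINDOWS\system32\drivers\demo_new_drv.sys" + "\n")

if __name__ == "__main__":
    before, after = parse_report(BEFORE), parse_report(AFTER)
    print("loaded from outside Windows:", outside_windows(before))
    print("changed / appeared / gone:", diff_reports(before, after))
```

In practice, save the report from a run you trust, re-run TDSSKiller with `-l` after any cleanup, and feed both files to `parse_report` and `diff_reports`; anything in `changed` deserves a second look at the file's signature and version before the machine is declared clean.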

#12 Bluefox76 (Topic Starter)

Posted 19 February 2011 - 07:43 PM

I've run MBAM, but none of the things you described in your last post happened. I made sure the boxes for both drives were checked and performed a full scan. Instead of seeing the window that you described when it was finished, a box opened that said: "The scan completed successfully. No malicious items were detected. A log file has been saved to the logs folder." This is the log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5813

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/19/2011 4:37:08 PM
mbam-log-2011-02-19 (16-37-08).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 201623
Time elapsed: 26 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Then I ran TDSSKiller. It also found nothing. Here is the log:

2011/02/19 19:42:02.0406 3836 TDSS rootkit removing tool 2.4.17.0 Feb 10 2011 11:07:20
2011/02/19 19:42:04.0406 3836 ================================================================================
2011/02/19 19:42:04.0406 3836 SystemInfo:
2011/02/19 19:42:04.0406 3836
2011/02/19 19:42:04.0406 3836 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/19 19:42:04.0406 3836 Product type: Workstation
2011/02/19 19:42:04.0406 3836 ComputerName: LAPTOP
2011/02/19 19:42:04.0406 3836 UserName: Leather
2011/02/19 19:42:04.0406 3836 Windows directory: C:\WINDOWS
2011/02/19 19:42:04.0406 3836 System windows directory: C:\WINDOWS
2011/02/19 19:42:04.0406 3836 Processor architecture: Intel x86
2011/02/19 19:42:04.0406 3836 Number of processors: 1
2011/02/19 19:42:04.0406 3836 Page size: 0x1000
2011/02/19 19:42:04.0406 3836 Boot type: Normal boot
2011/02/19 19:42:04.0406 3836 ================================================================================
2011/02/19 19:42:05.0031 3836 Initialize success
2011/02/19 19:42:08.0656 1188 ================================================================================
2011/02/19 19:42:08.0656 1188 Scan started
2011/02/19 19:42:08.0656 1188 Mode: Manual;
2011/02/19 19:42:08.0656 1188 ================================================================================
2011/02/19 19:42:10.0031 1188 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/19 19:42:10.0234 1188 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/02/19 19:42:10.0328 1188 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/02/19 19:42:10.0421 1188 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/02/19 19:42:10.0531 1188 AgereSoftModem (029e01cb2938bec5af31bf47b6af0159) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/02/19 19:42:10.0781 1188 ALCXWDM (95aa37bec6c72c277c2caeaee736dd2d) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2011/02/19 19:42:10.0984 1188 ApfiltrService (87ec3fdcaf6c5052e2e72b861dedd3d3) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
2011/02/19 19:42:11.0046 1188 AR5211 (37e1a3630872b3ccaa45e2468f437df0) C:\WINDOWS\system32\DRIVERS\ar5211.sys
2011/02/19 19:42:11.0125 1188 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/02/19 19:42:11.0250 1188 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/19 19:42:11.0281 1188 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/19 19:42:11.0343 1188 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/19 19:42:11.0390 1188 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/19 19:42:11.0453 1188 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/19 19:42:11.0625 1188 BHDrvx86 (83a2fec59a0a0fc73bf6598e901b2fbd) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110114.001\BHDrvx86.sys
2011/02/19 19:42:11.0781 1188 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/19 19:42:11.0890 1188 ccHP (e941e709847fa00e0dd6d58d2b8fb5e1) C:\WINDOWS\system32\drivers\N360\0403000.005\ccHPx86.sys
2011/02/19 19:42:11.0968 1188 CdaC15BA (82c4c6a2343b592c4fd590f625a724a9) C:\WINDOWS\system32\drivers\CDAC15BA.SYS
2011/02/19 19:42:12.0015 1188 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/19 19:42:12.0078 1188 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/19 19:42:12.0140 1188 Cdr4_xp (c269488c6432b58922c5a3a5fa6ee119) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
2011/02/19 19:42:12.0218 1188 Cdralw2k (baced3e0135a880d5249b09000aee285) C:\WINDOWS\system32\drivers\Cdralw2k.sys
2011/02/19 19:42:12.0250 1188 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/19 19:42:12.0328 1188 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/02/19 19:42:12.0359 1188 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/02/19 19:42:12.0484 1188 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/19 19:42:12.0562 1188 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/02/19 19:42:12.0625 1188 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/02/19 19:42:12.0656 1188 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/02/19 19:42:12.0703 1188 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/02/19 19:42:12.0812 1188 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/19 19:42:12.0890 1188 drvmcdb (f41619ae216b51d68dda163805eefaa9) C:\WINDOWS\system32\drivers\drvmcdb.sys
2011/02/19 19:42:12.0953 1188 drvnddm (2ff629c1c443e25d0149b9dfb77e43a8) C:\WINDOWS\system32\drivers\drvnddm.sys
2011/02/19 19:42:13.0078 1188 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/02/19 19:42:13.0140 1188 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/02/19 19:42:13.0187 1188 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/19 19:42:13.0250 1188 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/02/19 19:42:13.0281 1188 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/02/19 19:42:13.0312 1188 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/02/19 19:42:13.0343 1188 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/02/19 19:42:13.0390 1188 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/19 19:42:13.0437 1188 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/19 19:42:13.0468 1188 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/02/19 19:42:13.0562 1188 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/19 19:42:13.0625 1188 hitmanpro35 (30b90793a568281bef70fa57dde305a2) C:\WINDOWS\system32\drivers\hitmanpro35.sys
2011/02/19 19:42:13.0703 1188 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/19 19:42:13.0796 1188 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/02/19 19:42:13.0875 1188 ialm (d4405bd2b6e95efdc8e674ed4032874f) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/02/19 19:42:14.0062 1188 IDSxpx86 (0308238c582a55d83d34feee39542793) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110218.003\IDSxpx86.sys
2011/02/19 19:42:14.0156 1188 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/19 19:42:14.0234 1188 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/02/19 19:42:14.0265 1188 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/02/19 19:42:14.0312 1188 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/02/19 19:42:14.0359 1188 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/19 19:42:14.0406 1188 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/19 19:42:14.0453 1188 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/19 19:42:14.0484 1188 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/02/19 19:42:14.0531 1188 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/02/19 19:42:14.0562 1188 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/02/19 19:42:14.0609 1188 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys
2011/02/19 19:42:14.0640 1188 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/02/19 19:42:14.0687 1188 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/02/19 19:42:14.0734 1188 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/02/19 19:42:14.0875 1188 MDC8021X (8fee53c104223973ed9919936d9cd156) C:\WINDOWS\system32\DRIVERS\mdc8021x.sys
2011/02/19 19:42:14.0921 1188 meiudf (63351a2b051dfc4e7bb41319c8c1ace4) C:\WINDOWS\system32\Drivers\meiudf.sys
2011/02/19 19:42:14.0984 1188 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/02/19 19:42:15.0031 1188 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/02/19 19:42:15.0062 1188 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/02/19 19:42:15.0093 1188 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/02/19 19:42:15.0140 1188 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/02/19 19:42:15.0203 1188 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/02/19 19:42:15.0281 1188 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/02/19 19:42:15.0328 1188 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/02/19 19:42:15.0406 1188 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/02/19 19:42:15.0437 1188 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/02/19 19:42:15.0468 1188 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/02/19 19:42:15.0484 1188 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/02/19 19:42:15.0625 1188 NAVENG (c8ef74e4d8105b1d02d58ea4734cf616) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20110219.002\NAVENG.SYS
2011/02/19 19:42:15.0718 1188 NAVEX15 (94b3164055d821a62944d9fe84036470) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20110219.002\NAVEX15.SYS
2011/02/19 19:42:15.0859 1188 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/02/19 19:42:15.0890 1188 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/02/19 19:42:15.0937 1188 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/02/19 19:42:15.0968 1188 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/02/19 19:42:16.0015 1188 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/02/19 19:42:16.0078 1188 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/02/19 19:42:16.0125 1188 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/02/19 19:42:16.0187 1188 Netdevio (1265eb253ed4ebe4acb3bd5f548ff796) C:\WINDOWS\system32\DRIVERS\netdevio.sys
2011/02/19 19:42:16.0250 1188 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/02/19 19:42:16.0281 1188 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/02/19 19:42:16.0343 1188 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/02/19 19:42:16.0453 1188 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/02/19 19:42:16.0484 1188 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/02/19 19:42:16.0515 1188 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/02/19 19:42:16.0546 1188 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/02/19 19:42:16.0625 1188 PalmUSBD (240c0d4049a833b16b63b636acf01672) C:\WINDOWS\system32\drivers\PalmUSBD.sys
2011/02/19 19:42:16.0656 1188 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/02/19 19:42:16.0687 1188 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/02/19 19:42:16.0734 1188 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/02/19 19:42:16.0765 1188 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/02/19 19:42:16.0843 1188 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/02/19 19:42:16.0875 1188 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/02/19 19:42:17.0062 1188 Pfc (6c1618a07b49e3873582b6449e744088) C:\WINDOWS\system32\drivers\pfc.sys
2011/02/19 19:42:17.0109 1188 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/02/19 19:42:17.0156 1188 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/02/19 19:42:17.0203 1188 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/02/19 19:42:17.0234 1188 PxHelp20 (f3a3b00666a40c6914b7b2864f7dc1c0) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/02/19 19:42:17.0437 1188 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/02/19 19:42:17.0500 1188 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/02/19 19:42:17.0515 1188 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/02/19 19:42:17.0562 1188 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/02/19 19:42:17.0609 1188 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/02/19 19:42:17.0656 1188 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/02/19 19:42:17.0703 1188 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/02/19 19:42:17.0765 1188 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/02/19 19:42:17.0875 1188 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/02/19 19:42:17.0921 1188 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/02/19 19:42:17.0968 1188 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/02/19 19:42:18.0000 1188 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
2011/02/19 19:42:18.0046 1188 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
2011/02/19 19:42:18.0140 1188 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/02/19 19:42:18.0250 1188 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/02/19 19:42:18.0296 1188 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/02/19 19:42:18.0406 1188 SRTSP (ec5c3c6260f4019b03dfaa03ec8cbf6a) C:\WINDOWS\System32\Drivers\N360\0403000.005\SRTSP.SYS
2011/02/19 19:42:18.0468 1188 SRTSPX (55d5c37ed41231e3ac2063d16df50840) C:\WINDOWS\system32\drivers\N360\0403000.005\SRTSPX.SYS
2011/02/19 19:42:18.0546 1188 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/02/19 19:42:18.0609 1188 SrvcEKIOMngr (3b01a9316255cdd17f9c8e79aa573406) C:\WINDOWS\system32\Drivers\EKIoMngr.sys
2011/02/19 19:42:18.0640 1188 SrvcSSIOMngr (79b7af340d55861df1d69e7bac975fcc) C:\WINDOWS\system32\Drivers\SSIoMngr.sys
2011/02/19 19:42:18.0671 1188 sscdbhk5 (1cbd1b58a32de97899f5290b05f856db) C:\WINDOWS\system32\drivers\sscdbhk5.sys
2011/02/19 19:42:18.0703 1188 ssrtln (7fb07ac152d7a87e66204860002bd9a4) C:\WINDOWS\system32\drivers\ssrtln.sys
2011/02/19 19:42:18.0734 1188 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/02/19 19:42:18.0781 1188 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/02/19 19:42:18.0875 1188 SymDS (56890bf9d9204b93042089d4b45ae671) C:\WINDOWS\system32\drivers\N360\0403000.005\SYMDS.SYS
2011/02/19 19:42:18.0968 1188 SymEFA (1c91df5188150510a6f0cf78f7d94b69) C:\WINDOWS\system32\drivers\N360\0403000.005\SYMEFA.SYS
2011/02/19 19:42:19.0031 1188 SymEvent (961b48b86f94d4cc8ceb483f8aa89374) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2011/02/19 19:42:19.0140 1188 SymIRON (dc80fbf0a348e54853ef82eed4e11e35) C:\WINDOWS\system32\drivers\N360\0403000.005\Ironx86.SYS
2011/02/19 19:42:19.0187 1188 SYMTDI (41aad61f87ca8e3b5d0f7fe7fba0797d) C:\WINDOWS\System32\Drivers\N360\0403000.005\SYMTDI.SYS
2011/02/19 19:42:19.0296 1188 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/02/19 19:42:19.0343 1188 TBiosDrv (eeca2b57545e7b7be949b5e70e31444f) C:\WINDOWS\system32\drivers\TBiosDrv.sys
2011/02/19 19:42:19.0437 1188 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/02/19 19:42:19.0484 1188 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/02/19 19:42:19.0515 1188 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/02/19 19:42:19.0546 1188 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/02/19 19:42:19.0609 1188 tfsnboio (2da3ca4022abb0802de7eeda574e78d6) C:\WINDOWS\system32\dla\tfsnboio.sys
2011/02/19 19:42:19.0625 1188 tfsncofs (c8d6928759b77701c21dc90ad61197f2) C:\WINDOWS\system32\dla\tfsncofs.sys
2011/02/19 19:42:19.0656 1188 tfsndrct (bacdef5510fa643683cddca418e49446) C:\WINDOWS\system32\dla\tfsndrct.sys
2011/02/19 19:42:19.0687 1188 tfsndres (3fc9f390fac563c3d3910d540adbd408) C:\WINDOWS\system32\dla\tfsndres.sys
2011/02/19 19:42:19.0718 1188 tfsnifs (6aef3ec0b64689536891a9b96e9d7b82) C:\WINDOWS\system32\dla\tfsnifs.sys
2011/02/19 19:42:19.0781 1188 tfsnopio (7239873a72dd456f6e74e6987cdb9687) C:\WINDOWS\system32\dla\tfsnopio.sys
2011/02/19 19:42:19.0843 1188 tfsnpool (b78631e3593ddd76a4a8ba7cb8e32302) C:\WINDOWS\system32\dla\tfsnpool.sys
2011/02/19 19:42:19.0859 1188 tfsnudf (9e8b4abb93e5784fc4e5d3202566cc7a) C:\WINDOWS\system32\dla\tfsnudf.sys
2011/02/19 19:42:19.0890 1188 tfsnudfa (056fa0a11ba4cd688e1e40e48ffee921) C:\WINDOWS\system32\dla\tfsnudfa.sys
2011/02/19 19:42:19.0937 1188 tifm21 (2448935e1cf84b0341a24a17908c7311) C:\WINDOWS\system32\drivers\tifm21.sys
2011/02/19 19:42:20.0015 1188 TPwSav (f26e5110cc02db2ec90ff31f33106add) C:\WINDOWS\system32\Drivers\TPwSav.sys
2011/02/19 19:42:20.0109 1188 Tvs (7bc87d123f504d161693f672cfe99ec4) C:\WINDOWS\system32\DRIVERS\Tvs.sys
2011/02/19 19:42:20.0171 1188 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/02/19 19:42:20.0250 1188 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/02/19 19:42:20.0312 1188 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/02/19 19:42:20.0343 1188 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/02/19 19:42:20.0390 1188 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/02/19 19:42:20.0421 1188 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/02/19 19:42:20.0468 1188 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/02/19 19:42:20.0500 1188 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/19 19:42:20.0562 1188 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/02/19 19:42:20.0718 1188 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/02/19 19:42:20.0875 1188 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/02/19 19:42:20.0953 1188 yukonwxp (e279c4e1287751dffa0a1f3ec4097491) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
2011/02/19 19:42:21.0140 1188 ================================================================================
2011/02/19 19:42:21.0140 1188 Scan finished
2011/02/19 19:42:21.0140 1188 ================================================================================

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:55 AM

Posted 19 February 2011 - 08:22 PM

So, by the look of it, we have the redirector only present.

Create and Run Batch File
Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:
@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0
Save this as router.bat. Under "Save as type" choose All Files, save it to the Desktop, then close the Notepad file.

It should look like this: Posted Image <--XP
Double-click on router.bat to run it. It will open Notepad when done; please post back the results.

m0le is a proud member of UNITE

#14 Bluefox76

Bluefox76
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:01:55 AM

Posted 19 February 2011 - 08:27 PM

Windows IP Configuration



Host Name . . . . . . . . . . . . : Laptop

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : hsd1.nj.comcast.net.



Ethernet adapter Wireless Network Connection:



Connection-specific DNS Suffix . : hsd1.nj.comcast.net.

Description . . . . . . . . . . . : Atheros AR5005G Wireless Network Adapter

Physical Address. . . . . . . . . : 00-11-F5-77-02-51

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.104

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 68.87.64.150

68.87.75.198

Lease Obtained. . . . . . . . . . : Saturday, February 19, 2011 7:34:08 PM

Lease Expires . . . . . . . . . . : Sunday, February 20, 2011 7:34:08 PM



Ethernet adapter Local Area Connection:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller

Physical Address. . . . . . . . . : 00-0F-B0-8E-12-45

Server: cns.inflow.pa.bo.comcast.net
Address: 68.87.64.150

Name: google.com
Addresses: 72.14.204.147, 72.14.204.99, 72.14.204.103, 72.14.204.104

Server: cns.inflow.pa.bo.comcast.net
Address: 68.87.64.150

Name: yahoo.com
Addresses: 67.195.160.76, 69.147.125.65, 72.30.2.43, 98.137.149.56
209.191.122.70



Pinging google.com [72.14.204.104] with 32 bytes of data:



Reply from 72.14.204.104: bytes=32 time=21ms TTL=53

Reply from 72.14.204.104: bytes=32 time=22ms TTL=53



Ping statistics for 72.14.204.104:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 21ms, Maximum = 22ms, Average = 21ms



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:



Reply from 209.191.122.70: bytes=32 time=55ms TTL=50

Reply from 209.191.122.70: bytes=32 time=57ms TTL=50



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 55ms, Maximum = 57ms, Average = 56ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 11 f5 77 02 51 ...... Atheros AR5005G Wireless Network Adapter - Packet Scheduler Miniport
0x3 ...00 0f b0 8e 12 45 ...... Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.104 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.104 192.168.1.104 30
192.168.1.104 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.1.255 255.255.255.255 192.168.1.104 192.168.1.104 30
224.0.0.0 240.0.0.0 192.168.1.104 192.168.1.104 30
255.255.255.255 255.255.255.255 192.168.1.104 3 1
255.255.255.255 255.255.255.255 192.168.1.104 192.168.1.104 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
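The batch file above collects ipconfig /all, nslookup, ping and route print so the helper can compare three things: which DNS servers the adapter is configured with, which resolver nslookup actually answered from, and which address ping ended up using. The Python script below is an added example written for this thread, not a BleepingComputer tool or anything from the posts: it parses that output and flags the inconsistencies a hijacked resolver would produce. The resolver allowlist (EXPECTED_RESOLVERS) and the tampered sample (TAMPERED_OUTPUT, using the 203.0.113.0/24 documentation range) are assumptions constructed for the demonstration; the clean sample is an abridged copy of the output posted above.

```python
"""Consistency checks over router.bat output (ipconfig /all, nslookup, ping).
Example code written for this thread; not a BleepingComputer or UNITE tool."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample: abridged copy of the output posted above. The forum
# stripped the leading indentation, so the parser must not depend on it.
SAMPLE_OUTPUT = """\
Windows IP Configuration

Host Name . . . . . . . . . . . . : Laptop
DNS Suffix Search List. . . . . . : hsd1.nj.comcast.net.

Ethernet adapter Wireless Network Connection:

Description . . . . . . . . . . . : Atheros AR5005G Wireless Network Adapter
Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.104
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 68.87.64.150
68.87.75.198

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected

Server: cns.inflow.pa.bo.comcast.net
Address: 68.87.64.150

Name: google.com
Addresses: 72.14.204.147, 72.14.204.99, 72.14.204.103, 72.14.204.104

Pinging google.com [72.14.204.104] with 32 bytes of data:
Reply from 72.14.204.104: bytes=32 time=21ms TTL=53
"""

# Assumed allowlist: the /24s containing the two resolvers DHCP handed out
# above. Substitute the ranges your own ISP publishes.
EXPECTED_RESOLVERS = ["68.87.64.0/24", "68.87.75.0/24"]

# Constructed tampered variant: adapter DNS now points into the TEST-NET-3
# documentation range (standing in for a rogue resolver) and ping resolves
# google.com to an address nslookup never returned.
TAMPERED_OUTPUT = (
    SAMPLE_OUTPUT
    .replace("68.87.64.150\n68.87.75.198", "203.0.113.53\n203.0.113.54")
    .replace("[72.14.204.104]", "[203.0.113.80]")
)

KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")
ADAPTER = re.compile(r"^(?:Ethernet|PPP|Tunnel) adapter (.+):$")
IP_ONLY = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})$")
PINGING = re.compile(r"^Pinging (\S+) \[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_diagnostics(text: str) -> dict:
    """Split router.bat output into adapters, nslookup answers and ping targets."""
    adapters: List[dict] = []
    lookups: List[dict] = []
    pings: Dict[str, str] = {}
    adapter = lookup = last_key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ADAPTER.match(line):
            adapter = {"name": m.group(1), "fields": {}, "dns": []}
            adapters.append(adapter)
        elif m := PINGING.match(line):
            pings[m.group(1).lower()] = m.group(2)
            adapter = None  # the ipconfig section is over
        elif m := IP_ONLY.match(line):  # continuation line of a multi-value field
            if adapter and last_key == "DNS Servers":
                adapter["dns"].append(m.group(1))
            elif lookup and last_key == "Addresses":
                lookup["addresses"].append(m.group(1))
        elif m := KEY_VALUE.match(line):
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Server":  # start of one nslookup answer
                lookup = {"server": value, "server_addr": None, "name": None, "addresses": []}
                lookups.append(lookup)
                adapter = None
            elif lookup and key == "Address":  # resolver address, or a single-answer record
                if lookup["name"] is None:
                    lookup["server_addr"] = value
                else:
                    lookup["addresses"].append(value)
            elif lookup and key == "Name":
                lookup["name"] = value.lower()
            elif lookup and key == "Addresses":
                lookup["addresses"] = [a.strip() for a in value.split(",") if a.strip()]
            elif adapter is not None:
                adapter["fields"][key] = value
                if key == "DNS Servers" and value:
                    adapter["dns"].append(value)
            last_key = key
    return {"adapters": adapters, "lookups": lookups, "pings": pings}


def audit(text: str, expected_resolvers: List[str]) -> List[str]:
    """Return findings; an empty list means the diagnostics are consistent."""
    nets = [ipaddress.ip_network(n) for n in expected_resolvers]
    parsed = parse_diagnostics(text)
    findings: List[str] = []
    configured = set()
    for ad in parsed["adapters"]:
        name, fields = ad["name"], ad["fields"]
        if fields.get("Media State", "").lower().startswith("media disconnected"):
            continue  # an unplugged adapter cannot be the path in use
        if fields.get("Dhcp Enabled", "").lower() == "no" and ad["dns"]:
            findings.append(f"{name}: DNS set statically while DHCP is off; verify who set it")
        for dns in ad["dns"]:
            configured.add(dns)
            try:
                addr = ipaddress.ip_address(dns)
            except ValueError:
                findings.append(f"{name}: unparsable DNS server {dns!r}")
                continue
            if nets and not any(addr in n for n in nets):
                findings.append(f"{name}: DNS server {dns} is outside the expected resolver ranges")
    for lk in parsed["lookups"]:
        if lk["server_addr"] and lk["server_addr"] not in configured:
            findings.append(f"nslookup answered via {lk['server_addr']}, which no active adapter uses")
        pinged = parsed["pings"].get(lk["name"] or "")
        if pinged and pinged not in lk["addresses"]:
            findings.append(f"{lk['name']}: ping used {pinged} but nslookup returned {', '.join(lk['addresses'])}")
    return findings


if __name__ == "__main__":
    for label, text in (("posted output", SAMPLE_OUTPUT), ("tampered output", TAMPERED_OUTPUT)):
        result = audit(text, EXPECTED_RESOLVERS)
        print(f"{label}: {'consistent' if not result else f'{len(result)} finding(s)'}")
        for finding in result:
            print("  -", finding)
```

On the output Bluefox76 posted the script reports nothing: both configured resolvers sit in the allowlisted ranges, nslookup answered from one of them, and ping used an address nslookup had returned, which is why the helper concludes only the redirector itself remains. The checks are deliberately about agreement between the three commands rather than about any particular bad address, so they still fire when a hijacked resolver lives in a range nobody has blocklisted yet.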

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:55 AM

Posted 19 February 2011 - 08:40 PM

Let's try to reset the router to its default configuration.
  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don't know the router's default password, you can look it up HERE.
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

Now please run Combofix

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE