
Personal Shield Pro infection


This topic is locked
23 replies to this topic

#1 th3d00d

th3d00d

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:57 PM

Posted 08 July 2011 - 03:44 PM

Hello :)

Broni referred me here after trying some basic steps in this topic:

http://www.bleepingcomputer.com/forums/topic408341.html/

Yesterday my computer was infected with the Personal Shield Pro virus. No programs would work except IE, and my background image disappeared (turned blue). I followed the steps of running RKill and then MBAM which solved some issues, but my browser still redirected, and most programs are hidden.

I am unable to solve the problem in Safe Mode either. As soon as I launch MBAM the virus kicks back in (after running Rkill).

Here is my DDS log:

.
DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by Spencer Whipple at 15:02:20 on 2011-07-08
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.571 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://en.wikipedia.org/wiki/Main_Page
uSearch Page = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
uDefault_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=6080506
uSearch Bar = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearchAssistant = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {9bb815eb-3f9f-4e11-9150-cb70e29b40fc} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {9bb815eb-3f9f-4e11-9150-cb70e29b40fc} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Security Protection] c:\documents and settings\all users\application data\defender.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [ZSSnp211] c:\windows\ZSSnp211.exe
mRun: [Domino] c:\windows\Domino.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\spence~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: amazon.ca\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{F753C1F1-4E83-46D3-8019-F68E13815234} : DhcpNameServer = 10.0.0.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-10 243152]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-25 216400]
S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-25 29584]
S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921952]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 1025352]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-5-6 30192]
S3 vvftav211;vvftav211;c:\windows\system32\drivers\vvftav211.sys [2010-9-2 480128]
S3 ZSMC30x;USB PC Camera Service ZSMC30x;c:\windows\system32\drivers\ZS211.sys [2010-9-2 1537024]
.
=============== Created Last 30 ================
.
2011-07-08 00:40:31 889344 ----a-w- c:\documents and settings\all users\application data\defender.exe
2011-07-07 21:19:57 0 ----a-w- c:\windows\Idametomivokit.bin
2011-07-07 21:19:56 -------- d-----w- c:\documents and settings\spencer whipple\local settings\application data\{1AB7493D-C47E-4D65-9E3E-281963B85FA4}
2011-07-07 21:11:41 -------- d--h--w- c:\documents and settings\all users\application data\bJ01603AdDlO01603
2011-06-18 18:52:25 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
2011-06-18 18:50:56 -------- d-----w- C:\Netgear
.
==================== Find3M ====================
.
2011-06-30 11:47:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-14 06:36:34 2829 ----a-w- c:\windows\War3Unin.pif
2011-05-14 06:36:34 139264 ----a-w- c:\windows\War3Unin.exe
2011-05-06 13:15:47 243152 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ------w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 15:08:45.81 ===============

Thanks so much for your help! :)
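As an added example (not part of this thread, of DDS, or of any tool mentioned in it), here is a small defender-side triage script for the DDS log format shown above: it parses uRun/mRun, BHO/TB and "Created Last 30" lines, flags autorun entries whose image lives in a user-writable data directory, orphaned browser objects, and freshly created hidden folders or executables in those directories, then correlates the created-file list against the autorun list. The sample lines embedded in it are constructed in the log's format; the rule names, severities and directory list are my own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input in the shape of the DDS "Pseudo HJT Report" and
# "Created Last 30" sections (a handful of lines, not a full log).
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Security Protection] c:\documents and settings\all users\application data\defender.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
2011-07-08 00:40:31 889344 ----a-w- c:\documents and settings\all users\application data\defender.exe
2011-07-07 21:19:57 0 ----a-w- c:\windows\Idametomivokit.bin
2011-07-07 21:11:41 -------- d--h--w- c:\documents and settings\all users\application data\bJ01603AdDlO01603
2011-06-18 18:50:56 -------- d-----w- C:\Netgear
"""

# The three DDS line shapes this script understands.
AUTORUN_RE = re.compile(r"^[um]Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
OBJECT_RE = re.compile(r"^(?:BHO|TB):\s+(?P<desc>.*?)\s+-\s+(?P<target>.*)$")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)

# Directory fragments an unprivileged user (and therefore malware running as
# that user) can write to; legitimate autoruns rarely live here. Assumed list.
USER_WRITABLE = (
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
    "\\programdata\\",
    "\\appdata\\",
)
EXE_EXT = (".exe", ".dll", ".scr", ".pif", ".com", ".bin")
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "info": 3}


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    path: str


def image_path(cmd: str) -> str:
    """Extract the executable path from an autorun command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.(?:exe|dll|scr|pif|com|bin))(?:\s|$)", cmd)
    return m.group(1) if m else cmd


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def triage(dds_text: str) -> list[Finding]:
    """Walk DDS lines and return findings, most severe first."""
    autoruns: dict[str, str] = {}  # lowercased image path -> autorun label
    created: list[str] = []
    findings: list[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if m := AUTORUN_RE.match(line):
            path = image_path(m.group("cmd"))
            autoruns[path.lower()] = m.group("name")
            if in_user_writable(path):
                findings.append(Finding("high", "autorun-from-user-writable-dir", path))
        elif m := OBJECT_RE.match(line):
            # Orphaned BHO/toolbar entries are cleanup candidates, not evidence by themselves.
            if m.group("target").strip().lower() == "no file":
                findings.append(Finding("info", "orphaned-browser-object", m.group("desc")))
        elif m := CREATED_RE.match(line):
            attrs, path = m.group("attrs"), m.group("path")
            created.append(path)
            if not in_user_writable(path):
                continue
            if attrs.startswith("d") and "h" in attrs:
                findings.append(Finding("medium", "new-hidden-dir-in-user-writable", path))
            elif path.lower().endswith(EXE_EXT):
                findings.append(Finding("medium", "new-executable-in-user-writable", path))
    # Correlation: a file created in the last 30 days that is also an autorun
    # target is the strongest single signal a log like this offers.
    for path in created:
        if path.lower() in autoruns:
            findings.append(Finding("critical", "autorun-points-at-recently-created-file", path))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.severity:8} {f.rule:42} {f.path}")
```

On the sample, the only path that trips every rule is the "Security Protection" autorun, while the stock ctfmon.exe, AVG and QuickTime entries produce nothing.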



#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:09:57 PM

Posted 17 July 2011 - 11:21 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, has resulted in the delayed response to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Rootkit UnHooker (RkU)
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded it from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth Code, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



NEXT:


Running OTL

We need to create a FULL OTL Report
  • Please download OTL from here:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList".
  • Push the Run Scan button.
  • Two reports will open; copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

NEXT:


Please provide an update on how things are running in your next reply.



The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 th3d00d

th3d00d
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:57 PM

Posted 17 July 2011 - 12:15 PM

Dude! Glad to hear from ya!!! :)

K, please bear with me here; I might ask some questions that sound stupid but I'm going with the philosophy that it's better not to assume.

My computer has Ubuntu installed as a second OS which I've been using in the interim; I am unable to run any programs at all in Normal Mode in Windows.

Can I complete these steps in Safe Mode (probably with Networking to access net)?

It is a massive relief to get some help here; I can see you guys are clearly swamped but one can't help but get a bit antsy, even knowing that you guys are over-worked do-gooders who, just as you say, have lives outside of saving my dumb butt! :)

Edited by th3d00d, 17 July 2011 - 12:47 PM.


#4 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:09:57 PM

Posted 17 July 2011 - 01:08 PM

Hi!

Can I complete these steps in Safe Mode (probably with Networking to access net)?

Yes, if you can not complete them in Normal Mode, then please try to proceed with them in Safe Mode.

You will not be able to run RKU in Safe Mode, so you'll have to skip that step and proceed directly with the OTL scan.





#5 th3d00d

th3d00d
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:57 PM

Posted 17 July 2011 - 01:24 PM

Thanks ST!

Okay, OTL.txt log:

OTL logfile created on: 17/07/2011 2:15:18 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Spencer Whipple\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1012.88 Mb Total Physical Memory | 592.57 Mb Available Physical Memory | 58.50% Memory free
2.37 Gb Paging File | 2.07 Gb Available in Paging File | 87.17% Paging File free
Paging file location(s): C:\pagefile.sys 1512 3024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 20.00 Gb Total Space | 2.24 Gb Free Space | 11.22% Space Free | Partition Type: NTFS
Drive D: | 106.50 Gb Total Space | 28.77 Gb Free Space | 27.01% Space Free | Partition Type: NTFS

Computer Name: RAND | User Name: Spencer Whipple | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/17 14:14:36 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Spencer Whipple\Desktop\OTL.exe
PRC - [2010/07/15 18:27:40 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/07/17 14:14:36 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Spencer Whipple\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/13 20:11:58 | 000,071,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msacm32.dll
MOD - [2008/04/13 20:11:48 | 001,852,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\AppPatch\acgenral.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/05/30 11:33:54 | 001,025,352 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2010/07/20 16:19:22 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/07/15 18:28:23 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2007/07/26 19:03:46 | 000,358,936 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2007/06/20 14:30:18 | 000,079,168 | ---- | M] (Broadcom Corporation) [Auto | Stopped] -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe -- (ASFIPmon)


========== Driver Services (SafeList) ==========

DRV - [2011/05/06 09:15:47 | 000,243,152 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/07/15 18:27:44 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/06/03 08:01:52 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Stopped] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/07/06 20:57:04 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2007/12/10 18:15:34 | 000,480,128 | ---- | M] (Vimicro Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vvftav211.sys -- (vvftav211)
DRV - [2007/12/05 11:00:08 | 001,537,024 | ---- | M] (ZSMC.Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZS211.sys -- (ZSMC30x)
DRV - [2007/09/24 19:12:48 | 000,392,960 | ---- | M] (Sensaura) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2007/07/25 20:55:36 | 000,161,792 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2007/06/20 14:30:20 | 000,010,480 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Stopped] -- C:\Program Files\Broadcom\ASFIPMon\BASFND.sys -- (BASFND)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=6080506
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=6080506


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=6080506
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=6080506
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=6080506
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=6080506
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=6080506
IE - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
IE - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
IE - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.wikipedia.org/wiki/Main_Page
IE - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [2011/05/10 09:00:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{1AB7493D-C47E-4D65-9E3E-281963B85FA4}: C:\Documents and Settings\Spencer Whipple\Local Settings\Application Data\{1AB7493D-C47E-4D65-9E3E-281963B85FA4} [2011/07/07 17:19:56 | 000,000,000 | ---D | M]

[2011/02/01 21:59:41 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/22 12:31:56 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/08/19 21:12:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2004/08/04 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {9bb815eb-3f9f-4e11-9150-cb70e29b40fc} - No CLSID value found.
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O3 - HKLM\..\Toolbar: (no name) - {9bb815eb-3f9f-4e11-9150-cb70e29b40fc} - No CLSID value found.
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\..\Toolbar\WebBrowser: (no name) - {9BB815EB-3F9F-4E11-9150-CB70E29B40FC} - No CLSID value found.
O3 - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Domino] C:\WINDOWS\Domino.exe ()
O4 - HKLM..\Run: [ECenter] C:\dell\E-Center\EULALauncher.exe ( )
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [ZSSnp211] C:\WINDOWS\ZSSnp211.exe (ZSMCSNAP)
O4 - HKU\S-1-5-21-731061896-4257502280-1421588278-1006..\Run: [Security Protection] C:\Documents and Settings\All Users\Application Data\defender.exe (G Data)
O4 - Startup: C:\Documents and Settings\Spencer Whipple\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\..Trusted Domains: amazon.ca ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\Spencer Whipple\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Spencer Whipple\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/06/18 15:21:15 | 000,000,090 | ---- | M] () - D:\AUTORUN.INF -- [ NTFS ]
O33 - MountPoints2\{dbca412d-97b1-11df-aaf9-001ec93c74d4}\Shell - "" = AutoRun
O33 - MountPoints2\{dbca412d-97b1-11df-aaf9-001ec93c74d4}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{dbca412d-97b1-11df-aaf9-001ec93c74d4}\Shell\AutoRun\command - "" = F:\DigitalPhotoKeychain.EXE
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-731061896-4257502280-1421588278-1006..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/17 14:14:35 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Spencer Whipple\Desktop\OTL.exe
[2011/07/08 15:13:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spencer Whipple\Desktop\gmer
[2011/07/08 15:02:14 | 000,607,017 | R--- | C] (Swearware) -- C:\Documents and Settings\Spencer Whipple\Desktop\dds.scr
[2011/07/08 09:03:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spencer Whipple\Desktop\old logs
[2011/07/07 20:40:31 | 000,889,344 | ---- | C] (G Data) -- C:\Documents and Settings\All Users\Application Data\defender.exe
[2011/07/07 18:21:51 | 000,000,000 | ---D | C] -- d:\My Documents\Malwarebytes' Anti-Malware
[2011/07/07 18:20:49 | 007,734,240 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Spencer Whipple\Desktop\mbam-setup.exe
[2011/07/07 17:19:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spencer Whipple\Local Settings\Application Data\{1AB7493D-C47E-4D65-9E3E-281963B85FA4}
[2011/07/07 17:19:28 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Spencer Whipple\Recent
[2011/07/07 17:11:41 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\bJ01603AdDlO01603
[2011/07/06 07:51:23 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2011/07/06 07:51:19 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/06/18 14:52:25 | 000,049,904 | R--- | C] (Avanquest Software) -- C:\WINDOWS\System32\drivers\BVRPMPR5.SYS
[2011/06/18 14:50:56 | 000,000,000 | ---D | C] -- C:\Netgear
[2009/12/13 22:21:34 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Spencer Whipple\Application Data\pcouffin.sys
[14 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2025/10/21 03:55:00 | 000,003,120 | ---- | M] () -- C:\WINDOWS\BQSHYJ2R.ocx
[2025/10/19 09:26:40 | 000,003,120 | ---- | M] () -- C:\WINDOWS\F9B5D4PH.ocx
[2025/10/17 14:58:19 | 000,003,120 | ---- | M] () -- C:\WINDOWS\VO63QJ2E.ocx
[2025/10/15 20:29:58 | 000,003,120 | ---- | M] () -- C:\WINDOWS\NWQNADHB.ocx
[2025/10/14 02:01:37 | 000,003,120 | ---- | M] () -- C:\WINDOWS\O83PPKBG.ocx
[2011/07/17 14:14:36 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Spencer Whipple\Desktop\OTL.exe
[2011/07/17 14:12:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/17 13:06:22 | 000,015,332 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\42j47r2uj6aay41syi34k231865m558y2f
[2011/07/17 13:06:21 | 000,015,332 | -HS- | M] () -- C:\Documents and Settings\Spencer Whipple\Local Settings\Application Data\42j47r2uj6aay41syi34k231865m558y2f
[2011/07/17 13:06:16 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/08 17:41:57 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/07/08 15:12:00 | 000,293,977 | ---- | M] () -- C:\Documents and Settings\Spencer Whipple\Desktop\gmer.zip
[2011/07/08 15:02:15 | 000,607,017 | R--- | M] (Swearware) -- C:\Documents and Settings\Spencer Whipple\Desktop\dds.scr
[2011/07/08 14:24:14 | 000,157,184 | ---- | M] () -- C:\Documents and Settings\Spencer Whipple\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/07/08 09:15:52 | 001,008,041 | ---- | M] () -- C:\Documents and Settings\Spencer Whipple\Desktop\rkill.scr
[2011/07/07 20:40:34 | 000,000,798 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malware Protection.lnk
[2011/07/07 20:40:31 | 000,889,344 | ---- | M] (G Data) -- C:\Documents and Settings\All Users\Application Data\defender.exe
[2011/07/07 20:18:45 | 000,369,085 | ---- | M] () -- C:\Documents and Settings\Spencer Whipple\Desktop\MiniToolBox.exe
[2011/07/07 20:14:19 | 000,879,028 | ---- | M] () -- C:\Documents and Settings\Spencer Whipple\Desktop\SecurityCheck.exe
[2011/07/07 18:21:56 | 000,000,569 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/07/07 18:20:49 | 007,734,240 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Spencer Whipple\Desktop\mbam-setup.exe
[2011/07/07 17:55:17 | 000,006,942 | ---- | M] () -- C:\Documents and Settings\Spencer Whipple\Application Data\555E.12D
[2011/07/07 17:19:57 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Tdorusigegobey.dat
[2011/07/07 17:19:57 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Idametomivokit.bin
[2011/07/07 09:23:04 | 079,377,509 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2011/07/06 07:51:27 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/06/30 07:47:02 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/06/29 03:04:30 | 000,442,888 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/06/29 03:04:30 | 000,072,154 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/06/28 23:43:49 | 000,017,471 | ---- | M] () -- C:\Documents and Settings\Spencer Whipple\Desktop\bafor.odt
[2011/06/24 14:33:39 | 001,114,494 | ---- | M] () -- C:\Documents and Settings\Spencer Whipple\Desktop\sherbrooke photo altered.bmp
[2011/06/23 23:24:43 | 001,577,838 | ---- | M] () -- C:\Documents and Settings\Spencer Whipple\Desktop\sherbrooke photo old city.bmp
[2011/06/23 20:44:31 | 001,573,634 | ---- | M] () -- C:\Documents and Settings\Spencer Whipple\Desktop\sherbrooke high level.bmp
[2011/06/23 20:42:51 | 001,114,494 | ---- | M] () -- C:\Documents and Settings\Spencer Whipple\Desktop\sherbrooke photo.bmp
[2011/06/18 15:11:33 | 000,005,885 | ---- | M] () -- C:\Documents and Settings\Spencer Whipple\Desktop\Router_Setup.html
[14 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2025/10/21 03:55:00 | 000,003,120 | ---- | C] () -- C:\WINDOWS\BQSHYJ2R.ocx
[2025/10/19 09:26:40 | 000,003,120 | ---- | C] () -- C:\WINDOWS\F9B5D4PH.ocx
[2025/10/17 14:58:19 | 000,003,120 | ---- | C] () -- C:\WINDOWS\VO63QJ2E.ocx
[2025/10/15 20:29:58 | 000,003,120 | ---- | C] () -- C:\WINDOWS\NWQNADHB.ocx
[2025/10/14 02:01:37 | 000,003,120 | ---- | C] () -- C:\WINDOWS\O83PPKBG.ocx
[2011/07/08 17:42:00 | 000,015,332 | -HS- | C] () -- C:\Documents and Settings\Spencer Whipple\Local Settings\Application Data\42j47r2uj6aay41syi34k231865m558y2f
[2011/07/08 17:42:00 | 000,015,332 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\42j47r2uj6aay41syi34k231865m558y2f
[2011/07/08 15:11:58 | 000,293,977 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Desktop\gmer.zip
[2011/07/08 09:15:50 | 001,008,041 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Desktop\rkill.scr
[2011/07/08 07:42:59 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/07/07 20:40:33 | 000,000,798 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malware Protection.lnk
[2011/07/07 20:18:45 | 000,369,085 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Desktop\MiniToolBox.exe
[2011/07/07 20:14:16 | 000,879,028 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Desktop\SecurityCheck.exe
[2011/07/07 18:21:56 | 000,000,569 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/07/07 17:19:57 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Tdorusigegobey.dat
[2011/07/07 17:19:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Idametomivokit.bin
[2011/07/07 17:13:47 | 000,006,942 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Application Data\555E.12D
[2011/06/28 23:26:34 | 000,017,471 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Desktop\bafor.odt
[2011/06/23 23:24:43 | 001,577,838 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Desktop\sherbrooke photo old city.bmp
[2011/06/23 23:16:13 | 001,114,494 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Desktop\sherbrooke photo altered.bmp
[2011/06/23 20:42:51 | 001,114,494 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Desktop\sherbrooke photo.bmp
[2011/06/23 20:36:50 | 001,573,634 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Desktop\sherbrooke high level.bmp
[2011/06/18 15:11:33 | 000,000,172 | R--- | C] () -- C:\Documents and Settings\Spencer Whipple\Desktop\Router Login.url
[2011/06/18 15:11:31 | 000,005,885 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Desktop\Router_Setup.html
[2011/05/14 02:33:01 | 000,064,157 | ---- | C] () -- C:\WINDOWS\War3Unin.dat
[2011/03/29 22:33:28 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Application Data\455599.ini
[2010/12/30 17:42:00 | 001,356,176 | -H-- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/09/02 17:48:23 | 000,049,152 | ---- | C] () -- C:\WINDOWS\Domino.exe
[2010/09/02 17:48:07 | 000,217,088 | ---- | C] () -- C:\WINDOWS\amcap.exe
[2010/08/22 12:33:56 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/06/21 19:41:58 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Local Settings\Application Data\housecall.guid.cache
[2010/06/21 17:31:45 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
[2010/06/06 20:54:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\webica.ini
[2010/05/17 21:33:39 | 000,017,592 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/13 22:22:42 | 000,001,169 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Application Data\vso_ts_preview.xml
[2009/12/13 22:21:34 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Application Data\inst.exe
[2009/12/13 22:21:34 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Application Data\pcouffin.cat
[2009/12/13 22:21:34 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Application Data\pcouffin.inf
[2009/11/10 22:39:45 | 000,000,026 | ---- | C] () -- C:\WINDOWS\WAR2R.INI
[2008/07/12 21:01:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2008/07/10 14:28:49 | 000,157,184 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/05/25 12:17:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/05/06 11:33:37 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/05/06 11:15:41 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4837.dll
[2008/05/06 11:15:39 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2008/05/06 11:14:33 | 000,001,220 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/10 13:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 13:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/10 13:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 13:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 12:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 12:57:15 | 000,115,768 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 12:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 12:51:20 | 000,442,888 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 12:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 12:51:20 | 000,072,154 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 12:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 12:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 12:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 12:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 12:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 12:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 12:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 12:50:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

========== Alternate Data Streams ==========

@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >

And Extras.txt:

OTL Extras logfile created on: 17/07/2011 2:15:18 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Spencer Whipple\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1012.88 Mb Total Physical Memory | 592.57 Mb Available Physical Memory | 58.50% Memory free
2.37 Gb Paging File | 2.07 Gb Available in Paging File | 87.17% Paging File free
Paging file location(s): C:\pagefile.sys 1512 3024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 20.00 Gb Total Space | 2.24 Gb Free Space | 11.22% Space Free | Partition Type: NTFS
Drive D: | 106.50 Gb Total Space | 28.77 Gb Free Space | 27.01% Space Free | Partition Type: NTFS

Computer Name: RAND | User Name: Spencer Whipple | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-731061896-4257502280-1421588278-1006\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"49882:TCP" = 49882:TCP:*:Enabled:vuze port
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Warcraft III\Warcraft III.exe" = C:\Program Files\Warcraft III\Warcraft III.exe:*:Disabled:Warcraft III
"D:\My Documents\Warcraft III\Warcraft III.exe" = D:\My Documents\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III -- (Blizzard Entertainment)
"C:\Program Files\Raptr\raptr.exe" = C:\Program Files\Raptr\raptr.exe:*:Enabled:Raptr Client
"C:\Program Files\Raptr\raptr_im.exe" = C:\Program Files\Raptr\raptr_im.exe:*:Enabled:Raptr IM
"C:\Program Files\Vuze\Azureus.exe" = C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus / Vuze -- (Vuze Inc.)
"C:\Documents and Settings\Spencer Whipple\Local Settings\Temp\7zSF.tmp\SymNRT.exe" = C:\Documents and Settings\Spencer Whipple\Local Settings\Temp\7zSF.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool -- (Symantec Corporation)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4 -- (Firaxis Games)
"E:\bin\IA\Core\MDM_Util.exe" = E:\bin\IA\Core\MDM_Util.exe:*:Enabled:MDM_Util


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{177D1318-3E4B-4A7C-A300-AC4E21BE090B}" = Broadcom Management Programs
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 21
"{26A24AE4-039D-4CA4-87B4-2F83216016F0}" = Java™ 6 Update 16
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java™ 6 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4377F918-E6C9-4ECA-A7F5-754B310B7ED8}" = Sid Meier's Civilization 4
"{44D02D8B-FFB3-4245-8D26-68D10B4C4023}" = ZSMC USB PC Camera (ZS0211)
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{51AFB69C-1C54-4C77-A888-2860F8CD3E7D}" = Paint.NET v3.31
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{626C034B-50B8-47BD-AF93-EEFD0FA78FF4}" = Character Builder
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour
"{C897FCB3-2F8B-4185-8035-79E2AF3A92A4}" = iTunes
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}" = Sid Meier's Civilization 4
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1" = ConvertXtoDVD 4.0.3.312
"{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}" = COWON Media Center - jetAudio Basic
"{DFF135C9-274E-443B-B2D1-FF0FD93EE790}" = calibre
"{E56D5DC8-4C73-44B1-B650-AAD75C7A2701}" = Broadcom ASF Management Applications
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"7-Zip" = 7-Zip 4.58 beta
"8461-7759-5462-8226" = Vuze
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AVG9Uninstall" = AVG Free 9.0
"CDisplay_is1" = CDisplay 1.8
"Foxit Reader" = Foxit Reader
"GNU Aspell_is1" = GNU Aspell 0.50-3
"Google Desktop" = Google Desktop
"GTK 2.0" = GTK+ Runtime 2.12.8 rev a (remove only)
"HDMI" = Intel® Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SearchAssist" = SearchAssist
"VLC media player" = VLC media player 1.1.9
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-731061896-4257502280-1421588278-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Warcraft III" = Warcraft III: All Products

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 22/05/2011 12:51:58 AM | Computer Name = RAND | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x05259290.

Error - 22/05/2011 12:52:03 AM | Computer Name = RAND | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

Error - 22/05/2011 11:08:07 AM | Computer Name = RAND | Source = Broadcom ASF IP and SMBIOS Mailbox Monitor | ID = 0
Description =

Error - 25/05/2011 8:13:32 AM | Computer Name = RAND | Source = Broadcom ASF IP and SMBIOS Mailbox Monitor | ID = 0
Description =

Error - 27/05/2011 8:16:32 AM | Computer Name = RAND | Source = Broadcom ASF IP and SMBIOS Mailbox Monitor | ID = 0
Description =

Error - 29/05/2011 10:57:46 AM | Computer Name = RAND | Source = Broadcom ASF IP and SMBIOS Mailbox Monitor | ID = 0
Description =

Error - 30/05/2011 8:27:49 PM | Computer Name = RAND | Source = Broadcom ASF IP and SMBIOS Mailbox Monitor | ID = 0
Description =

Error - 30/05/2011 8:35:47 PM | Computer Name = RAND | Source = Broadcom ASF IP and SMBIOS Mailbox Monitor | ID = 0
Description =

Error - 30/05/2011 8:38:31 PM | Computer Name = RAND | Source = Broadcom ASF IP and SMBIOS Mailbox Monitor | ID = 0
Description =

Error - 03/06/2011 9:03:16 AM | Computer Name = RAND | Source = Broadcom ASF IP and SMBIOS Mailbox Monitor | ID = 0
Description =

[ System Events ]
Error - 22/04/2011 11:16:34 AM | Computer Name = RAND | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Microsoft
Office\Office12\EXCEL.EXE. Reference error message: The operation completed successfully.
.

Error - 22/04/2011 11:16:41 AM | Computer Name = RAND | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.Windows.Common-Controls.mui.
Reference
error message: The system cannot find the path specified. .

Error - 22/04/2011 11:16:41 AM | Computer Name = RAND | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Microsoft
Office\Office12\EXCEL.EXE. Reference error message: The operation completed successfully.
.

Error - 22/04/2011 11:16:42 AM | Computer Name = RAND | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.Windows.Common-Controls.
Reference
error message: The system cannot find the path specified. .

Error - 22/04/2011 11:16:42 AM | Computer Name = RAND | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Microsoft
Office\Office12\EXCEL.EXE. Reference error message: The operation completed successfully.
.

Error - 22/04/2011 11:16:43 AM | Computer Name = RAND | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.Windows.Common-Controls.
Reference
error message: The system cannot find the path specified. .

Error - 22/04/2011 11:16:43 AM | Computer Name = RAND | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Microsoft
Office\Office12\EXCEL.EXE. Reference error message: The operation completed successfully.
.

Error - 06/05/2011 10:38:35 PM | Computer Name = RAND | Source = DCOM | ID = 10010
Description = The server {DC0C2640-1415-4644-875C-6F4D769839BA} did not register
with DCOM within the required timeout.

Error - 12/05/2011 8:40:36 PM | Computer Name = RAND | Source = DCOM | ID = 10010
Description = The server {DC0C2640-1415-4644-875C-6F4D769839BA} did not register
with DCOM within the required timeout.

Error - 19/05/2011 9:15:03 PM | Computer Name = RAND | Source = DCOM | ID = 10010
Description = The server {DC0C2640-1415-4644-875C-6F4D769839BA} did not register
with DCOM within the required timeout.


< End of report >
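The two reports above are what a removal helper reads by hand; the example below is an added triage script for this page (not part of OTL, not BleepingComputer's procedure, and not something either poster ran). It parses the file-entry and registry-value line shapes that OTL.txt and Extras.txt use and flags the points the helper's questions are circling: entries whose timestamp is later than the scan itself (the 2025-dated .ocx files in a July 2011 log), random-looking names dropped into C:\WINDOWS or an Application Data folder, executables created directly in those folders, and Security Center / firewall values that sit in the "off" or "silenced" state. The embedded sample is a handful of lines copied from the logs above; the scan time is taken from the Extras.txt header; the name heuristic, the drop-directory list and the weak-setting table are this example's own assumptions.

```python
r"""Triage helper for OTL (OldTimer's List It) log excerpts.

Added example for this page: not part of OTL or of anything the posters
ran. It reads the two line shapes seen in the OTL.txt / Extras.txt output,

  [YYYY/MM/DD HH:MM:SS | 000,003,120 | -HS- | C] (Company) -- C:\path
  [HKEY_LOCAL_MACHINE\...]   followed by   "ValueName" = 1

and flags what a removal helper checks first. The name heuristic, the
drop-directory list and the weak-setting table are assumptions, not OTL rules.
"""
import re
from datetime import datetime
from pathlib import PureWindowsPath

FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)" = (?P<value>\S+)')

# Stem of letters and digits only, at least one of each, eight or more
# characters, no separators: the shape of dropper-generated names.
RANDOM_STEM_RE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9]{8,}$")
EXEC_EXTS = {".exe", ".dll", ".ocx", ".scr", ".sys", ".com"}
# Security Center / firewall values in the state that means "off" or "silenced".
WEAK_SETTINGS = {
    "AntiVirusOverride": "1", "FirewallOverride": "1",
    "AntiVirusDisableNotify": "1", "FirewallDisableNotify": "1",
    "UpdatesDisableNotify": "1", "EnableFirewall": "0",
}
# Scan time from the "OTL Extras logfile created on: 17/07/2011 2:15:18 PM" header.
SCAN_DATE = datetime(2011, 7, 17, 14, 15, 18)


def _is_drop_dir(parent: PureWindowsPath) -> bool:
    """True for the Windows directory itself or any 'Application Data' folder."""
    return str(parent).lower() == r"c:\windows" or parent.name.lower() == "application data"


def triage(log_text: str, scan_date: datetime) -> list:
    """Return one finding dict per suspicious file entry or weak registry value."""
    findings, current_key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = REG_KEY_RE.match(line)
        if key_match:                       # remember which key later values belong to
            current_key = key_match.group(1)
            continue
        value_match = REG_VALUE_RE.match(line)
        if value_match and current_key:
            name, value = value_match.group("name"), value_match.group("value")
            if WEAK_SETTINGS.get(name) == value:
                findings.append({"kind": "registry", "key": current_key, "name": name,
                                 "value": value, "reasons": ["protection disabled or silenced"]})
            continue
        m = FILE_RE.match(line)
        if not m:
            continue
        path = PureWindowsPath(m.group("path"))
        stamp = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        reasons = []
        if stamp > scan_date:               # a file cannot honestly post-date the scan
            reasons.append(f"timestamp {stamp:%Y-%m-%d} is after the scan date {scan_date:%Y-%m-%d}")
        if RANDOM_STEM_RE.match(path.stem):
            reasons.append(f"random-looking name {path.name}")
        if path.suffix.lower() in EXEC_EXTS and _is_drop_dir(path.parent):
            reasons.append(f"executable created directly in {path.parent}")
        if reasons:
            findings.append({"kind": "file", "path": str(path), "attrs": m.group("attrs"),
                             "company": m.group("company") or "", "reasons": reasons})
    return findings


def report(findings: list) -> str:
    """One line per finding; attributes are printed so -HS- (hidden+system) stands out."""
    out = []
    for f in findings:
        if f["kind"] == "file":
            out.append(f"FILE {f['attrs']} {f['path']}  <- " + "; ".join(f["reasons"]))
        else:
            out.append(f"REG  {f['key']}\\{f['name']} = {f['value']}  <- " + "; ".join(f["reasons"]))
    return "\n".join(out)


# Excerpt copied from the OTL logs above; the selection of lines is ours.
SAMPLE_LOG = r"""
[2025/10/21 03:55:00 | 000,003,120 | ---- | C] () -- C:\WINDOWS\BQSHYJ2R.ocx
[2011/07/08 17:42:00 | 000,015,332 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\42j47r2uj6aay41syi34k231865m558y2f
[2011/07/07 20:40:31 | 000,889,344 | ---- | C] (G Data) -- C:\Documents and Settings\All Users\Application Data\defender.exe
[2011/07/07 17:11:41 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\bJ01603AdDlO01603
[2011/07/07 18:20:49 | 007,734,240 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Spencer Whipple\Desktop\mbam-setup.exe
[2004/08/10 13:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 1
"FirewallOverride" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"""

if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG, SCAN_DATE)))
```

A hit from this script is a lead, not a verdict: legitimate files such as bootstat.dat carry the system attribute and live in C:\WINDOWS, so attributes alone are never a reason here, and a company string like "G Data" on defender.exe is only text the dropper chose to write. Confirming a flagged file still means submitting it to a multi-engine scanner, which is exactly the next step the helper asks for below.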

#6 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:09:57 PM

Posted 17 July 2011 - 01:40 PM

Hi!

This may not be good. I need to see what an online file scanner site says about a file on your computer.

VirusTotal File Scan
Please go to: VirusTotal
  • Click the Choose File button and search for the following file: C:\WINDOWS\Domino.exe
  • Click Open
  • Then click Send File
If it says already scanned -- click "reanalyze now"

  • Please be patient while the file is scanned.
  • Once the scan results appear, please click on the Compact button.
  • A new window should appear with a bunch of tabs at the top. Please click on the BBCode tab.
  • Copy and Paste the contents of the text in the BBCode into your next reply for me to review.

Please post the results in your next reply

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#7 th3d00d

  • Topic Starter
  • Members
  • 19 posts

Posted 17 July 2011 - 01:50 PM

Hi ST :)

I ran the scan as instructed, but when I clicked on the "Compact" button, the window which appears simply says "Not found". The rest of the window is white.

Edited by th3d00d, 17 July 2011 - 01:51 PM.


#8 SweetTech

    Agent ST

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 17 July 2011 - 01:53 PM

Okay. Can you copy and paste the contents of the scan results? I want to see if anything was detected by the scanners.



#9 th3d00d

  • Topic Starter
  • Members
  • 19 posts

Posted 17 July 2011 - 01:58 PM

Heh, sorry, I should have done that in the previous reply. My bad. :)

File name: Domino.exe
Submission date: 2011-07-17 18:41:30 (UTC)


Result: 0/ 43 (0.0%)
Antivirus Version Last Update Result
AhnLab-V3 2011.07.18.00 2011.07.17 -
AntiVir 7.11.11.173 2011.07.17 -
Antiy-AVL 2.0.3.7 2011.07.15 -
Avast 4.8.1351.0 2011.07.17 -
Avast5 5.0.677.0 2011.07.17 -
AVG 10.0.0.1190 2011.07.17 -
BitDefender 7.2 2011.07.17 -
CAT-QuickHeal 11.00 2011.07.17 -
ClamAV 0.97.0.0 2011.07.17 -
Commtouch 5.3.2.6 2011.07.17 -
Comodo 9419 2011.07.17 -
DrWeb 5.0.2.03300 2011.07.17 -
Emsisoft 5.1.0.8 2011.07.17 -
eSafe 7.0.17.0 2011.07.17 -
eTrust-Vet 36.1.8446 2011.07.15 -
F-Prot 4.6.2.117 2011.07.17 -
F-Secure 9.0.16440.0 2011.07.17 -
Fortinet 4.2.257.0 2011.07.17 -
GData 22 2011.07.17 -
Ikarus T3.1.1.104.0 2011.07.17 -
Jiangmin 13.0.900 2011.07.14 -
K7AntiVirus 9.108.4911 2011.07.15 -
Kaspersky 9.0.0.837 2011.07.17 -
McAfee 5.400.0.1158 2011.07.17 -
McAfee-GW-Edition 2010.1D 2011.07.17 -
Microsoft 1.7000 2011.07.17 -
NOD32 6302 2011.07.17 -
Norman 6.07.10 2011.07.17 -
nProtect 2011-07-17.01 2011.07.17 -
Panda 10.0.3.5 2011.07.17 -
PCTools 8.0.0.5 2011.07.13 -
Prevx 3.0 2011.07.17 -
Rising 23.66.04.03 2011.07.15 -
Sophos 4.67.0 2011.07.17 -
SUPERAntiSpyware 4.40.0.1006 2011.07.17 -
Symantec 20111.1.0.186 2011.07.17 -
TheHacker 6.7.0.1.257 2011.07.17 -
TrendMicro 9.200.0.1012 2011.07.17 -
TrendMicro-HouseCall 9.200.0.1012 2011.07.17 -
VBA32 3.12.16.4 2011.07.15 -
VIPRE 9885 2011.07.17 -
ViRobot 2011.7.16.4573 2011.07.17 -
VirusBuster 14.0.127.0 2011.07.16 -
Additional information
MD5 : 5603c2c8940f5e43864d4000304ab175
SHA1 : f22234ed04ad1220b28cacaabc2ab0361ce6fe11
SHA256: aea3c84d561c605bb42968e98c6024909b6ad8cba64c45aed6343495fc78ab58
ssdeep: 384:2kG0uunnXM+C23lgQbBVYPP9ewsGTybD9TP4+Ylav6/ge+c7NkCDhOK6qhxaKE9t:24nXMZ7CIYwsjp9C7Nn16q39khs7JK1
File size : 49152 bytes
First seen: 2007-11-19 22:58:10
Last seen : 2011-07-17 18:41:30
TrID:
Win64 Executable Generic (58.7%)
Win32 Executable MS Visual C++ (generic) (25.8%)
Win32 Executable Generic (5.8%)
Win32 Dynamic Link Library (generic) (5.2%)
Win32 Executable MS Visual FoxPro 7 (1.5%)
sigcheck:
publisher....:
copyright....: Copyright ©
product......: Domino
description..:
original name:
internal name:
file version.: 3, 6, 818, 7
comments.....: For Windows XP only
signers......: -
signing date.: -
verified.....: Unsigned

PEiD: InstallShield 2000
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x2590
timedatestamp....: 0x44E58125 (Fri Aug 18 08:58:13 2006)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x5475, 0x6000, 5.99, eb40aa04898b145b39ad6fed65d76aea
.rdata, 0x7000, 0xD0E, 0x1000, 4.86, ac8f8ad613fec801923e04b97959ead4
.data, 0x8000, 0x5A98, 0x3000, 0.65, d87ce043bef47f3a61d4950c786abbce
.rsrc, 0xE000, 0x360, 0x1000, 0.90, aafef067de0eebfa29c644d3bdefbed3

[[ 4 import(s) ]]
KERNEL32.dll: CloseHandle, GetLastError, CreateMutexA, UnmapViewOfFile, MapViewOfFile, Sleep, CreateFileMappingA, GetSystemTime, SetFilePointer, LoadLibraryA, GetProcAddress, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, FlushFileBuffers, SetStdHandle, IsBadCodePtr, IsBadWritePtr, IsBadReadPtr, SetUnhandledExceptionFilter, VirtualAlloc, WriteFile, VirtualFree, HeapCreate, HeapDestroy, GetFileType, GetStdHandle, SetHandleCount, RtlUnwind, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, HeapFree, HeapAlloc, WideCharToMultiByte, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, MultiByteToWideChar, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, GetCPInfo, GetACP, GetOEMCP
USER32.dll: DispatchMessageA, TranslateMessage, TranslateAcceleratorA, GetMessageA, LoadAcceleratorsA, RegisterDeviceNotificationA, UnregisterDeviceNotification, RegisterClassExA, CreateWindowExA, PostQuitMessage, DefWindowProcA
ole32.dll: CreateBindCtx, CoUninitialize, CoGetMalloc, CoCreateInstance, MkParseDisplayName, CoInitialize
OLEAUT32.dll: -, -

ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 24576
Comments: For Windows XP only
CompanyName:
EntryPoint: 0x2590
FileDescription:
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 48 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 3, 6, 818, 7
FileVersionNumber: 3.6.818.7
ImageVersion: 0.0
InitializedDataSize: 32768
InternalName:
LanguageCode: English (U.S.)
LegalCopyright: Copyright ©
LegalTrademarks:
LinkerVersion: 6.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Executable application
OriginalFilename:
PEType: PE32
PrivateBuild:
ProductName: Domino
ProductVersion: 3, 6, 818, 7
ProductVersionNumber: 3.6.818.7
SpecialBuild:
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2006:08:18 10:58:13+02:00
UninitializedDataSize: 0

#10 SweetTech

    Agent ST

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 17 July 2011 - 02:00 PM

Hi!

No worries. It looks like that file is clean, so it doesn't appear to be the infection I was thinking it was going to be, which is a good thing.

Looks like you have a rootkit infection.

Do you happen to recognize this file?

[2011/06/28 23:43:49 | 000,017,471 | ---- | M] () -- C:\Documents and Settings\Spencer Whipple\Desktop\bafor.odt

------------------

Running TDSSKiller

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the textbox.
    :Services
    :Processes
    KILLALLPROCESSES
    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (no name) - {9bb815eb-3f9f-4e11-9150-cb70e29b40fc} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {9bb815eb-3f9f-4e11-9150-cb70e29b40fc} - No CLSID value found.
    O3 - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
    O3 - HKU\S-1-5-21-731061896-4257502280-1421588278-1006\..\Toolbar\WebBrowser: (no name) - {9BB815EB-3F9F-4E11-9150-CB70E29B40FC} - No CLSID value found.
    O4 - HKU\S-1-5-21-731061896-4257502280-1421588278-1006..\Run: [Security Protection] C:\Documents and Settings\All Users\Application Data\defender.exe (G Data)
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
    O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O33 - MountPoints2\{dbca412d-97b1-11df-aaf9-001ec93c74d4}\Shell - "" = AutoRun
    O33 - MountPoints2\{dbca412d-97b1-11df-aaf9-001ec93c74d4}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{dbca412d-97b1-11df-aaf9-001ec93c74d4}\Shell\AutoRun\command - "" = F:\DigitalPhotoKeychain.EXE
    [2011/07/07 20:40:31 | 000,889,344 | ---- | C] (G Data) -- C:\Documents and Settings\All Users\Application Data\defender.exe
    [2011/07/07 17:19:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spencer Whipple\Local Settings\Application Data\{1AB7493D-C47E-4D65-9E3E-281963B85FA4}
    [2011/07/07 17:11:41 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\bJ01603AdDlO01603
    [14 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2025/10/21 03:55:00 | 000,003,120 | ---- | M] () -- C:\WINDOWS\BQSHYJ2R.ocx
    [2025/10/19 09:26:40 | 000,003,120 | ---- | M] () -- C:\WINDOWS\F9B5D4PH.ocx
    [2025/10/17 14:58:19 | 000,003,120 | ---- | M] () -- C:\WINDOWS\VO63QJ2E.ocx
    [2025/10/15 20:29:58 | 000,003,120 | ---- | M] () -- C:\WINDOWS\NWQNADHB.ocx
    [2025/10/14 02:01:37 | 000,003,120 | ---- | M] () -- C:\WINDOWS\O83PPKBG.ocx
    [2011/07/17 13:06:22 | 000,015,332 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\42j47r2uj6aay41syi34k231865m558y2f
    [2011/07/17 13:06:21 | 000,015,332 | -HS- | M] () -- C:\Documents and Settings\Spencer Whipple\Local Settings\Application Data\42j47r2uj6aay41syi34k231865m558y2f
    [2011/07/07 20:40:34 | 000,000,798 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malware Protection.lnk
    [2011/07/07 20:40:31 | 000,889,344 | ---- | M] (G Data) -- C:\Documents and Settings\All Users\Application Data\defender.exe
    [2011/07/07 17:55:17 | 000,006,942 | ---- | M] () -- C:\Documents and Settings\Spencer Whipple\Application Data\555E.12D
    [2011/07/07 17:19:57 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Tdorusigegobey.dat
    [2011/07/07 17:19:57 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Idametomivokit.bin
    [14 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2025/10/21 03:55:00 | 000,003,120 | ---- | C] () -- C:\WINDOWS\BQSHYJ2R.ocx
    [2025/10/19 09:26:40 | 000,003,120 | ---- | C] () -- C:\WINDOWS\F9B5D4PH.ocx
    [2025/10/17 14:58:19 | 000,003,120 | ---- | C] () -- C:\WINDOWS\VO63QJ2E.ocx
    [2025/10/15 20:29:58 | 000,003,120 | ---- | C] () -- C:\WINDOWS\NWQNADHB.ocx
    [2025/10/14 02:01:37 | 000,003,120 | ---- | C] () -- C:\WINDOWS\O83PPKBG.ocx
    [2011/07/08 17:42:00 | 000,015,332 | -HS- | C] () -- C:\Documents and Settings\Spencer Whipple\Local Settings\Application Data\42j47r2uj6aay41syi34k231865m558y2f
    [2011/07/08 17:42:00 | 000,015,332 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\42j47r2uj6aay41syi34k231865m558y2f
    [2011/07/07 20:40:33 | 000,000,798 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malware Protection.lnk
    [2011/07/07 17:19:57 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Tdorusigegobey.dat
    [2011/07/07 17:19:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Idametomivokit.bin
    [2011/07/07 17:13:47 | 000,006,942 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Application Data\555E.12D
    [2009/12/13 22:21:34 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Spencer Whipple\Application Data\inst.exe
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
    @Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    
    :Reg
    
    :Files
    C:\Documents and Settings\All Users\Application Data\bJ01603AdDlO01603
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Click the button to run the fix.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.



#11 th3d00d

  • Topic Starter
  • Members
  • 19 posts

Posted 17 July 2011 - 02:10 PM

Thanks ST. I will run the OTL fix in a moment.

Here is the TDSSKiller log:

2011/07/17 15:05:32.0984 1608 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/17 15:05:33.0375 1608 ================================================================================
2011/07/17 15:05:33.0375 1608 SystemInfo:
2011/07/17 15:05:33.0375 1608
2011/07/17 15:05:33.0375 1608 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/17 15:05:33.0375 1608 Product type: Workstation
2011/07/17 15:05:33.0375 1608 ComputerName: RAND
2011/07/17 15:05:33.0375 1608 UserName: Spencer Whipple
2011/07/17 15:05:33.0375 1608 Windows directory: C:\WINDOWS
2011/07/17 15:05:33.0375 1608 System windows directory: C:\WINDOWS
2011/07/17 15:05:33.0375 1608 Processor architecture: Intel x86
2011/07/17 15:05:33.0375 1608 Number of processors: 2
2011/07/17 15:05:33.0375 1608 Page size: 0x1000
2011/07/17 15:05:33.0375 1608 Boot type: Safe boot with network
2011/07/17 15:05:33.0375 1608 ================================================================================
2011/07/17 15:05:34.0640 1608 Initialize success
2011/07/17 15:05:37.0046 1664 ================================================================================
2011/07/17 15:05:37.0046 1664 Scan started
2011/07/17 15:05:37.0046 1664 Mode: Manual;
2011/07/17 15:05:37.0046 1664 ================================================================================
2011/07/17 15:05:44.0812 1664 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/07/17 15:05:44.0875 1664 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/17 15:05:44.0921 1664 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/17 15:05:44.0953 1664 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/17 15:05:45.0000 1664 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/17 15:05:45.0031 1664 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/17 15:05:45.0093 1664 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/07/17 15:05:45.0140 1664 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/17 15:05:45.0171 1664 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/07/17 15:05:45.0218 1664 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/17 15:05:45.0312 1664 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/07/17 15:05:45.0343 1664 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/07/17 15:05:45.0359 1664 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/17 15:05:45.0406 1664 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/17 15:05:45.0437 1664 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/17 15:05:45.0453 1664 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/07/17 15:05:45.0484 1664 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/17 15:05:45.0531 1664 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/07/17 15:05:45.0562 1664 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/07/17 15:05:45.0593 1664 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/17 15:05:45.0656 1664 vvftav211 (af0850cfd99e9e5e142537cd601bcb72) C:\WINDOWS\system32\drivers\vvftav211.sys
2011/07/17 15:05:45.0718 1664 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/17 15:05:45.0781 1664 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/17 15:05:45.0937 1664 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/07/17 15:05:45.0984 1664 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/07/17 15:05:46.0078 1664 ZSMC30x (17ee5fa37c15edae826a7cfae227bc0b) C:\WINDOWS\system32\Drivers\ZS211.sys
2011/07/17 15:05:46.0156 1664 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0
2011/07/17 15:05:46.0171 1664 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)
2011/07/17 15:05:46.0187 1664 Boot (0x1200) (74f974d6685c270b5f53f5a064a06e0f) \Device\Harddisk0\DR0\Partition0
2011/07/17 15:05:46.0234 1664 Boot (0x1200) (78282e5b01b4f104b7cfc9ea05fb8067) \Device\Harddisk0\DR0\Partition1
2011/07/17 15:05:46.0250 1664 ================================================================================
2011/07/17 15:05:46.0250 1664 Scan finished
2011/07/17 15:05:46.0250 1664 ================================================================================
2011/07/17 15:05:46.0281 0592 Detected object count: 1
2011/07/17 15:05:46.0281 0592 Actual detected object count: 1
2011/07/17 15:06:05.0453 0592 \Device\Harddisk0\DR0 (Rootkit.Boot.SST.a) - will be cured after reboot
2011/07/17 15:06:05.0453 0592 \Device\Harddisk0\DR0 - ok
2011/07/17 15:06:05.0453 0592 Rootkit.Boot.SST.a(\Device\Harddisk0\DR0) - User select action: Cure
2011/07/17 15:06:11.0828 1080 Deinitialize success

#12 th3d00d

th3d00d
  • Topic Starter
  • Members
  • 19 posts

Posted 17 July 2011 - 02:17 PM

EDIT: Sorry, a bit distracted here. bafor.odt is... er... a DnD character on an OpenOffice text file... yes, I'm a geek who doesn't know computers...

And here are the results from the OTL fix:

All processes killed
========== SERVICES/DRIVERS ==========
========== PROCESSES ==========
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9bb815eb-3f9f-4e11-9150-cb70e29b40fc}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9bb815eb-3f9f-4e11-9150-cb70e29b40fc}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{9bb815eb-3f9f-4e11-9150-cb70e29b40fc} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9bb815eb-3f9f-4e11-9150-cb70e29b40fc}\ not found.
Registry value HKEY_USERS\S-1-5-21-731061896-4257502280-1421588278-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{472734EA-242A-422B-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}\ not found.
Registry value HKEY_USERS\S-1-5-21-731061896-4257502280-1421588278-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{9BB815EB-3F9F-4E11-9150-CB70E29B40FC} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB815EB-3F9F-4E11-9150-CB70E29B40FC}\ not found.
Registry value HKEY_USERS\S-1-5-21-731061896-4257502280-1421588278-1006\Software\Microsoft\Windows\CurrentVersion\Run\\Security Protection deleted successfully.
C:\Documents and Settings\All Users\Application Data\defender.exe moved successfully.
Starting removal of ActiveX control {67DABFBF-D0AB-41FA-9C46-CC0F21721616}
C:\WINDOWS\Downloaded Program Files\DivXPlugin.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dbca412d-97b1-11df-aaf9-001ec93c74d4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dbca412d-97b1-11df-aaf9-001ec93c74d4}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dbca412d-97b1-11df-aaf9-001ec93c74d4}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dbca412d-97b1-11df-aaf9-001ec93c74d4}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dbca412d-97b1-11df-aaf9-001ec93c74d4}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dbca412d-97b1-11df-aaf9-001ec93c74d4}\ not found.
File F:\DigitalPhotoKeychain.EXE not found.
File C:\Documents and Settings\All Users\Application Data\defender.exe not found.
C:\Documents and Settings\Spencer Whipple\Local Settings\Application Data\{1AB7493D-C47E-4D65-9E3E-281963B85FA4}\chrome\content folder moved successfully.
C:\Documents and Settings\Spencer Whipple\Local Settings\Application Data\{1AB7493D-C47E-4D65-9E3E-281963B85FA4}\chrome folder moved successfully.
C:\Documents and Settings\Spencer Whipple\Local Settings\Application Data\{1AB7493D-C47E-4D65-9E3E-281963B85FA4} folder moved successfully.
Folder C:\Documents and Settings\All Users\Application Data\bJ01603AdDlO01603\ not found.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SET2E.tmp deleted successfully.
C:\WINDOWS\System32\SET30.tmp deleted successfully.
C:\WINDOWS\System32\SET34.tmp deleted successfully.
C:\WINDOWS\System32\SET35.tmp deleted successfully.
C:\WINDOWS\System32\SET3C.tmp deleted successfully.
C:\WINDOWS\System32\SET5F.tmp deleted successfully.
C:\WINDOWS\System32\SET67.tmp deleted successfully.
C:\WINDOWS\System32\SET6A.tmp deleted successfully.
C:\WINDOWS\System32\SET76.tmp deleted successfully.
C:\WINDOWS\System32\SET77.tmp deleted successfully.
C:\WINDOWS\System32\SET87.tmp deleted successfully.
C:\WINDOWS\System32\SET89.tmp deleted successfully.
C:\WINDOWS\System32\SET98.tmp deleted successfully.
C:\WINDOWS\002891_.tmp deleted successfully.
C:\WINDOWS\BQSHYJ2R.ocx moved successfully.
C:\WINDOWS\F9B5D4PH.ocx moved successfully.
C:\WINDOWS\VO63QJ2E.ocx moved successfully.
C:\WINDOWS\NWQNADHB.ocx moved successfully.
C:\WINDOWS\O83PPKBG.ocx moved successfully.
C:\Documents and Settings\All Users\Application Data\42j47r2uj6aay41syi34k231865m558y2f moved successfully.
C:\Documents and Settings\Spencer Whipple\Local Settings\Application Data\42j47r2uj6aay41syi34k231865m558y2f moved successfully.
C:\Documents and Settings\All Users\Desktop\Malware Protection.lnk moved successfully.
File C:\Documents and Settings\All Users\Application Data\defender.exe not found.
C:\Documents and Settings\Spencer Whipple\Application Data\555E.12D moved successfully.
C:\WINDOWS\Tdorusigegobey.dat moved successfully.
C:\WINDOWS\Idametomivokit.bin moved successfully.
File C:\WINDOWS\BQSHYJ2R.ocx not found.
File C:\WINDOWS\F9B5D4PH.ocx not found.
File C:\WINDOWS\VO63QJ2E.ocx not found.
File C:\WINDOWS\NWQNADHB.ocx not found.
File C:\WINDOWS\O83PPKBG.ocx not found.
File C:\Documents and Settings\Spencer Whipple\Local Settings\Application Data\42j47r2uj6aay41syi34k231865m558y2f not found.
File C:\Documents and Settings\All Users\Application Data\42j47r2uj6aay41syi34k231865m558y2f not found.
File C:\Documents and Settings\All Users\Desktop\Malware Protection.lnk not found.
File C:\WINDOWS\Tdorusigegobey.dat not found.
File C:\WINDOWS\Idametomivokit.bin not found.
File C:\Documents and Settings\Spencer Whipple\Application Data\555E.12D not found.
C:\Documents and Settings\Spencer Whipple\Application Data\inst.exe moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\All Users\Application Data\bJ01603AdDlO01603 folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Spencer Whipple\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Spencer Whipple\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Error starting restore point: The function was called in safe mode.
Error closing restore point: The sequence number is invalid.

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 4032744 bytes
->Temporary Internet Files folder emptied: 6381201 bytes
->Flash cache emptied: 456 bytes

User: All Users

User: Default User
->Temp folder emptied: 49152 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 24326952 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 129232077 bytes

User: Spencer Whipple
->Temp folder emptied: 287966991 bytes
->Temporary Internet Files folder emptied: 205062558 bytes
->Java cache emptied: 327757239 bytes
->Apple Safari cache emptied: 55296 bytes
->Flash cache emptied: 171000 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 269340886 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 103698824 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,295.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: Spencer Whipple
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.26.1 log created on 07172011_151128

Edited by th3d00d, 17 July 2011 - 02:22 PM.


#13 SweetTech

SweetTech

    Agent ST

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 17 July 2011 - 05:08 PM

Hi!

Okay, thanks for the clarification on that file.

Looks like TDSSKiller found the rootkit infection.

Please be sure to provide me with an update on what issues you are still experiencing in your next reply.

Please yield this warning:

One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer; could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus and anti-spyware programs while performing scans so there are no conflicts; it will also speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#14 th3d00d

th3d00d
  • Topic Starter
  • Members
  • 19 posts

Posted 17 July 2011 - 05:56 PM

Hi ST :)

I can now run programs in Normal Mode again. However, MBAM is having trouble updating. I receive the following window:

An error has occurred. Please report this error code to our support team

PROGRAM_ERROR_UPDATING (5, 0, CreateFile)

Access is denied.

EDIT: In addition, my programs are still being hidden. Quicklaunch icons do not show nor do a lot of programs in the start menu. Google does not seem to redirect anymore.

Edited by th3d00d, 17 July 2011 - 06:57 PM.


#15 th3d00d

th3d00d
  • Topic Starter
  • Members
  • 19 posts

Posted 17 July 2011 - 08:02 PM

MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 7178

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

17/07/2011 6:50:06 PM
mbam-log-2011-07-17 (18-50-06).txt

Scan type: Quick scan
Objects scanned: 166366
Time elapsed: 3 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Spencer Whipple\Local Settings\Application Data\ldk.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET Log

C:\_OTL\MovedFiles\07172011_151128\C_Documents and Settings\All Users\Application Data\defender.exe a variant of Win32/Kryptik.QIA trojan
D:\My Documents\CIVILIZATION 4 v1.52 on Brett (Brett)\PowerISO[1].2.61_CRK-FFF.rar a variant of Win32/Packed.CrackPack.A application

Security Checkup Log


Results of screen317's Security Check version 0.99.17
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

AVG Free 9.0
ESET Online Scanner v3
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 21
Java™ 6 Update 16
Java™ 6 Update 4
Java™ 6 Update 5
Out of date Java installed!
Flash Player Out of Date!
Adobe Flash Player 9.0.124.0
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````
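Added example, not part of the thread and not Malwarebytes' code: a small Python triage helper for the MBAM 1.x log format posted above. It parses the "Registry Data Items Infected:" section, using the four entries from that log as constructed sample input, and flags the two tamper patterns they show: the browser launch command rewritten to run ldk.exe first, and the Security Center notification values set to 1.

```python
"""Triage helper for the Malwarebytes' Anti-Malware 1.x log format shown in this thread.

It pulls the entries out of the 'Registry Data Items Infected:' section and flags
two tamper patterns a defender should follow up on even after MBAM reports them
as 'Quarantined and deleted successfully':
  * a StartMenuInternet shell/open/command value rewritten so that a foreign
    binary is launched with the real browser path as its argument, and
  * Security Center *DisableNotify values set to 1 (AV/firewall/update alerts silenced).
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: the four entries copied from the MBAM log posted above,
# wrapped in the surrounding section headers so the section logic is exercised.
SAMPLE_LOG = r"""Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Spencer Whipple\Local Settings\Application Data\ldk.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# One MBAM 1.x registry-data entry:
#   <key> (<detection>) -> Bad: (<bad>) Good: (<good>) -> <action>
# The key itself may contain spaces ("Security Center") and "\(default)", so it is
# matched non-greedily up to the first " (" that starts the detection name.
ENTRY_RE = re.compile(
    r"^(?P<key>.+?) \((?P<detection>[^()]+)\) -> Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.+)$"
)
SECURITY_CENTER_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\"


@dataclass
class RegistryFinding:
    key: str
    detection: str
    bad: str
    good: str
    action: str


def parse_registry_data_items(log_text: str) -> List[RegistryFinding]:
    """Return the parsed entries of the 'Registry Data Items Infected:' section."""
    findings: List[RegistryFinding] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Registry Data Items Infected:":      # section header (summary line has a count)
            in_section = True
            continue
        if in_section and line.endswith("Infected:"):    # next section begins
            break
        if not in_section or not line or line.startswith("(No malicious"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            findings.append(RegistryFinding(**m.groupdict()))
    return findings


def disabled_security_center_notifications(findings: List[RegistryFinding]) -> List[str]:
    """Names of the Security Center *DisableNotify values the malware had set to 1."""
    return [
        f.key.rsplit("\\", 1)[1]
        for f in findings
        if f.key.upper().startswith(SECURITY_CENTER_KEY.upper())
        and f.key.endswith("DisableNotify")
        and f.bad.strip() == "1"
    ]


def hijacked_launch_commands(findings: List[RegistryFinding]) -> List[Tuple[str, str]]:
    """(registry key, injected executable) for every browser launch command that was
    rewritten to run another binary first; the quoted first token of 'Bad' is that binary."""
    hijacks = []
    for f in findings:
        if "\\StartMenuInternet\\" in f.key and "\\shell\\open\\command" in f.key:
            first = re.match(r'"([^"]+)"', f.bad)
            hijacks.append((f.key, first.group(1) if first else f.bad))
    return hijacks


if __name__ == "__main__":
    found = parse_registry_data_items(SAMPLE_LOG)
    for key, exe in hijacked_launch_commands(found):
        print(f"browser launch hijacked via {exe}\n    {key}")
    for name in disabled_security_center_notifications(found):
        print(f"Security Center alert silenced: {name}")
```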



