
ZeroAccess Rootkit


  • This topic is locked
44 replies to this topic

#1 blooping

blooping

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:23 PM

Posted 07 February 2012 - 07:55 AM

This machine has a very persistent ZeroAccess rootkit problem. When browsing, it will intermittently redirect to random ad infested sites regardless of browser. Also some time after startup, CPU utilization shoots up to 100% but the process is hidden. No visible attempt appears to be made to proxy the connection. Occasionally the display driver will crash.

The following all detect zeroaccess and can detect and remove portions of it but it keeps reinfecting:

ESETSirefefRemover
antizeroaccess.exe
combofix

Also tried independently:

Trend Micro Housecall
AdAware Free
Malwarebytes

But obviously not tools suitable for rootkit hunting and don't pick anything else up.
GMER reports a hidden unnamed module and ping.exe as the process that's eating CPU.

At this point I admit I'm out of my depth and out of ideas on how to proceed. AdAware and other resident scanners have been uninstalled, Defogger has been enabled, firewall is still on.
DDS log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Scribe at 8:34:18 on 2012-02-07
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.2038.563 [GMT 0:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\WatchGuard\Mobile VPN\ncpclcfg.exe
C:\Program Files\WatchGuard\Mobile VPN\ncprwsnt.exe
C:\Program Files\WatchGuard\Mobile VPN\ncpsec.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\Explorer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rtIif1d.com
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Windows\system32\RTIIF1~1.COM
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [LENOVO.TPFNF6R] c:\program files\lenovo\hotkey\TPFNF6R.exe
mRun: [Everything] "c:\program files\everything\Everything.exe" -startup
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [KeePass 2 PreLoad] "c:\program files\keepass password safe 2\KeePass.exe" --preload
mRun: [NcpBudgetGui] "c:\program files\watchguard\mobile vpn\NcpBudgetGui.exe" -start
mRun: [NcpPopup] "c:\program files\watchguard\mobile vpn\ncppopup.exe" noerrmsg
mRun: [NcpMonitor] "c:\program files\watchguard\mobile vpn\NCPMON.exe" AUTORUN
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [vnet] c:\program files\dropped.exe
StartupFolder: c:\users\scribe\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{DC8D295A-69A5-42EC-B136-4E3075E2BC05} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{DC8D295A-69A5-42EC-B136-4E3075E2BC05}\35D434 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{DC8D295A-69A5-42EC-B136-4E3075E2BC05}\4514C4B44514C4B4D2039324345334 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DC8D295A-69A5-42EC-B136-4E3075E2BC05}\55E60727F647563647564602345685 : DhcpNameServer = 212.23.3.100 212.23.6.100
TCP: Interfaces\{DC8D295A-69A5-42EC-B136-4E3075E2BC05}\6627565676F66777966696 : DhcpNameServer = 10.11.0.201 10.12.0.201
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\scribe\appdata\roaming\mozilla\firefox\profiles\86qqyyz1.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\scribe\appdata\local\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\users\scribe\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\scribe\appdata\roaming\mozilla\firefox\profiles\86qqyyz1.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 ncpclcfg;ncpclcfg;c:\program files\watchguard\mobile vpn\ncpclcfg.exe [2011-10-1 86016]
R2 ncprwsnt;ncprwsnt;c:\program files\watchguard\mobile vpn\ncprwsnt.exe [2011-10-1 1092104]
R2 NcpSec;NcpSec;c:\program files\watchguard\mobile vpn\NCPSEC.EXE [2011-10-1 97280]
R2 tp4serv;tp4serv;c:\program files\lenovo\trackpoint\tp4servinst.exe [2008-3-4 35616]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2010-1-24 62320]
R3 ncplelhp;WatchGuard Secure Client NDIS6 Driver;c:\windows\system32\drivers\ncplelhp.sys [2011-10-1 77128]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2008-3-4 22568]
R3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2009-6-17 36136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2010-1-24 45424]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 libusb0;LibUsb-Win32 - Kernel Driver;c:\windows\system32\drivers\libusb0.sys [2010-5-26 28160]
S3 ncpfilt;WatchGuard Filter;c:\windows\system32\drivers\ncplelhp.sys [2011-10-1 77128]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-3-19 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-3-19 8320]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-10-2 15872]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-10-2 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-21 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-02-07 07:32:15 -------- d-sh--w- C:\$RECYCLE.BIN
2012-02-07 07:24:46 -------- d-----w- c:\users\scribe\appdata\local\temp
2012-02-07 07:07:06 46080 ----a-w- c:\windows\system32\drivers\ndisuio.sys
2012-02-07 07:02:51 338944 ----a-w- c:\windows\system32\drivers\afd.sys.vir
2012-02-07 06:46:07 -------- d-----w- c:\windows\system32\appmgmt
2012-02-07 06:29:36 -------- d-----w- c:\program files\Mythicsoft
2012-02-07 05:54:42 187904 ----a-w- c:\windows\system32\drivers\netbt.sys.vir
2012-02-07 05:51:41 -------- d-----w- c:\users\scribe\appdata\roaming\Malwarebytes
2012-02-07 05:51:16 -------- d-----w- c:\programdata\Malwarebytes
2012-02-06 08:13:39 74752 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-02-06 07:56:29 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-06 07:18:21 53760 ----a-w- c:\windows\system32\drivers\intelppm.sys
2012-02-06 05:11:05 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-02-06 04:23:28 98816 ----a-w- c:\windows\sed.exe
2012-02-06 04:23:28 518144 ----a-w- c:\windows\SWREG.exe
2012-02-06 04:23:28 256000 ----a-w- c:\windows\PEV.exe
2012-02-06 04:23:28 208896 ----a-w- c:\windows\MBR.exe
2012-02-06 04:12:55 388096 ----a-r- c:\users\scribe\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-02-06 04:12:55 -------- d-----w- c:\program files\Trend Micro
2012-02-06 01:24:42 111616 ----a-w- c:\windows\system32\rtIif1d.com
2012-02-06 01:10:56 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-02-05 23:17:20 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-05 13:09:07 -------- d-----w- c:\users\scribe\appdata\roaming\Qediut
2012-02-05 13:08:58 111616 ----a-w- c:\windows\system32\rtIif1d.com_
2012-02-04 10:27:18 192512 ----a-w- c:\program files\dropped.exe
2012-02-04 10:07:59 -------- d-----w- c:\users\scribe\appdata\roaming\mIRC
2012-02-04 02:44:29 6557240 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{90ebf296-aecd-46bb-834d-5e6d3b2ae18e}\mpengine.dll
2012-02-03 03:54:58 -------- d-----w- c:\users\scribe\appdata\local\Forget-Me-Not
2012-02-02 04:26:50 -------- d-----w- c:\users\scribe\appdata\local\smuxi
2012-02-02 04:24:40 -------- d-----w- c:\users\scribe\appdata\roaming\smuxi
2012-02-02 04:22:50 -------- d-----w- c:\program files\Smuxi
2012-02-02 04:21:29 -------- d-----w- c:\program files\GtkSharp
2012-02-01 18:03:27 -------- d-----w- c:\program files\Spaz
2012-02-01 18:02:17 -------- d-----w- c:\users\scribe\appdata\roaming\Spaz.AIR.16CB261D461B1CA2027F7C39946115FA2DC8CD7F.1
2012-01-26 12:12:01 -------- d-----w- c:\users\scribe\vimfiles
2012-01-24 12:58:42 -------- d-----w- c:\users\scribe\appdata\roaming\HackSlashLoot
2012-01-22 07:31:56 -------- d-----w- c:\program files\Twine
2012-01-21 15:40:08 987 ----a-w- c:\windows\gvimdiff.bat
2012-01-21 15:40:08 987 ----a-w- c:\windows\gview.bat
2012-01-21 15:40:08 987 ----a-w- c:\windows\evim.bat
2012-01-21 15:40:08 979 ----a-w- c:\windows\gvim.bat
2012-01-21 15:40:08 688 ----a-w- c:\windows\vimtutor.bat
2012-01-21 15:40:08 662 ----a-w- c:\windows\vimdiff.bat
2012-01-21 15:40:08 662 ----a-w- c:\windows\view.bat
2012-01-21 15:40:08 658 ----a-w- c:\windows\vim.bat
2012-01-21 15:39:58 -------- d-----w- c:\program files\Vim
2012-01-20 11:58:44 -------- d-----w- c:\program files\rebol
2012-01-20 11:58:09 -------- d-----w- c:\users\scribe\appdata\roaming\rebol
2012-01-19 07:17:34 -------- d-----w- c:\program files\OzoneSoft
2012-01-19 01:29:34 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-19 01:29:34 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-19 01:29:34 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-19 01:29:34 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-19 01:29:34 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-19 01:29:34 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-19 01:29:33 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-19 01:29:33 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-19 01:29:33 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-19 01:29:33 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-18 17:58:00 -------- d-----w- c:\program files\Edxor
2012-01-18 01:50:13 -------- d-----w- c:\users\scribe\pentadactyl
2012-01-17 01:46:02 -------- d-----w- c:\windows\system32\Adobe
2012-01-16 09:05:36 -------- d-----w- c:\users\scribe\vimperator
2012-01-15 07:02:05 -------- d-----w- c:\users\scribe\twit
2012-01-15 02:13:47 -------- d-----w- c:\users\scribe\appdata\roaming\naan studio, Inc
2012-01-15 02:13:47 -------- d-----w- c:\users\scribe\appdata\local\naan studio, Inc
2012-01-15 02:13:36 -------- d-----w- c:\users\scribe\appdata\local\Echofon
2012-01-15 01:52:19 -------- d-----w- c:\users\scribe\appdata\roaming\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1
2012-01-14 19:32:28 -------- d-----w- c:\users\scribe\appdata\roaming\MetroTwit
2012-01-14 19:02:58 -------- d-----w- c:\users\scribe\appdata\local\twitter
2012-01-14 18:59:28 576536 ----a-r- c:\users\scribe\appdata\roaming\microsoft\installer\{c5ac39f1-001d-4338-84c6-35109525588a}\TweetDeck.exe
2012-01-14 18:59:26 -------- d-----w- c:\program files\Twitter
2012-01-14 09:18:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2012-01-14 09:18:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2012-01-14 09:18:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2012-01-14 09:18:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2012-01-14 09:18:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2012-01-14 09:18:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2012-01-14 09:18:39 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2012-01-14 09:15:47 -------- d-----w- c:\users\scribe\appdata\local\Apple
2012-01-14 08:17:21 -------- d-----w- c:\users\scribe\appdata\roaming\com.destroytoday.destroytwitter
2012-01-14 08:17:13 -------- d-----w- c:\program files\DestroyTwitter 2
2012-01-13 03:53:03 -------- d-----w- c:\users\scribe\appdata\roaming\conkeror.mozdev.org
2012-01-13 03:53:03 -------- d-----w- c:\users\scribe\appdata\local\conkeror.mozdev.org
2012-01-13 03:50:43 -------- d-----w- c:\program files\Conkeror
2012-01-13 03:38:18 -------- d-----w- c:\program files\xulrunner 10.0.0.4386
2012-01-12 03:34:03 -------- d-----w- c:\users\scribe\appdata\roaming\LyX2.0
2012-01-12 03:02:33 -------- d-----w- c:\program files\MSXML 4.0
2012-01-12 00:38:47 -------- d-----w- c:\program files\LyX20
2012-01-11 09:49:55 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 09:49:54 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 09:49:51 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 09:49:51 1328128 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 07:26:08 -------- d-----w- c:\users\scribe\appdata\roaming\TeXmacs
2012-01-11 07:23:32 -------- d-----w- c:\program files\TeXmacs
2012-01-11 05:27:40 -------- d-----w- c:\users\scribe\appdata\roaming\xm1
2012-01-11 05:23:34 -------- d-----w- c:\program files\Texmaker
2012-01-11 01:34:47 -------- d-----w- c:\users\scribe\appdata\roaming\MiKTeX
2012-01-11 01:27:10 -------- d-----w- c:\users\scribe\appdata\local\MiKTeX
2012-01-11 01:20:11 -------- d-----w- c:\programdata\MiKTeX
2012-01-11 01:13:38 -------- d-----w- c:\program files\MiKTeX 2.9
2012-01-10 16:00:09 82432 ----a-w- c:\windows\system32\msxml4r.dll
2012-01-10 16:00:09 44544 ----a-w- c:\windows\system32\msxml4a.dll
2012-01-10 15:59:59 -------- d-----w- c:\program files\TeXnicCenter
.
==================== Find3M ====================
.
2012-02-07 07:02:51 338944 ----a-w- c:\windows\system32\drivers\afd.sys.org
2012-02-07 05:54:42 187904 ----a-w- c:\windows\system32\drivers\netbt.sys.org
2012-02-04 10:16:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-27 00:21:24 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-12-14 00:00:08 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-12-14 00:00:08 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2011-11-24 04:25:27 2342912 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 8:36:08.45 ===============
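A small triage script, added here as an example and not part of the thread, DDS, or any BleepingComputer tool: it splits a DDS log into its "====== Name ======" sections and flags the entries a responder would look at first. The sample lines below are constructed to mirror the shapes in the log above (a few entries only, not the real log), and the heuristics are the editor's assumptions rather than DDS rules: a .com executable in system32, a process launched through an 8.3 short name, a Run key whose target sits directly in the Program Files root, and a .vir/.org driver backup kept beside a freshly re-created driver, which is what a replaced afd.sys or netbt.sys looks like after a removal tool has been over it.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the DDS sections quoted in the thread
# (not a real log; a few lines chosen to exercise each heuristic).
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\rtIif1d.com
C:\Windows\system32\RTIIF1~1.COM
C:\Program Files\Notepad++\notepad++.exe
.
============== Pseudo HJT Report ===============
.
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
dRun: [vnet] c:\program files\dropped.exe
.
=============== Created Last 30 ================
.
2012-02-07 07:02:51 338944 ----a-w- c:\windows\system32\drivers\afd.sys.vir
2012-02-06 07:56:29 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-06 01:24:42 111616 ----a-w- c:\windows\system32\rtIif1d.com
2012-02-04 10:27:18 192512 ----a-w- c:\program files\dropped.exe
2012-01-19 07:17:34 -------- d-----w- c:\program files\OzoneSoft
.
============= FINISH: 8:36:08.45 ===============
"""


@dataclass(frozen=True)
class Finding:
    section: str
    path: str      # lower-cased: Windows paths are case-insensitive
    reason: str


SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(?P<path>.+)$")
RUN_RE = re.compile(r'^[umd]Run: \[[^\]]+\]\s+"?(?P<path>[a-z]:\\[^"]+?\.exe)', re.IGNORECASE)
BACKUP_SUFFIXES = (".vir", ".org")  # assumed suffixes a removal tool uses for a set-aside driver


def split_sections(text):
    """Group the lines of a DDS log under their '====== Name ======' headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections[current] = []
        elif current is not None and line not in ("", "."):  # DDS pads sections with lone dots
            sections[current].append(line)
    return sections


def process_paths(lines):
    """Running Processes lines are 'image path [ -args]'; keep the image path only."""
    return [line.split(" -")[0] for line in lines]


def created_paths(lines):
    """Created Last 30 lines are 'date time size attrs path'; the path may contain spaces."""
    return [m.group("path") for m in map(CREATED_RE.match, lines) if m]


def check_suspicious_paths(paths, section):
    out = []
    for p in (p.lower() for p in paths):
        if "\\system32\\" in p and p.endswith(".com"):
            out.append(Finding(section, p, "executable with .com extension in system32"))
        elif re.search(r"~\d", p):
            out.append(Finding(section, p, "launched through an 8.3 short name"))
    return out


def check_run_keys(lines, section):
    out = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            p = m.group("path").lower()
            if p.rsplit("\\", 1)[0] == "c:\\program files":
                out.append(Finding(section, p, "autorun target sits directly in the Program Files root"))
    return out


def check_driver_backups(paths, section):
    known = {p.lower() for p in paths}
    out = []
    for p in sorted(known):
        for suffix in BACKUP_SUFFIXES:
            if p.endswith(suffix):
                original = p[: -len(suffix)]
                if original in known:
                    out.append(Finding(section, original, f"re-created beside a {suffix} backup: driver was replaced"))
                else:
                    out.append(Finding(section, p, f"{suffix} backup of a replaced driver"))
    return out


def triage(text):
    """Run each section-specific check and return every Finding in log order."""
    findings = []
    for name, lines in split_sections(text).items():
        key = name.lower()
        if key.startswith("running processes"):
            findings += check_suspicious_paths(process_paths(lines), name)
        elif key.startswith("pseudo hjt"):
            findings += check_run_keys(lines, name)
        elif key.startswith("created last"):
            paths = created_paths(lines)
            findings += check_suspicious_paths(paths, name) + check_driver_backups(paths, name)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.section}] {f.path}: {f.reason}")
```

Run it against a saved DDS.txt by reading the file into `triage()` in place of `SAMPLE_DDS`; the findings are a reading list for the responder, not verdicts, and legitimate 8.3 or root-level entries will show up and need to be judged by hand.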


#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:23 PM

Posted 07 February 2012 - 10:20 AM

Hi there,

Seeing as you have run ComboFix (which is strongly discouraged) I would like to see the log. It should be located at C:\ComboFix.txt. In addition, please run the following tool:

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:23 PM

Posted 13 February 2012 - 06:15 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



#4 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:23 PM

Posted 14 February 2012 - 06:29 AM

This topic has been re-opened at the request of the person who originally posted.



#5 blooping

blooping
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:23 PM

Posted 14 February 2012 - 06:44 AM

TDSSKiller had already been run without success (not detecting problems). ComboFix had multiple runs but I think this is the most recent log. I believe the suspicious file referenced task scheduler entry has already been renamed/quarantined, possibly by an earlier run of ComboFix.


#6 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:23 PM

Posted 14 February 2012 - 07:00 AM

Hi,

Your TDSSKiller version is a little outdated - it's always best to download the latest version before running our tools as they are constantly updated.

ComboFix definitely removed some of the ZeroAccess infection in that run. Let's try it again to see what it can do.

So please download new version of both TDSSKiller and ComboFix and then run them in that order.

Casey



#7 blooping

blooping
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:23 PM

Posted 14 February 2012 - 07:43 AM

New version of TDSSKiller hasn't picked up anything.
Combofix appears to have removed part of the ZeroAccess infection but upon rebooting wireless no longer works and the ComboFix window is rapidly opening and closing. Going to leave it running for a while but this didn't previously happen...

#8 blooping

blooping
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:23 PM

Posted 14 February 2012 - 08:00 AM

Combofix is clearly in a loop. Going to restart.

#9 blooping

blooping
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:23 PM

Posted 14 February 2012 - 08:12 AM

Combofix attempts to launch on restart but something is still repeatedly closing it (or there's a bug). Booting into safemode, gmer still reports signs of a rootkit.

#10 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:23 PM

Posted 14 February 2012 - 08:26 AM

Could you post me the GMER log please?

Casey



#11 blooping

blooping
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:23 PM

Posted 14 February 2012 - 10:39 AM

As an aside, ping.exe does not seem to be running in safe mode at the moment. Also no wireless access, presumably because of whatever this particular run of combofix did.

Attached Files

  • Attached File  gmer.log   4.91KB   11 downloads


#12 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:23 PM

Posted 14 February 2012 - 11:22 AM

Hi,

Yep, there are definite traces of the ZeroAccess rootkit still on board.

We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    %systemroot%\*. /rp /s
    /mdstart
    tdx.sys
    /md5stop
  • Push the Run Scan button
  • A report will open. Copy and Paste that report in your next reply.

Casey



#13 blooping

blooping
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:23 PM

Posted 14 February 2012 - 01:31 PM

Was a bit presumptuous and assumed you made a typo. Changed "/mdstart" to "/md5start". Log follows:


OTL logfile created on: 14/02/2012 17:27:07 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Scribe\Desktop
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.99 Gb Total Physical Memory | 1.25 Gb Available Physical Memory | 62.83% Memory free
3.98 Gb Paging File | 3.27 Gb Available in Paging File | 82.26% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 91.60 Gb Free Space | 39.33% Space Free | Partition Type: NTFS
Drive D: | 62.13 Gb Total Space | 11.72 Gb Free Space | 18.86% Space Free | Partition Type: FAT32

Computer Name: SCRIBE-PC | User Name: Scribe | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/14 17:13:06 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Scribe\Desktop\OTL.exe
PRC - [2011/02/25 05:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/07/14 01:14:46 | 000,115,200 | ---- | M] () -- \\?\C:\Windows\System32\wbem\WMIADAP.EXE


========== Modules (No Company Name) ==========

MOD - [2010/03/21 18:19:50 | 000,094,208 | ---- | M] () -- C:\Program Files\FileZilla FTP Client\fzshellext.dll
MOD - [2007/09/20 18:34:58 | 000,129,024 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/01/12 05:09:12 | 000,419,624 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012/01/03 13:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Stopped] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2010/05/21 02:00:47 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/02/25 08:20:52 | 001,092,104 | ---- | M] (NCP Engineering GmbH) [Auto | Stopped] -- C:\Program Files\WatchGuard\Mobile VPN\ncprwsnt.exe -- (ncprwsnt)
SRV - [2010/02/05 10:02:10 | 000,097,280 | ---- | M] () [Auto | Stopped] -- C:\Program Files\WatchGuard\Mobile VPN\NCPSEC.EXE -- (NcpSec)
SRV - [2009/07/15 10:18:00 | 000,062,320 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC)
SRV - [2009/07/14 01:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 01:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 01:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/14 01:14:41 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Stopped] -- C:\Windows\System32\SetupNT.dll -- (HssTrayService)
SRV - [2009/07/03 18:47:08 | 000,045,424 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\HOTKEY\micmute.exe -- (LENOVO.MICMUTE)
SRV - [2008/07/15 17:09:52 | 000,090,112 | ---- | M] (Andrea Electronics Corporation) [Auto | Stopped] -- C:\Windows\System32\AEADISRV.EXE -- (AEADIFilters)
SRV - [2008/06/30 11:22:40 | 000,086,016 | ---- | M] (NCP engineering GmbH) [Auto | Stopped] -- C:\Program Files\WatchGuard\Mobile VPN\ncpclcfg.exe -- (ncpclcfg)
SRV - [2008/03/04 07:28:48 | 000,035,616 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\TrackPoint\tp4servinst.exe -- (tp4serv)


========== Driver Services (SafeList) ==========

DRV - [2010/11/20 12:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 12:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 12:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 10:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 10:21:14 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2010/11/20 09:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/20 09:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 09:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/04/07 14:28:12 | 000,104,768 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2010/02/23 09:22:52 | 000,077,128 | ---- | M] (NCP Engineering GmbH) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ncplelhp.sys -- (ncplelhp)
DRV - [2010/02/23 09:22:52 | 000,077,128 | ---- | M] (NCP Engineering GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ncplelhp.sys -- (ncpfilt)
DRV - [2009/10/21 12:04:22 | 000,028,160 | ---- | M] (http://libusb-win32.sourceforge.net) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\libusb0.sys -- (libusb0)
DRV - [2009/09/01 20:20:34 | 000,219,144 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6232.sys -- (e1express) Intel®
DRV - [2009/07/13 23:12:52 | 000,030,720 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tpm.sys -- (TPM)
DRV - [2009/07/13 22:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32) Intel®
DRV - [2009/06/17 22:07:06 | 000,036,136 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\wisdpen.sys -- (wisdpen)
DRV - [2009/03/19 12:48:18 | 000,136,704 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nmwcdnsu.sys -- (nmwcdnsu)
DRV - [2009/03/19 12:48:12 | 000,008,320 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nmwcdnsuc.sys -- (nmwcdnsuc)
DRV - [2007/12/11 14:47:44 | 000,101,504 | R--- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2007/04/13 17:42:16 | 000,068,096 | ---- | M] (EZB Systems, Inc.) [File_System | System | Stopped] -- C:\Program Files\UltraISO\drivers\ISODrive.sys -- (ISODrive)
DRV - [2006/11/27 17:44:52 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2260156883-991823328-3405992824-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-2260156883-991823328-3405992824-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\S-1-5-21-2260156883-991823328-3405992824-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 70 50 A2 B8 F5 9C CA 01 [binary data]
IE - HKU\S-1-5-21-2260156883-991823328-3405992824-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Scribe\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Scribe\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Scribe\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/02 17:04:20 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/12/22 07:50:08 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Scribe\AppData\Roaming\Mozilla\Extensions
[2012/02/08 00:23:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Scribe\AppData\Roaming\Mozilla\Firefox\Profiles\86qqyyz1.default\extensions
[2012/01/19 20:08:57 | 000,000,000 | ---D | M] (IE Tab 2 (FF 3.6+)) -- C:\Users\Scribe\AppData\Roaming\Mozilla\Firefox\Profiles\86qqyyz1.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
[2012/01/16 09:00:10 | 000,000,000 | ---D | M] (Diigo Toolbar) -- C:\Users\Scribe\AppData\Roaming\Mozilla\Firefox\Profiles\86qqyyz1.default\extensions\{fc2b8f80-d9a5-4f51-8076-7c7ce3c67ee3}
[2012/01/20 19:07:09 | 000,000,000 | ---D | M] (Reload Plus) -- C:\Users\Scribe\AppData\Roaming\Mozilla\Firefox\Profiles\86qqyyz1.default\extensions\reloadplus@blackwind
[2011/12/22 07:49:24 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
() (No name found) -- C:\USERS\SCRIBE\APPDATA\ROAMING\CONKEROR.MOZDEV.ORG\CONKEROR\PROFILES\18O7CK0U.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2012/02/02 17:04:18 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/12/21 05:14:26 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/12/21 05:02:40 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/12/21 05:14:26 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/12/21 05:14:26 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/12/21 05:14:26 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Scribe\AppData\Local\Google\Chrome\Application\16.0.912.77\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Users\Scribe\AppData\Local\Google\Chrome\Application\16.0.912.77\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Scribe\AppData\Local\Google\Chrome\Application\16.0.912.77\gcswf32.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.170.4 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
CHR - plugin: Java™ Platform SE 6 U17 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Google Update (Enabled) = C:\Users\Scribe\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Windows Activation Technologies (Enabled) = C:\Windows\system32\Wat\npWatWeb.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Search by Image for Google\u2122 = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\agdigejhabbnmfbbebmchkkjhcdjmeli\1.2_0\
CHR - Extension: Angry Birds = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj\1.1.2.1_0\
CHR - Extension: reddit companion = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\algjnflpgoopkdijmkalfcifomdhmcbe\1.1.1_0\
CHR - Extension: reddit companion = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\algjnflpgoopkdijmkalfcifomdhmcbe\1.1.1_0\.orig
CHR - Extension: CacheList = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\amhhdbdhoghppijbjfdkiaconkmfbbpa\2.3.5_0\
CHR - Extension: Keyboard-fu = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\cafiohcgicchdfciefpbjjgigbmajndb\0.5.6_0\
CHR - Extension: Adblock Plus (Beta) = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.2_0\
CHR - Extension: Panda Poet = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\daicmhhkdcccfobnkidlhnieapcikadf\6_0\
CHR - Extension: Vimium = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbepggeogbaibhgnhhndojpepiihcmeb\1.30_0\
CHR - Extension: Read Later Fast = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\decdfngdidijkdjgbknlnepdljfaepji\1.3.6_0\
CHR - Extension: Read Later Fast = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\decdfngdidijkdjgbknlnepdljfaepji\1.3.7_0\
CHR - Extension: Realm of the Mad God = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhjfmaldpppkmjjgkmadddbanpabfflp\1.0.0.3_0\
CHR - Extension: Realm of the Mad God = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhjfmaldpppkmjjgkmadddbanpabfflp\1.0.0.3_0\~
CHR - Extension: Smart zoom = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\emfkpabfhchapdbfcmphhcagnkdloanp\0.1.7_0\
CHR - Extension: Silver Bird = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\encaiiljifbdbjlphpgpiimidegddhic\1.9.8.4_0\
CHR - Extension: Recent History = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbmkfdfomhhlonpbnpiibloacemdhjjm\2.1.4_0\
CHR - Extension: NewsBlur = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\gchdledhagjbhhodjjhiclbnaioljomj\1.1_0\
CHR - Extension: AdBlock = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.4.28_0\
CHR - Extension: d3coder = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\gncnbkghencmkfgeepfaonmegemakcol\0.5.0_0\
CHR - Extension: Next Bus London = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\golhdmegajbopkkhfbjbilfecnjaobod\1.0.1_0\
CHR - Extension: IE Tab = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\hehijbfgiekmjfkfjpbkbammjbdenadd\2.11.30.1_0\
CHR - Extension: Zen Spring = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\iccigcodfkejfabfbepnfoddhnlmimgo\1.0\
CHR - Extension: Tab Split = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\imjbfeponcaggdpmoiadjbafihlojbco\1.0.0.0_0\
CHR - Extension: Google +1 Button = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgoepmocgafhnchmokaimcmlojpnlkhp\1.1.2.202_0\
CHR - Extension: TFL Realtime Map = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmdnbkifbcnagnmonadldajkkldjldic\1.0_0\
CHR - Extension: Cargo Bridge = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\keembkgclppcbilkekfgpobhldjjhpmn\1.5.7_0\
CHR - Extension: CrossFire for Google Chrome\u2122 = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\koagbjdgdmedlijoflccgpiaelepedam\0.2.3_0\
CHR - Extension: Smooth Gestures = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfkgmnnajiljnolcgolmmgnecgldgeld\0.15.4.12_0\
CHR - Extension: Stop Autoplay for YouTube. = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgdfnbpkmkkdhgidgcpdkgpdlfjcgnnh\0.11.5.24_0\
CHR - Extension: Google Maps = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\lneaknkopdijkpnocmklfnjbeapigfbh\5.2.3_0\
CHR - Extension: Quick Note = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\mijlebbfndhelmdpmllgcfadlkankhok\1.2.9_0\
CHR - Extension: Keyboard Shortcuts to Reorder Tabs = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\moigagbiaanpboaflikhdhgdfiifdodd\1.6_0\
CHR - Extension: FreshStart - Cross Browser Session Manager = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmidkjogcjnnlfimjcedenagjfacpobb\1.5.4_0\
CHR - Extension: Diigo: Bookmark, Archive, Highlight & Sticky-Note = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\oojbgadfejifecebmdnhhkbhdjaphole\1.6.8_0\
CHR - Extension: Diigo: Bookmark, Archive, Highlight & Sticky-Note = C:\Users\Scribe\AppData\Local\Google\Chrome\User Data\Default\Extensions\oojbgadfejifecebmdnhhkbhdjaphole\1.6.9_0\

O1 HOSTS File: ([2012/02/14 12:35:29 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [combofix] C:\123\CF32068.3XE (Microsoft Corporation)
O4 - HKLM..\Run: [Everything] C:\Program Files\Everything\Everything.exe ()
O4 - HKLM..\Run: [KeePass 2 PreLoad] C:\Program Files\KeePass Password Safe 2\KeePass.exe (Dominik Reichl)
O4 - HKLM..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [NcpBudgetGui] C:\Program Files\WatchGuard\Mobile VPN\NcpBudgetGui.exe ()
O4 - HKLM..\Run: [NcpMonitor] C:\Program Files\WatchGuard\Mobile VPN\NCPMON.exe (NCP engineering GmbH)
O4 - HKLM..\Run: [NcpPopup] C:\Program Files\WatchGuard\Mobile VPN\ncppopup.exe ()
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O4 - HKU\.DEFAULT..\Run: [vnet] C:\Program Files\dropped.exe ( Acoustica Inc.)
O4 - HKU\S-1-5-18..\Run: [vnet] C:\Program Files\dropped.exe ( Acoustica Inc.)
O4 - HKU\S-1-5-21-2260156883-991823328-3405992824-1000..\Run: [Steam] C:\Program Files\Steam\steam.exe (Valve Corporation)
O4 - HKU\S-1-5-21-2260156883-991823328-3405992824-1000..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\obryu.exe (Narver)
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\obryu.exe (Narver)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2260156883-991823328-3405992824-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2260156883-991823328-3405992824-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000032 - %SystemRoot%\System32\winrnr.dll File not found
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 21:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/14 17:26:22 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Scribe\Desktop\OTL.exe
[2012/02/14 12:35:26 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/02/14 12:35:26 | 000,000,000 | ---D | C] -- C:\Users\Scribe\AppData\Local\temp
[2012/02/14 12:10:44 | 000,000,000 | --SD | C] -- C:\123
[2012/02/14 12:07:43 | 004,403,246 | R--- | C] (Swearware) -- C:\Users\Scribe\Desktop\123.exe
[2012/02/14 12:06:03 | 002,061,360 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Scribe\Desktop\TDSSKiller.exe
[2012/02/07 07:51:58 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Scribe\Desktop\dds.scr
[2012/02/07 07:32:15 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/02/07 06:46:07 | 000,000,000 | ---D | C] -- C:\Windows\System32\appmgmt
[2012/02/07 06:29:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Agent Ransack
[2012/02/07 06:29:36 | 000,000,000 | ---D | C] -- C:\Program Files\Mythicsoft
[2012/02/07 06:21:37 | 003,086,632 | ---- | C] ( ) -- C:\Users\Scribe\Desktop\agentran.exe
[2012/02/07 06:09:47 | 000,078,832 | ---- | C] (ESET spol. s r.o.) -- C:\Users\Scribe\Desktop\ESETIRCBotANRCleaner.exe
[2012/02/07 05:52:07 | 000,123,712 | ---- | C] (ESET) -- C:\Users\Scribe\Desktop\ESETSirefefRemover.exe
[2012/02/07 05:51:41 | 000,000,000 | ---D | C] -- C:\Users\Scribe\AppData\Roaming\Malwarebytes
[2012/02/07 05:51:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/02/07 05:33:42 | 000,187,464 | ---- | C] (Webroot) -- C:\Users\Scribe\Desktop\antizeroaccess.exe
[2012/02/06 06:39:17 | 000,000,000 | ---D | C] -- C:\Users\Scribe\Desktop\c2
[2012/02/06 04:23:28 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/02/06 04:23:28 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/02/06 04:23:28 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/02/06 04:23:22 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/02/06 04:23:19 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/02/06 04:12:55 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2012/02/06 04:12:55 | 000,000,000 | ---D | C] -- C:\Users\Scribe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2012/02/06 01:10:56 | 000,101,720 | ---- | C] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2012/02/06 01:01:00 | 000,000,000 | ---D | C] -- C:\Windows\System32\DRVSTORE
[2012/02/06 01:00:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2012/02/05 13:09:07 | 000,000,000 | ---D | C] -- C:\Users\Scribe\AppData\Roaming\Qediut
[2012/02/05 12:54:07 | 000,000,000 | ---D | C] -- C:\Users\Scribe\Desktop\Illegal Eviction videos
[2012/02/04 10:27:18 | 000,192,512 | ---- | C] ( Acoustica Inc.) -- C:\Program Files\dropped.exe
[2012/02/04 10:07:59 | 000,000,000 | ---D | C] -- C:\Users\Scribe\AppData\Roaming\mIRC
[2012/02/03 03:54:58 | 000,000,000 | ---D | C] -- C:\Users\Scribe\AppData\Local\Forget-Me-Not
[2012/02/02 08:23:11 | 000,000,000 | ---D | C] -- C:\Users\Scribe\Documents\codecademy
[2012/02/02 04:26:50 | 000,000,000 | ---D | C] -- C:\Users\Scribe\AppData\Local\smuxi
[2012/02/02 04:24:40 | 000,000,000 | ---D | C] -- C:\Users\Scribe\AppData\Roaming\smuxi
[2012/02/02 04:22:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Smuxi
[2012/02/02 04:22:50 | 000,000,000 | ---D | C] -- C:\Program Files\Smuxi
[2012/02/02 04:21:29 | 000,000,000 | ---D | C] -- C:\Program Files\GtkSharp
[2012/02/01 19:49:23 | 000,000,000 | ---D | C] -- C:\Users\Scribe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Miranda IM
[2012/02/01 18:03:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spaz
[2012/02/01 18:03:27 | 000,000,000 | ---D | C] -- C:\Program Files\Spaz
[2012/02/01 18:02:17 | 000,000,000 | ---D | C] -- C:\Users\Scribe\AppData\Roaming\Spaz.AIR.16CB261D461B1CA2027F7C39946115FA2DC8CD7F.1
[2012/01/26 12:12:01 | 000,000,000 | ---D | C] -- C:\Users\Scribe\vimfiles
[2012/01/24 12:58:42 | 000,000,000 | ---D | C] -- C:\Users\Scribe\AppData\Roaming\HackSlashLoot
[2012/01/22 07:31:57 | 000,000,000 | ---D | C] -- C:\Users\Scribe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Twine 1.3.5
[2012/01/22 07:31:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Twine 1.3.5
[2012/01/22 07:31:56 | 000,000,000 | ---D | C] -- C:\Program Files\Twine
[2012/01/21 15:40:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Vim 7.3
[2012/01/21 15:39:58 | 000,000,000 | ---D | C] -- C:\Program Files\Vim
[2012/01/20 11:58:44 | 000,000,000 | ---D | C] -- C:\Users\Scribe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\REBOL
[2012/01/20 11:58:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\REBOL
[2012/01/20 11:58:44 | 000,000,000 | ---D | C] -- C:\Program Files\rebol
[2012/01/20 11:58:09 | 000,000,000 | ---D | C] -- C:\Users\Scribe\AppData\Roaming\rebol
[2012/01/19 14:08:50 | 000,000,000 | ---D | C] -- C:\Users\Scribe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yume Nikki 0.10 English v3
[2012/01/19 07:44:25 | 000,000,000 | ---D | C] -- C:\Users\Scribe\AppData\Roaming\Apple Computer
[2012/01/19 07:17:46 | 000,000,000 | ---D | C] -- C:\Users\Scribe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ContextFree
[2012/01/19 07:17:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ContextFree
[2012/01/19 07:17:34 | 000,000,000 | ---D | C] -- C:\Program Files\OzoneSoft
[2012/01/19 01:29:33 | 000,314,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\webio.dll
[2012/01/19 01:29:33 | 000,015,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sspisrv.dll
[2012/01/18 17:58:04 | 000,000,000 | ---D | C] -- C:\Users\Scribe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\EDXOR
[2012/01/18 17:58:00 | 000,000,000 | ---D | C] -- C:\Program Files\Edxor
[2012/01/18 01:50:13 | 000,000,000 | ---D | C] -- C:\Users\Scribe\pentadactyl
[2012/01/17 01:46:02 | 000,000,000 | ---D | C] -- C:\Windows\System32\Adobe
[2012/01/16 09:05:36 | 000,000,000 | ---D | C] -- C:\Users\Scribe\vimperator
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/14 17:28:34 | 000,664,320 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/02/14 17:28:34 | 000,125,056 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/02/14 17:24:40 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/02/14 17:24:34 | 1603,084,288 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/14 17:13:06 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Scribe\Desktop\OTL.exe
[2012/02/14 14:56:24 | 000,009,550 | ---- | M] () -- C:\Users\Scribe\_viminfo
[2012/02/14 13:08:27 | 000,019,968 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/02/14 13:08:27 | 000,019,968 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/02/14 12:35:29 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/02/14 12:33:00 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2260156883-991823328-3405992824-1000UA.job
[2012/02/14 12:24:25 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At26.job
[2012/02/14 12:24:00 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At25.job
[2012/02/14 12:08:00 | 004,403,246 | R--- | M] (Swearware) -- C:\Users\Scribe\Desktop\123.exe
[2012/02/14 12:03:09 | 000,000,000 | -HS- | M] () -- C:\Windows\System32\dds_trash_log.cmd
[2012/02/11 16:59:22 | 002,061,360 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Scribe\Desktop\TDSSKiller.exe
[2012/02/08 06:38:39 | 000,001,578 | ---- | M] () -- C:\Users\Scribe\.emacs-places
[2012/02/08 06:24:36 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At14.job
[2012/02/08 06:24:34 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At13.job
[2012/02/08 05:24:33 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At12.job
[2012/02/08 05:24:29 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At11.job
[2012/02/08 04:24:28 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At10.job
[2012/02/08 04:24:27 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At9.job
[2012/02/08 03:24:50 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At8.job
[2012/02/08 03:24:47 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At7.job
[2012/02/08 02:24:51 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At6.job
[2012/02/08 02:24:51 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At5.job
[2012/02/08 01:24:47 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At3.job
[2012/02/08 01:24:33 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At4.job
[2012/02/08 00:25:07 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At2.job
[2012/02/08 00:25:07 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At1.job
[2012/02/07 13:24:26 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At28.job
[2012/02/07 13:24:24 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At27.job
[2012/02/07 11:29:36 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At23.job
[2012/02/07 11:29:35 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At24.job
[2012/02/07 10:30:12 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At22.job
[2012/02/07 10:30:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At21.job
[2012/02/07 09:24:51 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At20.job
[2012/02/07 09:24:26 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At19.job
[2012/02/07 08:31:33 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At18.job
[2012/02/07 08:31:33 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At17.job
[2012/02/07 07:45:46 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Scribe\Desktop\dds.scr
[2012/02/07 07:41:34 | 000,000,000 | ---- | M] () -- C:\Users\Scribe\defogger_reenable
[2012/02/07 07:24:37 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At15.job
[2012/02/07 07:24:33 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At16.job
[2012/02/07 07:02:51 | 000,338,944 | ---- | M] () -- C:\Windows\System32\drivers\afd.sys.vir
[2012/02/07 06:32:42 | 000,007,612 | ---- | M] () -- C:\Users\Scribe\AppData\Local\Resmon.ResmonCfg
[2012/02/07 06:29:25 | 003,086,632 | ---- | M] ( ) -- C:\Users\Scribe\Desktop\agentran.exe
[2012/02/07 06:09:48 | 000,078,832 | ---- | M] (ESET spol. s r.o.) -- C:\Users\Scribe\Desktop\ESETIRCBotANRCleaner.exe
[2012/02/07 05:54:42 | 000,187,904 | ---- | M] () -- C:\Windows\System32\drivers\netbt.sys.vir
[2012/02/07 05:52:07 | 000,123,712 | ---- | M] (ESET) -- C:\Users\Scribe\Desktop\ESETSirefefRemover.exe
[2012/02/07 05:33:46 | 000,187,464 | ---- | M] (Webroot) -- C:\Users\Scribe\Desktop\antizeroaccess.exe
[2012/02/07 05:15:07 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At48.job
[2012/02/07 05:15:00 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At37.job
[2012/02/07 05:14:59 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At40.job
[2012/02/07 05:14:56 | 000,000,860 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2260156883-991823328-3405992824-1000Core.job
[2012/02/07 05:14:50 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At32.job
[2012/02/07 05:14:49 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At44.job
[2012/02/07 05:14:48 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At35.job
[2012/02/07 05:14:35 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At42.job
[2012/02/07 05:14:11 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At36.job
[2012/02/07 05:14:00 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At33.job
[2012/02/07 05:13:57 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At45.job
[2012/02/07 05:13:12 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At34.job
[2012/02/07 05:12:59 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At47.job
[2012/02/07 05:12:24 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At38.job
[2012/02/07 05:12:10 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At39.job
[2012/02/07 05:11:49 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At46.job
[2012/02/07 05:11:28 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At31.job
[2012/02/07 05:11:14 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At43.job
[2012/02/07 05:11:14 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At41.job
[2012/02/06 14:52:40 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At30.job
[2012/02/06 14:52:40 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At29.job
[2012/02/06 11:35:18 | 000,003,241 | ---- | M] () -- C:\Users\Scribe\.emacs
[2012/02/06 04:12:56 | 000,002,969 | ---- | M] () -- C:\Users\Scribe\Desktop\HiJackThis.lnk
[2012/02/06 01:10:34 | 000,101,720 | ---- | M] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2012/02/06 01:03:53 | 000,000,064 | ---- | M] () -- C:\Windows\System32\rp_stats.dat
[2012/02/06 01:03:53 | 000,000,044 | ---- | M] () -- C:\Windows\System32\rp_rules.dat
[2012/02/06 00:26:29 | 000,111,616 | ---- | M] () -- C:\Windows\System32\rtIif1d.com_
[2012/02/06 00:26:29 | 000,111,616 | ---- | M] () -- C:\Windows\System32\rtIif1d.com
[2012/02/06 00:26:29 | 000,000,112 | ---- | M] () -- C:\ProgramData\3kL8H0.dat
[2012/02/05 23:25:59 | 000,456,784 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/02/05 12:34:22 | 000,265,096 | ---- | M] () -- C:\Users\Scribe\Desktop\ukpga_19770043_en.pdf
[2012/02/04 10:52:23 | 000,300,666 | ---- | M] () -- C:\Users\Scribe\AppData\Local\census.cache
[2012/02/04 10:51:53 | 000,133,521 | ---- | M] () -- C:\Users\Scribe\AppData\Local\ars.cache
[2012/02/04 10:29:35 | 000,000,036 | ---- | M] () -- C:\Users\Scribe\AppData\Local\housecall.guid.cache
[2012/02/04 10:27:11 | 000,192,512 | ---- | M] ( Acoustica Inc.) -- C:\Program Files\dropped.exe
[2012/02/04 10:16:23 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/02/04 08:50:56 | 000,495,460 | ---- | M] () -- C:\Users\Scribe\Desktop\Deposit_Recovery_Pack.pdf
[2012/02/02 16:13:14 | 000,718,246 | ---- | M] () -- C:\Users\Scribe\Documents\peds.2011-2102.full.pdf
[2012/02/02 04:22:51 | 000,000,786 | ---- | M] () -- C:\Users\Public\Desktop\Smuxi.lnk
[2012/02/02 04:05:01 | 000,006,708 | ---- | M] () -- C:\Users\Scribe\Desktop\Jquery-starterkit.zip
[2012/02/01 18:03:31 | 000,000,804 | ---- | M] () -- C:\Users\Public\Desktop\Spaz.lnk
[2012/01/30 02:54:54 | 000,248,235 | ---- | M] () -- C:\Users\Scribe\Desktop\jquery-1.7.1.js
[2012/01/29 23:15:13 | 000,000,535 | ---- | M] () -- C:\Users\Scribe\_vimperatorrc
[2012/01/27 14:21:06 | 000,000,835 | ---- | M] () -- C:\Users\Scribe\Desktop\test.htm
[2012/01/27 00:21:24 | 000,237,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2012/01/25 11:38:15 | 002,524,959 | ---- | M] () -- C:\Users\Scribe\Documents\random_tales_mobile_hacker.pdf
[2012/01/24 23:57:32 | 000,000,713 | ---- | M] () -- C:\Users\Scribe\Desktop\jquery-shuffle.js
[2012/01/21 15:40:08 | 000,000,987 | ---- | M] () -- C:\Windows\gvimdiff.bat
[2012/01/21 15:40:08 | 000,000,987 | ---- | M] () -- C:\Windows\gview.bat
[2012/01/21 15:40:08 | 000,000,987 | ---- | M] () -- C:\Windows\evim.bat
[2012/01/21 15:40:08 | 000,000,979 | ---- | M] () -- C:\Windows\gvim.bat
[2012/01/21 15:40:08 | 000,000,688 | ---- | M] () -- C:\Windows\vimtutor.bat
[2012/01/21 15:40:08 | 000,000,662 | ---- | M] () -- C:\Windows\vimdiff.bat
[2012/01/21 15:40:08 | 000,000,662 | ---- | M] () -- C:\Windows\view.bat
[2012/01/21 15:40:08 | 000,000,658 | ---- | M] () -- C:\Windows\vim.bat
[2012/01/21 15:35:36 | 000,000,092 | ---- | M] () -- C:\Users\Scribe\AppData\Roaming\.emacs-places
[2012/01/20 15:53:41 | 039,717,096 | ---- | M] () -- C:\Users\Scribe\Desktop\features021.mp3
[2012/01/20 11:58:44 | 000,001,071 | ---- | M] () -- C:\Users\Scribe\Desktop\REBOL View.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/14 12:24:28 | 000,111,616 | ---- | C] () -- C:\Windows\System32\rtIif1d.com
[2012/02/07 07:41:34 | 000,000,000 | ---- | C] () -- C:\Users\Scribe\defogger_reenable
[2012/02/07 07:02:51 | 000,338,944 | ---- | C] () -- C:\Windows\System32\drivers\afd.sys.vir
[2012/02/07 06:18:37 | 000,302,592 | ---- | C] () -- C:\Users\Scribe\Desktop\gmer.exe
[2012/02/07 06:02:58 | 000,007,612 | ---- | C] () -- C:\Users\Scribe\AppData\Local\Resmon.ResmonCfg
[2012/02/07 05:54:42 | 000,187,904 | ---- | C] () -- C:\Windows\System32\drivers\netbt.sys.vir
[2012/02/06 04:23:28 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/02/06 04:23:28 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/02/06 04:23:28 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/02/06 04:23:28 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/02/06 04:23:28 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/02/06 04:12:56 | 000,002,969 | ---- | C] () -- C:\Users\Scribe\Desktop\HiJackThis.lnk
[2012/02/06 01:03:53 | 000,000,064 | ---- | C] () -- C:\Windows\System32\rp_stats.dat
[2012/02/06 01:03:53 | 000,000,044 | ---- | C] () -- C:\Windows\System32\rp_rules.dat
[2012/02/05 23:17:20 | 000,000,000 | -HS- | C] () -- C:\Windows\System32\dds_trash_log.cmd
[2012/02/05 23:10:26 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At48.job
[2012/02/05 23:10:25 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At47.job
[2012/02/05 23:10:23 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At46.job
[2012/02/05 23:10:21 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At45.job
[2012/02/05 23:10:19 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At44.job
[2012/02/05 23:10:18 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At43.job
[2012/02/05 23:10:16 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At42.job
[2012/02/05 23:10:14 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At41.job
[2012/02/05 23:10:12 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At40.job
[2012/02/05 23:10:10 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At39.job
[2012/02/05 23:10:10 | 000,000,112 | ---- | C] () -- C:\ProgramData\3kL8H0.dat
[2012/02/05 23:10:09 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At38.job
[2012/02/05 23:10:07 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At37.job
[2012/02/05 23:10:05 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At36.job
[2012/02/05 23:10:02 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At35.job
[2012/02/05 23:09:58 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At34.job
[2012/02/05 23:09:53 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At33.job
[2012/02/05 23:09:49 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At32.job
[2012/02/05 23:09:45 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At31.job
[2012/02/05 23:09:39 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At30.job
[2012/02/05 23:09:23 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At29.job
[2012/02/05 13:13:02 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At28.job
[2012/02/05 13:12:49 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At27.job
[2012/02/05 13:12:34 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At26.job
[2012/02/05 13:12:09 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At25.job
[2012/02/05 13:11:58 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At24.job
[2012/02/05 13:11:43 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At23.job
[2012/02/05 13:11:24 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At22.job
[2012/02/05 13:11:11 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At21.job
[2012/02/05 13:11:07 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At20.job
[2012/02/05 13:11:01 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At19.job
[2012/02/05 13:10:58 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At18.job
[2012/02/05 13:10:57 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At17.job
[2012/02/05 13:10:56 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At16.job
[2012/02/05 13:10:53 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At15.job
[2012/02/05 13:10:52 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At14.job
[2012/02/05 13:10:51 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At13.job
[2012/02/05 13:10:50 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At12.job
[2012/02/05 13:10:46 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At11.job
[2012/02/05 13:10:42 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At10.job
[2012/02/05 13:10:38 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At9.job
[2012/02/05 13:10:29 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At8.job
[2012/02/05 13:10:01 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At7.job
[2012/02/05 13:09:48 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At6.job
[2012/02/05 13:09:37 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At5.job
[2012/02/05 13:09:22 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At4.job
[2012/02/05 13:09:16 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At3.job
[2012/02/05 13:09:06 | 000,000,350 | ---- | C] () -- C:\Windows\tasks\At2.job
[2012/02/05 13:08:59 | 000,000,348 | ---- | C] () -- C:\Windows\tasks\At1.job
[2012/02/05 13:08:58 | 000,111,616 | ---- | C] () -- C:\Windows\System32\rtIif1d.com_
[2012/02/05 12:34:22 | 000,265,096 | ---- | C] () -- C:\Users\Scribe\Desktop\ukpga_19770043_en.pdf
[2012/02/04 10:52:23 | 000,300,666 | ---- | C] () -- C:\Users\Scribe\AppData\Local\census.cache
[2012/02/04 10:51:53 | 000,133,521 | ---- | C] () -- C:\Users\Scribe\AppData\Local\ars.cache
[2012/02/04 10:29:35 | 000,000,036 | ---- | C] () -- C:\Users\Scribe\AppData\Local\housecall.guid.cache
[2012/02/04 08:50:34 | 000,495,460 | ---- | C] () -- C:\Users\Scribe\Desktop\Deposit_Recovery_Pack.pdf
[2012/02/02 16:13:12 | 000,718,246 | ---- | C] () -- C:\Users\Scribe\Documents\peds.2011-2102.full.pdf
[2012/02/02 04:22:51 | 000,000,786 | ---- | C] () -- C:\Users\Public\Desktop\Smuxi.lnk
[2012/02/02 04:05:00 | 000,006,708 | ---- | C] () -- C:\Users\Scribe\Desktop\Jquery-starterkit.zip
[2012/02/01 18:03:31 | 000,000,804 | ---- | C] () -- C:\Users\Public\Desktop\Spaz.lnk
[2012/01/30 02:54:38 | 000,248,235 | ---- | C] () -- C:\Users\Scribe\Desktop\jquery-1.7.1.js
[2012/01/25 11:37:48 | 002,524,959 | ---- | C] () -- C:\Users\Scribe\Documents\random_tales_mobile_hacker.pdf
[2012/01/24 23:57:22 | 000,000,713 | ---- | C] () -- C:\Users\Scribe\Desktop\jquery-shuffle.js
[2012/01/23 16:59:00 | 000,000,835 | ---- | C] () -- C:\Users\Scribe\Desktop\test.htm
[2012/01/21 15:41:44 | 000,009,550 | ---- | C] () -- C:\Users\Scribe\_viminfo
[2012/01/21 15:40:08 | 000,000,987 | ---- | C] () -- C:\Windows\gvimdiff.bat
[2012/01/21 15:40:08 | 000,000,987 | ---- | C] () -- C:\Windows\gview.bat
[2012/01/21 15:40:08 | 000,000,987 | ---- | C] () -- C:\Windows\evim.bat
[2012/01/21 15:40:08 | 000,000,979 | ---- | C] () -- C:\Windows\gvim.bat
[2012/01/21 15:40:08 | 000,000,688 | ---- | C] () -- C:\Windows\vimtutor.bat
[2012/01/21 15:40:08 | 000,000,662 | ---- | C] () -- C:\Windows\vimdiff.bat
[2012/01/21 15:40:08 | 000,000,662 | ---- | C] () -- C:\Windows\view.bat
[2012/01/21 15:40:08 | 000,000,658 | ---- | C] () -- C:\Windows\vim.bat
[2012/01/20 15:53:39 | 039,717,096 | ---- | C] () -- C:\Users\Scribe\Desktop\features021.mp3
[2012/01/20 11:58:44 | 000,001,071 | ---- | C] () -- C:\Users\Scribe\Desktop\REBOL View.lnk
[2012/01/18 01:46:35 | 000,000,535 | ---- | C] () -- C:\Users\Scribe\_vimperatorrc
[2011/12/26 10:26:38 | 000,000,092 | ---- | C] () -- C:\Users\Scribe\AppData\Roaming\.emacs-places
[2011/12/21 16:59:05 | 000,000,213 | ---- | C] () -- C:\Users\Scribe\AppData\Roaming\diary
[2011/12/21 16:59:05 | 000,000,164 | ---- | C] () -- C:\Users\Scribe\AppData\Roaming\diary~
[2011/12/19 18:02:56 | 000,000,083 | ---- | C] () -- C:\Users\Scribe\AppData\Roaming\en.pws
[2011/12/19 18:02:56 | 000,000,025 | ---- | C] () -- C:\Users\Scribe\AppData\Roaming\en.prepl
[2011/11/23 15:43:47 | 000,000,535 | ---- | C] () -- C:\Users\Scribe\AppData\Roaming\.emacs
[2011/10/02 12:21:07 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
[2011/10/02 12:19:41 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2010/05/26 18:16:24 | 000,022,152 | ---- | C] () -- C:\Windows\System32\driver-flasher-3.5.exe
[2010/05/26 14:32:33 | 000,000,581 | ---- | C] () -- C:\Windows\System32\dsoud1.dll
[2010/05/26 11:50:07 | 000,013,235 | ---- | C] () -- C:\Windows\System32\dsoudd.dll
[2010/05/24 08:41:56 | 000,065,536 | ---- | C] () -- C:\Windows\System32\HPPLVS.dll
[2010/05/16 00:41:28 | 000,000,040 | -HS- | C] () -- C:\ProgramData\.zreglib
[2010/05/15 08:25:03 | 000,000,629 | ---- | C] () -- C:\Users\Scribe\AppData\Roaming\AutoGK.ini
[2010/05/14 02:46:11 | 000,043,698 | ---- | C] () -- C:\Windows\System32\xvid-uninstall.exe
[2010/01/24 12:42:01 | 000,106,496 | ---- | C] () -- C:\Windows\stkbtnpn.dll
[2009/07/14 04:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 04:33:53 | 000,456,784 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/14 02:05:48 | 000,664,320 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/14 02:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/14 02:05:48 | 000,125,056 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/14 02:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/14 02:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/14 02:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 23:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 23:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 23:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 21:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2009/02/09 07:24:02 | 001,497,696 | ---- | C] () -- C:\Windows\System32\tkbtnpn1.dll
[2009/01/25 21:10:48 | 000,179,200 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/01/08 23:01:22 | 000,629,760 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2002/10/15 22:54:04 | 000,153,088 | ---- | C] () -- C:\Windows\System32\unrar.dll

========== Custom Scans ==========


< %systemroot%\*. /rp /s >


< MD5 for: TDX.SYS >
[2012/02/06 06:30:51 | 000,074,752 | ---- | M] () MD5=AE9E96679923DF875047FD1D35813ACD -- C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys
[2010/11/20 08:39:17 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=B459575348C20E8121D6039DA063C704 -- C:\Windows\ERDNT\cache\tdx.sys
[2012/02/07 06:03:25 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=B459575348C20E8121D6039DA063C704 -- C:\Windows\System32\drivers\tdx.sys
[2009/07/13 23:12:11 | 000,074,240 | ---- | M] (Microsoft Corporation) MD5=CB39E896A2A83702D1737BFD402B3542 -- C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\Windows\$NtUninstallKB4094$] -> Error: Cannot create file handle -> Unknown point type

< End of report >

#14 blooping

  • Topic Starter
  • Members
  • 23 posts

Posted 14 February 2012 - 01:41 PM

--edit--
Double post :/

Edited by blooping, 14 February 2012 - 01:51 PM.


#15 Casey_boy

    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 14 February 2012 - 01:53 PM

Good spot.

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :process
    killallprocesses
    
    :files
    C:\Windows\System32\drivers\tdx.sys|C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys /replace
    C:\Windows\$NtUninstallKB4094$\3522825637
    C:\Windows\$NtUninstallKB4094$\41815424
    
    :commands
    [CREATERESTOREPOINT]
    [REBOOT]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.
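As an added example (not OTL's code and not from anyone in this thread), a small Python check that reads an OTL "< MD5 for: >" block like the one in the report above and flags driver copies that carry no company name or a hash that no company-attributed copy of the same driver shares. The sample text is the four tdx.sys lines from the report, embedded inline; the regexes are this example's own parse of OTL's line format.

```python
import re

# Constructed sample: the four tdx.sys lines from the "< MD5 for: TDX.SYS >"
# block of the OTL report above, in OTL's own line format.
SAMPLE = r"""< MD5 for: TDX.SYS >
[2012/02/06 06:30:51 | 000,074,752 | ---- | M] () MD5=AE9E96679923DF875047FD1D35813ACD -- C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys
[2010/11/20 08:39:17 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=B459575348C20E8121D6039DA063C704 -- C:\Windows\ERDNT\cache\tdx.sys
[2012/02/07 06:03:25 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=B459575348C20E8121D6039DA063C704 -- C:\Windows\System32\drivers\tdx.sys
[2009/07/13 23:12:11 | 000,074,240 | ---- | M] (Microsoft Corporation) MD5=CB39E896A2A83702D1737BFD402B3542 -- C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys
"""

# Section header and file-entry patterns for OTL's "< MD5 for: NAME >" output.
HEADER_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>\S+)\s*>$")
LINE_RE = re.compile(
    r"^\[(?P<ts>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+)$"
)


def parse_md5_sections(text):
    """Map each '< MD5 for: NAME >' header to the file entries listed under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = HEADER_RE.match(line)
        if head:
            current = head.group("name").upper()
            sections.setdefault(current, [])
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            entry = m.groupdict()
            entry["company"] = entry["company"].strip()
            entry["size"] = int(entry["size"].replace(",", ""))
            entry["md5"] = entry["md5"].upper()
            sections[current].append(entry)
    return sections


def suspicious_copies(entries):
    """Flag copies with no company name, or whose hash is shared by no
    company-attributed copy of the same driver. Different Windows builds
    legitimately carry different hashes, so the company field (not one
    expected hash) is the reference set."""
    trusted = {e["md5"] for e in entries if e["company"]}
    flagged = []
    for e in entries:
        reasons = []
        if not e["company"]:
            reasons.append("no company name")
        if e["md5"] not in trusted:
            reasons.append("hash shared by no company-attributed copy")
        if reasons:
            flagged.append((e["path"], e["md5"], reasons))
    return flagged


if __name__ == "__main__":
    for name, entries in parse_md5_sections(SAMPLE).items():
        for path, md5, reasons in suspicious_copies(entries):
            print(f"{name}: {path}\n    MD5={md5}  ({'; '.join(reasons)})")
```

On the sample, only the winsxs 6.1.7601.17514 copy (no company name, hash AE9E...) is flagged; the 6.1.7600.16385 copy has a different hash but is not flagged because it is company-attributed.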

