WinXP: Rootkit Infection

17 replies to this topic

#1 confidoboyd

Posted 19 February 2012 - 06:04 PM

Hello,

I've recently acquired a rootkit infection that was identified by ComboFix, but it couldn't take care of the problem itself. The virus is constantly being blocked by Malwarebytes from accessing a string of malicious IPs. Here's the latest ComboFix log:


====================
ComboFix 12-02-17.02 - mwalsh 12-02-19 5:47.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.344 [GMT -5:00]
Running from: c:\documents and settings\mwalsh\Desktop\ComboFix.exe
AV: AVG 7.5.516 *Enabled/Outdated* {41564737-3200-1071-989B-0000E87B4FB1}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB33335$\3909839676\Desktop.ini
c:\windows\$NtUninstallKB33335$\692661463
.
c:\windows\system32\drivers\netbt.sys was missing
Restored copy from - c:\windows\system32\dllcache\netbt.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-01-19 to 2012-02-19 )))))))))))))))))))))))))))))))
.
.
2012-02-19 11:00 . 2004-08-04 10:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-19 09:57 . 2006-05-05 10:16 454400 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-02-19 02:10 . 2012-02-19 10:00 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-01-22 20:05 . 2012-01-22 20:05 -------- d-----w- c:\documents and settings\mwalsh\Application Data\Mozilla-Cache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-10 03:52 . 2012-01-10 03:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24 . 2010-11-10 18:54 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\SYSTEM32\DLLCACHE\tcpip.sys
[-] 2007-10-30 . D1E0A099360A7AC279D883B057AB58A5 . 360064 . . [5.1.2600.3244] . . c:\windows\SYSTEM32\DRIVERS\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2007-06-04 . 27A5959C94EE173A063CA06BD14F021A . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2qfe\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2gdr\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-03-19 184320]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-03-19 212992]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^mwalsh^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\mwalsh\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\111.exe]
c:\program files\LP\EF05\111.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2004-07-19 12:51 306688 ----a-w- c:\program files\Dell Support\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dplaysvr]
c:\documents and settings\mwalsh\Application Data\dplaysvr.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
c:\program files\Google\Google Talk\googletalk.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-12-14 00:10 1688872 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intel Driver]
csrs.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Security]
c:\documents and settings\All Users\Application Data\isecurity.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver AutoDB]
2004-09-10 04:06 1040384 ----a-w- c:\program files\iRiver\Service\MLService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
2004-09-07 23:09 212992 ----a-w- c:\program files\iRiver\Service\Updater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeApplet]
c:\documents and settings\mwalsh\Application Data\Media Player Classic\{165498BC-8DB8-4797-B336-162F81D41157}\renovator.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-04-17 02:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-12-03 19:21 2213160 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
c:\windows\system32\NeroCheck.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PocketCloud Location]
c:\program files\Wyse\PocketCloud Windows Companion\WyseBrowser.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
c:\program files\Real\RealPlayer\RealPlay.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RogersAgent]
c:\program files\Rogers\SelfHealing\rogersagent.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tvncontrol]
c:\program files\TightVNC\tvnserver.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
c:\program files\Veoh Networks\Veoh\VeohClient.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\mwalsh\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\mwalsh\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10-11-10 1:54 PM 652360]
R2 npf;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [09-03-15 3:13 PM 34064]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [10-11-10 1:54 PM 20464]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys --> c:\windows\system32\DRIVERS\motfilt.sys [?]
S3 MLFILEM;MLFILEM;c:\windows\SYSTEM32\DRIVERS\MLFILEM.SYS [05-05-12 9:31 PM 28160]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys --> c:\windows\system32\DRIVERS\Motousbnet.sys [?]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys --> c:\windows\system32\DRIVERS\motusbdevice.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
OEM02Dev
processor
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp:/www.cnn.com
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.1.1 24.226.1.93 24.226.10.193
FF - ProfilePath - c:\documents and settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\
FF - prefs.js: browser.startup.homepage - www.cnn.com/index.html
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Last tab close button: last-tab-close-button@victor.sacharin - %profile%\extensions\last-tab-close-button@victor.sacharin
FF - Ext: vShare Plugin: vshare@toolbar - %profile%\extensions\vshare@toolbar
FF - Ext: Old Location Bar: {3205B348-523A-4fac-9BC4-9939CBF583B0} - %profile%\extensions\{3205B348-523A-4fac-9BC4-9939CBF583B0}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Vacuum Places Improved: VacuumPlacesImproved@lultimouomo-gmail.com - %profile%\extensions\VacuumPlacesImproved@lultimouomo-gmail.com
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: EPUBReader: {5384767E-00D9-40E9-B72F-9CC39D655D6F} - %profile%\extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F}
FF - Ext: XULRunner: {BBF2F2E9-162E-4854-993D-4FB6AA2A4179} - c:\documents and settings\mwalsh\Local Settings\Application Data\{BBF2F2E9-162E-4854-993D-4FB6AA2A4179}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-19 06:03
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB33335$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2000)
c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\program files\SmartFTP Client\sfShellTools.dll
c:\windows\system32\IEFRAME.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\windows\system32\mswsock.dll
mswsock.dll 71a50000 258048 \\.\globalroot\systemroot\system32\mswsock.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP Client\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Completion time: 2012-02-19 06:10:13 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-19 11:10
ComboFix2.txt 2012-02-19 10:30
ComboFix3.txt 2010-11-10 18:48
ComboFix4.txt 2010-11-10 00:50
ComboFix5.txt 2012-02-19 10:35
.
Pre-Run: 11,699,261,440 bytes free
Post-Run: 11,701,301,248 bytes free
.
- - End Of File - - 89D7B4342B7B4A15F1ECF3D3DFE3940D
==================

I would appreciate any help.
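The Sigcheck section of the ComboFix log above lists several on-disk copies of tcpip.sys with their MD5s, and the copy Windows actually loads (system32\drivers) carries a different hash from the dllcache copy of the same version and size. The Python triage script below is an added example, not part of this thread or of ComboFix: it parses those Sigcheck lines (the sample is the block copied from the log above) and reports any live driver copy whose hash differs from every backup copy of the same name, version and size. The `[7]`/`[-]` marker in front of each line is carried through as printed; the script assigns it no meaning of its own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the Sigcheck block copied from the ComboFix log posted above.
SIGCHECK_SAMPLE = r"""
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\SYSTEM32\DLLCACHE\tcpip.sys
[-] 2007-10-30 . D1E0A099360A7AC279D883B057AB58A5 . 360064 . . [5.1.2600.3244] . . c:\windows\SYSTEM32\DRIVERS\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2007-06-04 . 27A5959C94EE173A063CA06BD14F021A . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2qfe\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2gdr\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
.
"""

# One Sigcheck line: [marker] date . MD5 . size . . [version] . . path
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


@dataclass(frozen=True)
class SigEntry:
    flag: str      # the bracketed marker exactly as ComboFix printed it
    date: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def is_live(self) -> bool:
        """True for the copy Windows loads: system32\\drivers or system32 itself.
        Everything else (dllcache, $hf_mig$, $NtUninstall*, download cache) is a backup."""
        low = self.path.lower()
        return "\\system32\\drivers\\" in low or low.endswith("\\system32\\" + self.name)


def parse_sigcheck(text: str) -> list[SigEntry]:
    """Parse every Sigcheck line in the given log text; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(SigEntry(m["flag"], m["date"], m["md5"].upper(),
                                    int(m["size"]), m["version"], m["path"]))
    return entries


def group_by_identity(entries: list[SigEntry]) -> dict[tuple, list[SigEntry]]:
    """Group copies that claim the same file name, version and size."""
    groups: dict[tuple, list[SigEntry]] = defaultdict(list)
    for e in entries:
        groups[(e.name, e.version, e.size)].append(e)
    return dict(groups)


def find_inconsistencies(entries: list[SigEntry]) -> dict[tuple, list[SigEntry]]:
    """Groups where copies of identical name/version/size carry different MD5s."""
    return {k: g for k, g in group_by_identity(entries).items()
            if len({e.md5 for e in g}) > 1}


def live_copies_differing_from_reference(entries: list[SigEntry]):
    """Live copies whose MD5 matches none of the backup copies of the same identity.
    A patched in-place driver shows up exactly this way; a backup-only mismatch does not."""
    out = []
    for group in group_by_identity(entries).values():
        live = [e for e in group if e.is_live]
        backups = [e for e in group if not e.is_live]
        for e in live:
            if backups and all(e.md5 != b.md5 for b in backups):
                out.append((e, backups))
    return out


def report(text: str) -> list[str]:
    lines = []
    for live, backups in live_copies_differing_from_reference(parse_sigcheck(text)):
        lines.append(f"LIVE COPY DIFFERS: [{live.flag}] {live.path} md5={live.md5} "
                     f"version={live.version} size={live.size}")
        for b in backups:
            lines.append(f"    backup [{b.flag}] {b.path} md5={b.md5}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SIGCHECK_SAMPLE)) or "no live/backup hash mismatches")
```

Run against the sample it prints the system32\drivers\tcpip.sys entry against its dllcache sibling; the two $NtUninstall* copies of 5.1.2600.2180 also disagree with each other, which `find_inconsistencies` lists, but neither is a live copy so the report does not raise them.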


#2 CatByte

  • Malware Response Team

Posted 19 February 2012 - 06:08 PM

Hi

Please do the following:

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /rp /s
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs


NEXT



Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • click OK
  • Press Start Scan
    • As we are only looking for a log of what is on the machine right now > choose to skip whatever is found
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Edited by CatByte, 19 February 2012 - 07:39 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 confidoboyd

  • Topic Starter

Posted 19 February 2012 - 07:08 PM

Hi,

I believe I followed the steps to the letter, but there was no Extras log created, only an OTL. TDSSKiller identified a problem and supposedly cured it, but Malwarebytes is still constantly putting up the warning that it's blocking malicious IPs.

OTL Log
----------
OTL logfile created on: 12-02-19 6:18:46 PM - Run 2
OTL by OldTimer - Version 3.2.33.0 Folder = C:\Documents and Settings\mwalsh\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yy-MM-dd

509.98 Mb Total Physical Memory | 183.59 Mb Available Physical Memory | 36.00% Memory free
1.22 Gb Paging File | 0.96 Gb Available in Paging File | 78.45% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.43 Gb Total Space | 58.75 Gb Free Space | 82.26% Space Free | Partition Type: NTFS
Drive D: | 678.80 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 665.70 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive G: | 1396.61 Gb Total Space | 377.60 Gb Free Space | 27.04% Space Free | Partition Type: NTFS

Computer Name: MWALSH | User Name: mwalsh | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012-02-19 18:17:45 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\mwalsh\Desktop\OTL.exe
PRC - [2012-01-13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012-01-13 14:53:18 | 000,460,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2007-06-13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2004-08-04 05:00:00 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2004-08-04 05:00:00 | 000,245,248 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (OEM02Dev)
SRV - File not found [Auto | Stopped] -- -- (AVGEMS)
SRV - File not found [Auto | Stopped] -- -- (Avg7UpdSvc)
SRV - File not found [Auto | Stopped] -- -- (Avg7Alrt)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2012-01-13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010-03-08 17:45:09 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\WINDOWS\SYSTEM32\3c1807pd.dll -- (processor)


========== Driver Services (SafeList) ==========

DRV - [2011-12-10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys -- (MBAMProtector)
DRV - [2011-06-02 10:08:34 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2009-03-15 15:13:10 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\npf.sys -- (npf)
DRV - [2007-12-27 16:19:26 | 000,010,760 | ---- | M] (GRISOFT, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgclean.sys -- (AvgClean)
DRV - [2007-10-27 15:49:19 | 000,821,856 | ---- | M] (GRISOFT, s.r.o.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\Drivers\avg7core.sys -- (Avg7Core)
DRV - [2007-03-12 22:46:07 | 000,004,960 | ---- | M] (GRISOFT, s.r.o.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\Drivers\avgtdi.sys -- (AvgTdi)
DRV - [2007-03-12 22:46:06 | 000,027,776 | ---- | M] (GRISOFT, s.r.o.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\Drivers\avg7rsxp.sys -- (Avg7RsXP)
DRV - [2007-03-12 22:46:05 | 000,004,224 | ---- | M] (GRISOFT, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avg7rsw.sys -- (Avg7RsW)
DRV - [2006-06-21 10:47:36 | 000,015,488 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\tbhsd.sys -- (tbhsd)
DRV - [2004-09-17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\senfilt.sys -- (senfilt)
DRV - [2004-09-07 17:38:09 | 000,028,160 | ---- | M] (Moodlogic Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\MLFILEM.SYS -- (MLFILEM)
DRV - [2004-08-04 05:00:00 | 000,088,448 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\NWLNKIPX.SYS -- (NwlnkIpx)
DRV - [2004-08-04 05:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\NWLNKNB.SYS -- (NwlnkNb)
DRV - [2004-08-04 05:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\NWLNKSPX.SYS -- (NwlnkSpx)
DRV - [2004-06-15 22:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys -- (IntelC53)
DRV - [2004-03-05 22:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys -- (IntelC52)
DRV - [2004-03-05 22:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys -- (IntelC51)
DRV - [2004-03-05 22:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mohfilt.sys -- (mohfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm

IE - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http:/www.cnn.com
IE - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.startup.homepage: "www.cnn.com/index.html"
FF - prefs.js..extensions.enabledItems: firefox@tvunetworks.com:2
FF - prefs.js..extensions.enabledItems: 4
FF - prefs.js..extensions.enabledItems: 9
FF - prefs.js..extensions.enabledItems: 1
FF - prefs.js..extensions.enabledItems: {BBF2F2E9-162E-4854-993D-4FB6AA2A4179}:1.9.1
FF - prefs.js..extensions.enabledItems: last-tab-close-button@victor.sacharin:0.3.4
FF - prefs.js..extensions.enabledItems: {3205B348-523A-4fac-9BC4-9939CBF583B0}:2.1.6
FF - prefs.js..extensions.enabledItems: vshare@toolbar:1.0.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.9
FF - prefs.js..extensions.enabledItems: VacuumPlacesImproved@lultimouomo-gmail.com:1.2
FF - prefs.js..extensions.enabledItems: LogMeInClient@logmein.com:1.0.0.652
FF - prefs.js..extensions.enabledItems: {5384767E-00D9-40E9-B72F-9CC39D655D6F}:1.4.1.1

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Content Upload Plugin,version=1.0.0: C:\Program Files\DivX\DivX Content Uploader\npUpload.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.17: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.17: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll File not found
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{5CF93A1E-CB0A-4FA6-9B75-FCDB7C2BBECA}: C:\Documents and Settings\mwalsh\Local Settings\Application Data\{5CF93A1E-CB0A-4FA6-9B75-FCDB7C2BBECA}
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBF2F2E9-162E-4854-993D-4FB6AA2A4179}: C:\Documents and Settings\mwalsh\Local Settings\Application Data\{BBF2F2E9-162E-4854-993D-4FB6AA2A4179} [2010-07-12 23:13:13 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011-02-04 16:44:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011-02-01 16:58:16 | 000,000,000 | ---D | M]

[2008-08-27 13:47:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Extensions
[2012-02-19 04:37:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions
[2011-07-04 21:41:49 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2011-07-04 21:41:51 | 000,000,000 | ---D | M] (Old Location Bar) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\{3205B348-523A-4fac-9BC4-9939CBF583B0}
[2012-02-13 20:07:52 | 000,000,000 | ---D | M] (EPUBReader) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F}
[2011-07-04 21:41:51 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2011-07-04 21:41:50 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011-07-04 21:41:50 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2008-07-20 20:41:30 | 000,000,000 | ---D | M] (ConquerTell) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\conquertell@jonducrou
[2010-08-17 16:41:06 | 000,000,000 | ---D | M] (TVU Web Player) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\firefox@tvunetworks.com
[2011-07-04 21:41:51 | 000,000,000 | ---D | M] (Last tab close button) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\last-tab-close-button@victor.sacharin
[2011-04-26 00:53:22 | 000,000,000 | ---D | M] (LogMeIn, Inc. Remote Access Plugin) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\LogMeInClient@logmein.com
[2011-02-05 12:22:34 | 000,000,000 | ---D | M] (Vacuum Places Improved) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\VacuumPlacesImproved@lultimouomo-gmail.com
[2010-08-28 21:36:16 | 000,000,000 | ---D | M] (vShare Plugin) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\vshare@toolbar
[2012-02-18 19:49:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011-01-03 17:17:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010-07-12 23:13:13 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\MWALSH\LOCAL SETTINGS\APPLICATION DATA\{BBF2F2E9-162E-4854-993D-4FB6AA2A4179}
[2011-01-03 17:17:30 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010-11-10 19:00:50 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2005-12-05 21:31:00 | 000,114,688 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npmozax.dll
[2007-08-20 22:20:28 | 000,159,744 | ---- | M] (CNN) -- C:\Program Files\mozilla firefox\plugins\NPTURNMED.dll

Hosts file not found
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O7 - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\SYSTEM32\nwprovau.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - %SystemRoot%\System32\nwprovau.dll File not found
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 24.226.1.93 24.226.10.193
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D2F5E465-9871-47AD-A9A4-1862BDF782B9}: DhcpNameServer = 192.168.1.1 24.226.1.93 24.226.10.193
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\SYSTEM32\USERINIT.EXE (Microsoft Corporation)
O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Documents and Settings\LocalService\Application Data\hotfix.exe) - File not found
O20 - HKU\S-1-5-18 Winlogon: Shell - (C:\Documents and Settings\LocalService\Application Data\hotfix.exe) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper:
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004-08-10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010-07-29 17:44:07 | 000,000,088 | R--- | M] () - F:\autorun.inf -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: OEM02Dev - File not found
NetSvcs: processor - C:\WINDOWS\SYSTEM32\3c1807pd.dll (Oak Technology Inc.)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012-02-19 18:17:43 | 000,583,680 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\mwalsh\Desktop\OTL.exe
[2012-02-19 18:12:55 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012-02-19 18:11:27 | 002,060,336 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\mwalsh\Desktop\TDSSKiller.exe
[2012-02-19 18:10:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\mwalsh\My Documents\Downloads
[2012-02-19 15:37:05 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012-02-19 06:21:05 | 000,000,000 | ---D | C] -- C:\Program Files\SystemRequirementsLab
[2012-02-19 06:20:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\mwalsh\Application Data\SystemRequirementsLab
[2012-02-19 06:18:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2012-02-19 06:17:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Driver Detective
[2012-02-19 06:17:37 | 000,000,000 | ---D | C] -- C:\Program Files\PC Drivers HeadQuarters
[2012-02-19 06:10:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012-02-19 04:38:17 | 004,406,994 | R--- | C] (Swearware) -- C:\Documents and Settings\mwalsh\Desktop\ComboFix.exe
[2012-01-22 15:05:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\mwalsh\Application Data\Mozilla-Cache
[2012-01-22 15:04:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\mwalsh\Start Menu\Programs\PartyPoker
[2012-01-22 15:04:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\mwalsh\Start Menu\Programs\Games
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012-02-19 18:28:53 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012-02-19 18:17:45 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\mwalsh\Desktop\OTL.exe
[2012-02-19 18:16:19 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012-02-19 18:15:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2012-02-19 18:15:33 | 534,827,008 | -HS- | M] () -- C:\hiberfil.sys
[2012-02-19 16:06:16 | 000,148,480 | ---- | M] () -- C:\Documents and Settings\mwalsh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012-02-19 15:08:43 | 000,219,248 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012-02-19 06:21:12 | 000,000,444 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2012-02-19 04:38:21 | 004,406,994 | R--- | M] (Swearware) -- C:\Documents and Settings\mwalsh\Desktop\ComboFix.exe
[2012-02-18 22:34:34 | 000,000,327 | RHS- | M] () -- C:\BOOT.INI
[2012-02-18 22:12:22 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1SqF8Qvo.dat
[2012-02-18 21:32:58 | 000,000,001 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Mcn4yJk6.exe_.b
[2012-02-18 21:32:58 | 000,000,001 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Mcn4yJk6.exe.b
[2012-02-17 17:23:38 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2012-02-15 19:34:16 | 002,060,336 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\mwalsh\Desktop\TDSSKiller.exe
[2012-01-22 15:04:37 | 000,001,668 | ---- | M] () -- C:\Documents and Settings\mwalsh\Application Data\Microsoft\Internet Explorer\Quick Launch\PartyPoker.lnk
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012-02-19 18:15:33 | 534,827,008 | -HS- | C] () -- C:\hiberfil.sys
[2012-02-19 06:21:12 | 000,000,444 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2012-02-18 22:32:14 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012-02-18 21:32:58 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Mcn4yJk6.exe_.b
[2012-02-18 21:32:58 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Mcn4yJk6.exe.b
[2012-02-18 21:32:38 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1SqF8Qvo.dat
[2012-02-18 21:10:04 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012-01-22 15:04:37 | 000,001,668 | ---- | C] () -- C:\Documents and Settings\mwalsh\Application Data\Microsoft\Internet Explorer\Quick Launch\PartyPoker.lnk
[2010-12-31 16:52:25 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2010-11-26 19:20:35 | 000,057,672 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010-11-08 23:08:09 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010-11-08 23:08:09 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010-11-08 23:08:09 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010-11-08 23:08:09 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010-11-08 23:08:09 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010-07-13 01:11:48 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Jlobahemofivut.dat
[2010-07-13 01:11:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ycanuy.bin
[2008-04-29 19:07:08 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\mwalsh\Local Settings\Application Data\fusioncache.dat
[2008-01-27 09:10:08 | 000,012,346 | ---- | C] () -- C:\Documents and Settings\mwalsh\Application Data\ShortcutSettings.xml
[2005-11-04 23:05:18 | 000,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005-05-21 20:55:02 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\mwalsh\Application Data\sversion.ini
[2005-05-12 19:42:20 | 000,148,480 | ---- | C] () -- C:\Documents and Settings\mwalsh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== LOP Check ==========

[2007-03-12 22:47:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avg7
[2005-05-04 08:17:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2011-04-26 00:57:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2010-04-20 22:15:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MGS
[2005-05-12 22:06:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MoodLogic
[2011-04-12 00:41:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Motorola
[2006-03-19 18:56:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2012-02-19 06:18:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2005-06-26 22:36:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010-12-31 17:06:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Western Digital
[2011-01-18 21:10:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2007-03-12 22:46:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AVG7
[2011-04-04 01:22:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\TightVNC
[2006-11-15 22:35:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\Aim
[2009-03-31 22:19:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\AVG7
[2009-01-06 07:24:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\deskUNPDF
[2012-02-18 18:18:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\Dropbox
[2009-03-31 22:28:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\gtk-2.0
[2007-04-06 13:32:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\Microgaming
[2008-08-27 21:36:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\NewsComponents
[2006-02-19 16:12:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\Registry Defender
[2011-01-03 17:17:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\RssBandit
[2012-02-19 06:20:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\SystemRequirementsLab
[2006-10-16 22:38:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\tunebite
[2007-05-30 12:03:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\Uniblue
[2012-02-18 03:04:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\uTorrent

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2007-06-13 06:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007-06-13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\erdnt\cache\explorer.exe
[2007-06-13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\explorer.exe
[2007-06-13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe
[2004-08-04 05:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

< MD5 for: SVCHOST.EXE >
[2012-01-13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2004-08-04 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\I386\SVCHOST.EXE
[2010-03-08 17:45:09 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\erdnt\cache\SVCHOST.EXE
[2010-03-08 17:45:09 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\SYSTEM32\DLLCACHE\svchost.exe
[2010-03-08 17:45:09 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\SYSTEM32\SVCHOST.EXE

< MD5 for: USERINIT.EXE >
[2004-08-04 05:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\I386\USERINIT.EXE
[2004-08-04 05:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\erdnt\cache\USERINIT.EXE
[2004-08-04 05:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\SYSTEM32\DLLCACHE\userinit.exe
[2004-08-04 05:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\SYSTEM32\USERINIT.EXE

< MD5 for: WINLOGON.EXE >
[2004-08-04 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\I386\WINLOGON.EXE
[2004-08-04 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\erdnt\cache\WINLOGON.EXE
[2004-08-04 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\SYSTEM32\DLLCACHE\winlogon.exe
[2004-08-04 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\SYSTEM32\WINLOGON.EXE
[2012-01-13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe

< %systemroot%\*. /rp /s >

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB33335$] -> Error: Cannot create file handle -> Unknown point type
[C:\WINDOWS\ASSEMBLY\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 -> Junction
[C:\WINDOWS\ASSEMBLY\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e -> Junction

========== Alternate Data Streams ==========

@Alternate Data Stream - 81 bytes -> C:\Program Files\Cake Poker:MID

< End of report >
TDSSKiller Log
---------------
18:59:28.0843 0344 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
18:59:30.0046 0344 ============================================================
18:59:30.0046 0344 Current date / time: 2012/02/19 18:59:30.0046
18:59:30.0046 0344 SystemInfo:
18:59:30.0046 0344
18:59:30.0046 0344 OS Version: 5.1.2600 ServicePack: 2.0
18:59:30.0046 0344 Product type: Workstation
18:59:30.0046 0344 ComputerName: MWALSH
18:59:30.0046 0344 UserName: mwalsh
18:59:30.0046 0344 Windows directory: C:\WINDOWS
18:59:30.0046 0344 System windows directory: C:\WINDOWS
18:59:30.0046 0344 Processor architecture: Intel x86
18:59:30.0046 0344 Number of processors: 1
18:59:30.0046 0344 Page size: 0x1000
18:59:30.0046 0344 Boot type: Normal boot
18:59:30.0046 0344 ============================================================
18:59:36.0343 0344 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
18:59:36.0390 0344 Drive \Device\Harddisk1\DR4 - Size: 0x15D27100000 (1396.61 Gb), SectorSize: 0x200, Cylinders: 0x2C82B, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
18:59:36.0390 0344 \Device\Harddisk0\DR0:
18:59:36.0390 0344 MBR used
18:59:36.0390 0344 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x8ED9D6C
18:59:36.0390 0344 \Device\Harddisk1\DR4:
18:59:36.0390 0344 MBR used
18:59:36.0390 0344 \Device\Harddisk1\DR4\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0xAE938000
18:59:36.0562 0344 Initialize success
18:59:36.0562 0344 ============================================================
18:59:43.0015 0876 ============================================================
18:59:43.0015 0876 Scan started
18:59:43.0015 0876 Mode: Manual;
18:59:43.0015 0876 ============================================================
18:59:48.0125 0876 Abiosdsk - ok
18:59:48.0671 0876 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
18:59:48.0671 0876 abp480n5 - ok
18:59:49.0250 0876 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:59:49.0359 0876 ACPI - ok
18:59:49.0703 0876 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
18:59:49.0718 0876 ACPIEC - ok
18:59:50.0234 0876 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
18:59:50.0250 0876 adpu160m - ok
18:59:50.0875 0876 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
18:59:50.0875 0876 aec - ok
18:59:51.0343 0876 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
18:59:51.0359 0876 AFD - ok
18:59:51.0812 0876 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
18:59:51.0812 0876 agp440 - ok
18:59:52.0265 0876 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
18:59:52.0265 0876 agpCPQ - ok
18:59:52.0546 0876 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
18:59:52.0562 0876 Aha154x - ok
18:59:52.0937 0876 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
18:59:52.0937 0876 aic78u2 - ok
18:59:53.0265 0876 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
18:59:53.0265 0876 aic78xx - ok
18:59:53.0578 0876 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
18:59:53.0593 0876 AliIde - ok
18:59:53.0984 0876 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys
18:59:53.0984 0876 alim1541 - ok
18:59:55.0140 0876 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys
18:59:55.0140 0876 amdagp - ok
18:59:55.0546 0876 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
18:59:55.0546 0876 amsint - ok
18:59:55.0812 0876 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
18:59:55.0812 0876 asc - ok
18:59:56.0187 0876 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
18:59:56.0187 0876 asc3350p - ok
18:59:56.0421 0876 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
18:59:56.0421 0876 asc3550 - ok
18:59:56.0843 0876 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:59:56.0843 0876 AsyncMac - ok
18:59:57.0125 0876 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:59:57.0125 0876 atapi - ok
18:59:57.0484 0876 Atdisk - ok
18:59:57.0906 0876 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:59:57.0906 0876 Atmarpc - ok
18:59:58.0515 0876 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
18:59:58.0546 0876 audstub - ok
18:59:59.0187 0876 Avg7Core (400e920d2e3f42bf6f1f75dd1b069ce3) C:\WINDOWS\System32\Drivers\avg7core.sys
18:59:59.0421 0876 Avg7Core - ok
18:59:59.0968 0876 Avg7RsW (8a7e25876955e06142ef65b52c906cf1) C:\WINDOWS\System32\Drivers\avg7rsw.sys
18:59:59.0984 0876 Avg7RsW - ok
19:00:00.0437 0876 Avg7RsXP (04d823d681f0d53191a172c3e667fc33) C:\WINDOWS\System32\Drivers\avg7rsxp.sys
19:00:00.0437 0876 Avg7RsXP - ok
19:00:00.0968 0876 AvgClean (603dc17a48c65c637623a9bb5a5e6008) C:\WINDOWS\System32\Drivers\avgclean.sys
19:00:00.0984 0876 AvgClean - ok
19:00:01.0390 0876 AvgTdi (8fa5cdfa0d72befff5e9a36df50e13ec) C:\WINDOWS\System32\Drivers\avgtdi.sys
19:00:01.0390 0876 AvgTdi - ok
19:00:01.0984 0876 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:00:02.0000 0876 Beep - ok
19:00:02.0312 0876 BTCFilterService - ok
19:00:02.0859 0876 bvrp_pci - ok
19:00:03.0296 0876 catchme - ok
19:00:03.0531 0876 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
19:00:03.0531 0876 cbidf - ok
19:00:03.0765 0876 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:00:03.0765 0876 cbidf2k - ok
19:00:04.0015 0876 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
19:00:04.0015 0876 cd20xrnt - ok
19:00:04.0234 0876 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:00:04.0234 0876 Cdaudio - ok
19:00:04.0453 0876 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
19:00:04.0453 0876 Cdfs - ok
19:00:04.0718 0876 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:00:04.0718 0876 Cdrom - ok
19:00:04.0906 0876 Changer - ok
19:00:05.0125 0876 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
19:00:05.0125 0876 CmdIde - ok
19:00:05.0406 0876 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
19:00:05.0406 0876 Cpqarray - ok
19:00:05.0562 0876 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
19:00:05.0562 0876 cpudrv - ok
19:00:05.0796 0876 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
19:00:05.0796 0876 dac2w2k - ok
19:00:06.0031 0876 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
19:00:06.0046 0876 dac960nt - ok
19:00:06.0312 0876 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
19:00:06.0312 0876 Disk - ok
19:00:06.0578 0876 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
19:00:06.0609 0876 dmboot - ok
19:00:06.0859 0876 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
19:00:06.0859 0876 dmio - ok
19:00:07.0078 0876 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:00:07.0078 0876 dmload - ok
19:00:07.0312 0876 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
19:00:07.0312 0876 DMusic - ok
19:00:07.0562 0876 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
19:00:07.0562 0876 dpti2o - ok
19:00:07.0812 0876 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
19:00:07.0812 0876 drmkaud - ok
19:00:08.0093 0876 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
19:00:08.0093 0876 E100B - ok
19:00:08.0359 0876 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
19:00:08.0359 0876 Fastfat - ok
19:00:08.0531 0876 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
19:00:08.0531 0876 Fdc - ok
19:00:08.0687 0876 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
19:00:08.0687 0876 Fips - ok
19:00:08.0843 0876 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
19:00:08.0843 0876 Flpydisk - ok
19:00:09.0078 0876 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
19:00:09.0093 0876 FltMgr - ok
19:00:09.0328 0876 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:00:09.0328 0876 Fs_Rec - ok
19:00:09.0500 0876 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:00:09.0500 0876 Ftdisk - ok
19:00:09.0750 0876 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:00:09.0750 0876 Gpc - ok
19:00:09.0953 0876 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
19:00:09.0953 0876 HidUsb - ok
19:00:10.0218 0876 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
19:00:10.0234 0876 hpn - ok
19:00:10.0406 0876 HTTP (cb77bb47e67e84deb17ba29632501730) C:\WINDOWS\system32\Drivers\HTTP.sys
19:00:10.0406 0876 HTTP - ok
19:00:10.0593 0876 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys
19:00:10.0609 0876 i2omgmt - ok
19:00:10.0781 0876 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys
19:00:10.0781 0876 i2omp - ok
19:00:10.0984 0876 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:00:10.0984 0876 i8042prt - ok
19:00:11.0203 0876 ialm (da58a8be6a445835f603720c4bc8837e) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
19:00:11.0234 0876 ialm - ok
19:00:11.0484 0876 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
19:00:11.0484 0876 Imapi - ok
19:00:11.0734 0876 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
19:00:11.0734 0876 ini910u - ok
19:00:11.0968 0876 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
19:00:12.0031 0876 IntelC51 - ok
19:00:12.0296 0876 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
19:00:12.0312 0876 IntelC52 - ok
19:00:12.0562 0876 IntelC53 (cf0b937710cec6ef39416edecd803cbb) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
19:00:12.0562 0876 IntelC53 - ok
19:00:12.0796 0876 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
19:00:12.0796 0876 IntelIde - ok
19:00:13.0031 0876 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
19:00:13.0031 0876 intelppm - ok
19:00:13.0265 0876 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
19:00:13.0265 0876 Ip6Fw - ok
19:00:13.0500 0876 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:00:13.0500 0876 IpFilterDriver - ok
19:00:13.0734 0876 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:00:13.0734 0876 IpInIp - ok
19:00:13.0968 0876 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:00:13.0968 0876 IpNat - ok
19:00:14.0234 0876 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:00:14.0234 0876 IPSec - ok
19:00:14.0437 0876 IPSECSHM - ok
19:00:14.0640 0876 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:00:14.0640 0876 IRENUM - ok
19:00:14.0875 0876 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:00:14.0875 0876 isapnp - ok
19:00:15.0109 0876 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:00:15.0109 0876 Kbdclass - ok
19:00:15.0312 0876 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
19:00:15.0312 0876 kbdhid - ok
19:00:15.0531 0876 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
19:00:15.0531 0876 kmixer - ok
19:00:15.0796 0876 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
19:00:15.0796 0876 KSecDD - ok
19:00:15.0984 0876 lbrtfdc - ok
19:00:16.0234 0876 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
19:00:16.0234 0876 MBAMProtector - ok
19:00:16.0500 0876 MLFILEM (3cc8d9e30b74fa973c52c2a93c114330) C:\WINDOWS\system32\drivers\MLFILEM.SYS
19:00:16.0500 0876 MLFILEM - ok
19:00:16.0734 0876 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:00:16.0734 0876 mnmdd - ok
19:00:16.0984 0876 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
19:00:16.0984 0876 Modem - ok
19:00:17.0171 0876 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
19:00:17.0187 0876 MODEMCSA - ok
19:00:17.0437 0876 mohfilt (59b8b11ff70728eec60e72131c58b716) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
19:00:17.0437 0876 mohfilt - ok
19:00:17.0609 0876 motccgp - ok
19:00:17.0750 0876 motccgpfl - ok
19:00:17.0906 0876 motmodem - ok
19:00:18.0046 0876 MotoSwitchService - ok
19:00:18.0203 0876 Motousbnet - ok
19:00:18.0359 0876 motusbdevice - ok
19:00:18.0578 0876 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:00:18.0578 0876 Mouclass - ok
19:00:18.0812 0876 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
19:00:18.0812 0876 mouhid - ok
19:00:19.0046 0876 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
19:00:19.0046 0876 MountMgr - ok
19:00:19.0296 0876 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
19:00:19.0296 0876 mraid35x - ok
19:00:19.0515 0876 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:00:19.0531 0876 MRxDAV - ok
19:00:19.0796 0876 MRxSmb (7412ce77c6fd823f8889b4df420c680b) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:00:19.0812 0876 MRxSmb - ok
19:00:20.0078 0876 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
19:00:20.0078 0876 Msfs - ok
19:00:20.0328 0876 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:00:20.0328 0876 MSKSSRV - ok
19:00:20.0562 0876 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:00:20.0562 0876 MSPCLOCK - ok
19:00:20.0796 0876 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
19:00:20.0796 0876 MSPQM - ok
19:00:21.0031 0876 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:00:21.0031 0876 mssmbios - ok
19:00:21.0203 0876 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
19:00:21.0203 0876 Mup - ok
19:00:21.0406 0876 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
19:00:21.0406 0876 NDIS - ok
19:00:21.0593 0876 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:00:21.0593 0876 NdisTapi - ok
19:00:21.0750 0876 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:00:21.0750 0876 Ndisuio - ok
19:00:21.0890 0876 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:00:21.0890 0876 NdisWan - ok
19:00:22.0109 0876 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
19:00:22.0109 0876 NDProxy - ok
19:00:22.0312 0876 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:00:22.0312 0876 NetBIOS - ok
19:00:22.0468 0876 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:00:22.0468 0876 NetBT - ok
19:00:22.0656 0876 npf (6623e51595c0076755c29c00846c4eb2) C:\WINDOWS\system32\drivers\npf.sys
19:00:22.0656 0876 npf - ok
19:00:22.0828 0876 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
19:00:22.0828 0876 Npfs - ok
19:00:22.0968 0876 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
19:00:23.0000 0876 Ntfs - ok
19:00:23.0203 0876 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:00:23.0203 0876 Null - ok
19:00:23.0453 0876 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
19:00:23.0546 0876 nv - ok
19:00:23.0796 0876 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:00:23.0796 0876 NwlnkFlt - ok
19:00:24.0031 0876 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:00:24.0031 0876 NwlnkFwd - ok
19:00:24.0265 0876 NwlnkIpx (79ea3fcda7067977625b3363a2657c80) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
19:00:24.0281 0876 NwlnkIpx - ok
19:00:24.0515 0876 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
19:00:24.0515 0876 NwlnkNb - ok
19:00:24.0765 0876 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
19:00:24.0765 0876 NwlnkSpx - ok
19:00:25.0015 0876 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
19:00:25.0031 0876 Parport - ok
19:00:25.0250 0876 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
19:00:25.0250 0876 PartMgr - ok
19:00:25.0484 0876 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
19:00:25.0484 0876 ParVdm - ok
19:00:25.0687 0876 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
19:00:25.0687 0876 PCI - ok
19:00:25.0890 0876 PCIDump - ok
19:00:26.0093 0876 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
19:00:26.0093 0876 PCIIde - ok
19:00:26.0250 0876 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
19:00:26.0250 0876 Pcmcia - ok
19:00:26.0421 0876 PDCOMP - ok
19:00:26.0562 0876 PDFRAME - ok
19:00:26.0718 0876 PDRELI - ok
19:00:26.0875 0876 PDRFRAME - ok
19:00:27.0078 0876 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
19:00:27.0078 0876 perc2 - ok
19:00:27.0312 0876 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
19:00:27.0312 0876 perc2hib - ok
19:00:27.0578 0876 Point32 (bd5a1efe9e08ba4b2770c3eab3a95d91) C:\WINDOWS\system32\DRIVERS\point32.sys
19:00:27.0578 0876 Point32 - ok
19:00:27.0843 0876 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:00:27.0843 0876 PptpMiniport - ok
19:00:28.0093 0876 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
19:00:28.0109 0876 PSched - ok
19:00:28.0328 0876 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:00:28.0328 0876 Ptilink - ok
19:00:28.0484 0876 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
19:00:28.0484 0876 PxHelp20 - ok
19:00:28.0640 0876 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
19:00:28.0640 0876 ql1080 - ok
19:00:28.0828 0876 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
19:00:28.0828 0876 Ql10wnt - ok
19:00:28.0968 0876 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
19:00:28.0968 0876 ql12160 - ok
19:00:29.0109 0876 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
19:00:29.0109 0876 ql1240 - ok
19:00:29.0250 0876 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
19:00:29.0250 0876 ql1280 - ok
19:00:29.0406 0876 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:00:29.0406 0876 RasAcd - ok
19:00:29.0609 0876 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:00:29.0609 0876 Rasl2tp - ok
19:00:29.0765 0876 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:00:29.0781 0876 RasPppoe - ok
19:00:29.0937 0876 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
19:00:29.0937 0876 Raspti - ok
19:00:30.0062 0876 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:00:30.0078 0876 Rdbss - ok
19:00:30.0265 0876 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:00:30.0265 0876 RDPCDD - ok
19:00:30.0421 0876 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:00:30.0421 0876 rdpdr - ok
19:00:30.0578 0876 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
19:00:30.0578 0876 RDPWD - ok
19:00:30.0750 0876 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
19:00:30.0750 0876 redbook - ok
19:00:31.0015 0876 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:00:31.0015 0876 Secdrv - ok
19:00:31.0281 0876 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
19:00:31.0312 0876 senfilt - ok
19:00:31.0562 0876 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
19:00:31.0562 0876 serenum - ok
19:00:31.0796 0876 Serial (c92069ae74b7f866ffbe76a55658a0b6) C:\WINDOWS\system32\DRIVERS\serial.sys
19:00:31.0796 0876 Serial ( Virus.Win32.ZAccess.c ) - infected
19:00:31.0796 0876 Serial - detected Virus.Win32.ZAccess.c (0)
19:00:32.0031 0876 sermouse (1f16931c722c69e4a7866244796c66a0) C:\WINDOWS\system32\DRIVERS\sermouse.sys
19:00:32.0031 0876 sermouse - ok
19:00:32.0312 0876 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
19:00:32.0312 0876 Sfloppy - ok
19:00:32.0500 0876 Simbad - ok
19:00:32.0703 0876 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys
19:00:32.0703 0876 sisagp - ok
19:00:32.0953 0876 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
19:00:32.0968 0876 smwdm - ok
19:00:33.0218 0876 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
19:00:33.0218 0876 Sparrow - ok
19:00:33.0437 0876 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
19:00:33.0437 0876 splitter - ok
19:00:33.0671 0876 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
19:00:33.0671 0876 sr - ok
19:00:33.0921 0876 Srv (ea554a3ffc3f536fe8320eb38f5e4843) C:\WINDOWS\system32\DRIVERS\srv.sys
19:00:33.0937 0876 Srv - ok
19:00:34.0171 0876 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
19:00:34.0171 0876 swenum - ok
19:00:34.0421 0876 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
19:00:34.0421 0876 swmidi - ok
19:00:34.0671 0876 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
19:00:34.0671 0876 symc810 - ok
19:00:34.0906 0876 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
19:00:34.0906 0876 symc8xx - ok
19:00:35.0156 0876 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
19:00:35.0156 0876 sym_hi - ok
19:00:35.0328 0876 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
19:00:35.0328 0876 sym_u3 - ok
19:00:35.0515 0876 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
19:00:35.0531 0876 sysaudio - ok
19:00:35.0781 0876 tbhsd (8fe2cdaa802e3e81102020d475cd7e68) C:\WINDOWS\system32\drivers\tbhsd.sys
19:00:35.0781 0876 tbhsd - ok
19:00:36.0000 0876 Tcpip (d1e0a099360a7ac279d883b057ab58a5) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:00:36.0015 0876 Tcpip - ok
19:00:36.0234 0876 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
19:00:36.0234 0876 TDPIPE - ok
19:00:36.0453 0876 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
19:00:36.0468 0876 TDTCP - ok
19:00:36.0687 0876 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
19:00:36.0687 0876 TermDD - ok
19:00:36.0937 0876 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
19:00:36.0937 0876 TosIde - ok
19:00:37.0203 0876 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
19:00:37.0203 0876 Udfs - ok
19:00:37.0437 0876 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
19:00:37.0437 0876 ultra - ok
19:00:37.0687 0876 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
19:00:37.0718 0876 Update - ok
19:00:37.0953 0876 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
19:00:37.0953 0876 usbccgp - ok
19:00:38.0156 0876 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:00:38.0156 0876 usbehci - ok
19:00:38.0390 0876 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:00:38.0390 0876 usbhub - ok
19:00:38.0625 0876 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:00:38.0625 0876 USBSTOR - ok
19:00:38.0859 0876 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:00:38.0859 0876 usbuhci - ok
19:00:39.0109 0876 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
19:00:39.0109 0876 VgaSave - ok
19:00:39.0343 0876 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys
19:00:39.0343 0876 viaagp - ok
19:00:39.0593 0876 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
19:00:39.0593 0876 ViaIde - ok
19:00:39.0843 0876 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
19:00:39.0843 0876 VolSnap - ok
19:00:40.0109 0876 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:00:40.0109 0876 Wanarp - ok
19:00:40.0312 0876 wanatw - ok
19:00:40.0453 0876 WDC_SAM - ok
19:00:40.0671 0876 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
19:00:40.0718 0876 Wdf01000 - ok
19:00:40.0890 0876 WDICA - ok
19:00:41.0093 0876 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
19:00:41.0093 0876 wdmaud - ok
19:00:41.0359 0876 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
19:00:41.0359 0876 WpdUsb - ok
19:00:41.0593 0876 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
19:00:41.0593 0876 WS2IFSL - ok
19:00:41.0812 0876 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
19:00:41.0812 0876 WudfPf - ok
19:00:42.0062 0876 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
19:00:42.0062 0876 WudfRd - ok
19:00:42.0093 0876 MBR (0x1B8) (b16a2359f4962b0c622d81a1c1f4b703) \Device\Harddisk0\DR0
19:00:42.0125 0876 \Device\Harddisk0\DR0 - ok
19:00:42.0140 0876 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR4
19:00:42.0140 0876 \Device\Harddisk1\DR4 - ok
19:00:42.0171 0876 Boot (0x1200) (25d31bd0e6c932b51ad7a1978fc7f484) \Device\Harddisk0\DR0\Partition0
19:00:42.0171 0876 \Device\Harddisk0\DR0\Partition0 - ok
19:00:42.0187 0876 Boot (0x1200) (9b5ce993eb309d3b72a0bfedbf25d666) \Device\Harddisk1\DR4\Partition0
19:00:42.0187 0876 \Device\Harddisk1\DR4\Partition0 - ok
19:00:42.0187 0876 ============================================================
19:00:42.0187 0876 Scan finished
19:00:42.0187 0876 ============================================================
19:00:42.0203 0200 Detected object count: 1
19:00:42.0203 0200 Actual detected object count: 1
19:00:58.0218 0200 C:\WINDOWS\system32\DRIVERS\serial.sys - copied to quarantine
19:00:58.0234 0200 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\SERIAL.SYS) error 1813
19:01:03.0109 0200 Backup copy found, using it..
19:01:03.0109 0200 C:\WINDOWS\system32\DRIVERS\serial.sys - will be cured on reboot
19:01:12.0296 0200 Serial ( Virus.Win32.ZAccess.c ) - User select action: Cure
19:01:32.0031 1060 Deinitialize success
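
The TDSSKiller log above is several hundred lines of which only four matter (the `serial.sys` entry flagged as `Virus.Win32.ZAccess.c` and the quarantine/cure lines that follow it). The following is an added triage helper written for this thread; it is not part of TDSSKiller, OTL or ComboFix and was not posted by anyone in the thread. It assumes the line format seen above (timestamp, thread id, object name, an optional `(md5) path`, then a separate `<name or path> - <status>` line, with MBR and boot-sector verdicts keyed by the device path rather than the object name), parses the log into per-object records and returns everything TDSSKiller did not clear as `- ok`. The sample lines are copied from the posted log with a few clean drivers kept as controls.

```python
"""Triage helper for a TDSSKiller-style scan log.

Added example for this thread; it is not part of TDSSKiller, OTL or ComboFix.
The line format (timestamp, thread id, object name, optional "(md5) path",
then a separate "<name or path> - <status>" line) is inferred from the log
posted above, so treat the regexes as an assumption about that format.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: lines copied from the posted log, including the one
# driver TDSSKiller flagged, its quarantine/cure lines, an MBR check and a few
# clean drivers as controls.
SAMPLE_LOG = r"""
19:00:31.0796 0876 Serial (c92069ae74b7f866ffbe76a55658a0b6) C:\WINDOWS\system32\DRIVERS\serial.sys
19:00:31.0796 0876 Serial ( Virus.Win32.ZAccess.c ) - infected
19:00:31.0796 0876 Serial - detected Virus.Win32.ZAccess.c (0)
19:00:32.0031 0876 sermouse (1f16931c722c69e4a7866244796c66a0) C:\WINDOWS\system32\DRIVERS\sermouse.sys
19:00:32.0031 0876 sermouse - ok
19:00:36.0000 0876 Tcpip (d1e0a099360a7ac279d883b057ab58a5) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:00:36.0015 0876 Tcpip - ok
19:00:42.0093 0876 MBR (0x1B8) (b16a2359f4962b0c622d81a1c1f4b703) \Device\Harddisk0\DR0
19:00:42.0125 0876 \Device\Harddisk0\DR0 - ok
19:00:42.0203 0200 Detected object count: 1
19:00:58.0218 0200 C:\WINDOWS\system32\DRIVERS\serial.sys - copied to quarantine
19:01:03.0109 0200 C:\WINDOWS\system32\DRIVERS\serial.sys - will be cured on reboot
"""

PREFIX = r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<tid>\w+)\s+"
# "<name> (<md5>) <path>": the object line, one per scanned driver or sector.
OBJECT_RE = re.compile(PREFIX + r"(?P<name>.+?)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*)$")
# "<name or path> - <status>": the verdict or action line that follows it.
STATUS_RE = re.compile(PREFIX + r"(?P<key>.+?)\s+-\s+(?P<status>.+)$")
# On an infected verdict the key carries the detection: "Serial ( Virus.Win32.ZAccess.c )".
INFECTED_KEY_RE = re.compile(r"^(?P<name>.+?)\s+\(\s*(?P<det>\S+)\s*\)$")
DETECTED_RE = re.compile(r"^detected\s+(?P<det>\S+)")


@dataclass
class ScanObject:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    status: str = "unknown"          # ok | infected | suspicious | detected | unknown
    detection: Optional[str] = None
    actions: List[str] = field(default_factory=list)   # quarantine/cure lines


def parse_tdsskiller_log(text: str) -> Dict[str, ScanObject]:
    """Return the scanned objects keyed by name, in log order."""
    objects: Dict[str, ScanObject] = {}
    by_path: Dict[str, str] = {}     # MBR/boot verdicts and actions are keyed by path
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OBJECT_RE.match(line)
        if m:
            obj = objects.setdefault(m["name"], ScanObject(m["name"]))
            obj.md5, obj.path = m["md5"].lower(), m["path"]
            by_path[m["path"].lower()] = m["name"]
            continue
        m = STATUS_RE.match(line)
        if not m:
            continue                  # counters, housekeeping, "Scan finished"
        key, status = m["key"], m["status"].strip()
        detection = None
        if status in ("infected", "suspicious"):
            km = INFECTED_KEY_RE.match(key)
            if km:
                key, detection = km["name"], km["det"]
        name = by_path.get(key.lower(), key)
        obj = objects.setdefault(name, ScanObject(name))
        dm = DETECTED_RE.match(status)
        if status == "ok":
            obj.status = "ok"
        elif status in ("infected", "suspicious"):
            obj.status = status
            obj.detection = detection or obj.detection
        elif dm:
            obj.detection = dm["det"]
            if obj.status not in ("infected", "suspicious"):
                obj.status = "detected"
        else:
            obj.actions.append(status)   # e.g. "copied to quarantine"
    return objects


def findings(objects: Dict[str, ScanObject]) -> List[ScanObject]:
    """Everything not cleared as '- ok', including objects with no verdict at all."""
    return [o for o in objects.values() if o.status != "ok"]


def summarize(text: str) -> dict:
    objects = parse_tdsskiller_log(text)
    flagged = findings(objects)
    return {
        "scanned": len(objects),
        "flagged": [(o.name, o.status, o.detection, o.path) for o in flagged],
        "actions": {o.name: o.actions for o in flagged if o.actions},
    }


if __name__ == "__main__":
    for name, status, det, path in summarize(SAMPLE_LOG)["flagged"]:
        print(f"{status:9} {name:12} {det or '-':25} {path}")
```

Run against the full log from the post, the only finding is `Serial` with its MD5, path, detection name and the two follow-up actions; an object that has a file line but never gets a verdict line (a truncated or interrupted scan) is reported too, since "no verdict" is not the same as "ok".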

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 19 February 2012 - 07:53 PM

Hi

Please run the following script

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    @Alternate Data Stream - 81 bytes -> C:\Program Files\Cake Poker:MID
    [2010-07-13 01:11:48 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Jlobahemofivut.dat
    [2010-07-13 01:11:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ycanuy.bin
    [2012-02-18 21:32:58 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Mcn4yJk6.exe_.b
    [2012-02-18 21:32:58 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Mcn4yJk6.exe.b
    [2012-02-18 21:32:38 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1SqF8Qvo.dat
    NetSvcs: processor - C:\WINDOWS\SYSTEM32\3c1807pd.dll (Oak Technology Inc.)
    SRV - [2010-03-08 17:45:09 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\WINDOWS\SYSTEM32\3c1807pd.dll -- (processor)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O3 - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
    [2010-07-12 23:13:13 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\MWALSH\LOCAL SETTINGS\APPLICATION DATA\{BBF2F2E9-162E-4854-993D-4FB6AA2A4179}
    MOD - [2004-08-04 05:00:00 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
    MOD - [2004-08-04 05:00:00 | 000,245,248 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
    
    :files
    rmdir C:\WINDOWS\$NtUninstallKB33335$ /c
    ipconfig /flushdns /c
    
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL log


NEXT


Please re-run ComboFix - allow it to update if it asks to do so

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 confidoboyd

confidoboyd
  • Topic Starter

  • Members
  • 8 posts

Posted 19 February 2012 - 09:34 PM

Here are the 2 logs:

-------------
All processes killed
========== OTL ==========
ADS C:\Program Files\Cake Poker:MID deleted successfully.
C:\WINDOWS\Jlobahemofivut.dat moved successfully.
C:\WINDOWS\Ycanuy.bin moved successfully.
C:\Documents and Settings\All Users\Application Data\Mcn4yJk6.exe_.b moved successfully.
C:\Documents and Settings\All Users\Application Data\Mcn4yJk6.exe.b moved successfully.
C:\Documents and Settings\All Users\Application Data\1SqF8Qvo.dat moved successfully.
processor removed from NetSvcs value successfully!
Service processor stopped successfully!
Service processor deleted successfully!
C:\WINDOWS\SYSTEM32\3c1807pd.dll moved successfully.
Error: No service named processor was found to stop!
Service\Driver key processor not found.
File C:\WINDOWS\SYSTEM32\3c1807pd.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_USERS\S-1-5-21-1827929367-3642598413-85638485-1006\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-1827929367-3642598413-85638485-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_USERS\S-1-5-21-1827929367-3642598413-85638485-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\ not found.
C:\DOCUMENTS AND SETTINGS\MWALSH\LOCAL SETTINGS\APPLICATION DATA\{BBF2F2E9-162E-4854-993D-4FB6AA2A4179}\chrome\content folder moved successfully.
C:\DOCUMENTS AND SETTINGS\MWALSH\LOCAL SETTINGS\APPLICATION DATA\{BBF2F2E9-162E-4854-993D-4FB6AA2A4179}\chrome folder moved successfully.
C:\DOCUMENTS AND SETTINGS\MWALSH\LOCAL SETTINGS\APPLICATION DATA\{BBF2F2E9-162E-4854-993D-4FB6AA2A4179} folder moved successfully.
========== FILES ==========
< rmdir C:\WINDOWS\$NtUninstallKB33335$ /c >
C:\Documents and Settings\mwalsh\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\mwalsh\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\mwalsh\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\mwalsh\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: mwalsh
->Temp folder emptied: 379180 bytes
->Temporary Internet Files folder emptied: 1811781 bytes
->Java cache emptied: 828236 bytes
->FireFox cache emptied: 89609574 bytes
->Flash cache emptied: 1238506 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1473038 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 6306 bytes

User: postgres
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 5 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 34659055 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 124.00 mb


OTL by OldTimer - Version 3.2.33.0 log created on 02192012_204857

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
------------



and Combofix:

--------
ComboFix 12-02-17.02 - mwalsh 12-02-19 21:11:48.8.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.314 [GMT -5:00]
Running from: c:\documents and settings\mwalsh\Desktop\ComboFix.exe
AV: AVG 7.5.516 *Enabled/Outdated* {41564737-3200-1071-989B-0000E87B4FB1}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\mwalsh\Application Data\Help\coredb\storage
c:\windows\$NtUninstallKB33335$\3624456017
c:\windows\$NtUninstallKB33335$\3909839676\@
c:\windows\$NtUninstallKB33335$\3909839676\cfg.ini
c:\windows\$NtUninstallKB33335$\3909839676\Desktop.ini
c:\windows\$NtUninstallKB33335$\3909839676\L\odetmngk
c:\windows\$NtUninstallKB33335$\3909839676\U\00000001.@
c:\windows\$NtUninstallKB33335$\3909839676\U\00000002.@
c:\windows\$NtUninstallKB33335$\3909839676\U\00000004.@
c:\windows\$NtUninstallKB33335$\3909839676\U\80000000.@
c:\windows\$NtUninstallKB33335$\3909839676\U\80000004.@
c:\windows\$NtUninstallKB33335$\3909839676\U\80000032.@
c:\windows\$NtUninstallKB33335$\3909839676\version
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2012-01-20 to 2012-02-20 )))))))))))))))))))))))))))))))
.
.
2012-02-20 02:08 . 2004-08-04 10:00 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-02-20 01:57 . 2004-08-04 10:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-20 01:11 . 2012-02-20 01:11 -------- d-----w- C:\_OTL
2012-02-19 23:15 . 2004-02-10 16:50 155648 ----a-w- c:\windows\system32\igfxres.dll
2012-02-19 23:12 . 2012-02-19 23:12 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-19 11:21 . 2012-02-19 11:21 -------- d-----w- c:\program files\SystemRequirementsLab
2012-02-19 11:20 . 2012-02-19 11:20 -------- d-----w- c:\documents and settings\mwalsh\Application Data\SystemRequirementsLab
2012-02-19 11:18 . 2012-02-19 11:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2012-02-19 11:17 . 2012-02-19 11:17 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2012-02-19 11:00 . 2004-08-04 10:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-19 09:57 . 2012-02-19 23:14 454400 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-02-19 02:10 . 2012-02-20 02:10 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-01-22 20:05 . 2012-01-22 20:05 -------- d-----w- c:\documents and settings\mwalsh\Application Data\Mozilla-Cache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-10 03:52 . 2012-01-10 03:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\SYSTEM32\DLLCACHE\tcpip.sys
[-] 2007-10-30 . D1E0A099360A7AC279D883B057AB58A5 . 360064 . . [5.1.2600.3244] . . c:\windows\SYSTEM32\DRIVERS\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2007-06-04 . 27A5959C94EE173A063CA06BD14F021A . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2qfe\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2gdr\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot_2012-02-19_10.20.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-03-06 03:13 . 2004-03-06 03:13 53248 c:\windows\SYSTEM32\mhwt.dll
- 1980-01-01 05:00 . 2004-03-06 03:13 53248 c:\windows\SYSTEM32\mhwt.dll
- 1980-01-01 05:00 . 2004-03-06 03:12 34293 c:\windows\SYSTEM32\IntelCci.dll
+ 2004-03-06 03:12 . 2004-03-06 03:12 34293 c:\windows\SYSTEM32\IntelCci.dll
+ 1980-01-01 05:00 . 2004-02-10 16:55 90112 c:\windows\SYSTEM32\igfxzoom.exe
- 1980-01-01 05:00 . 2005-09-20 13:36 94208 c:\windows\SYSTEM32\igfxext.exe
+ 1980-01-01 05:00 . 2004-02-10 16:55 94208 c:\windows\SYSTEM32\igfxext.exe
+ 1980-01-01 05:00 . 2004-02-10 16:55 32768 c:\windows\SYSTEM32\igfxexps.dll
+ 1980-01-01 05:00 . 2004-02-10 16:50 86016 c:\windows\SYSTEM32\igfxdo.dll
- 1980-01-01 05:00 . 2005-09-20 13:32 86016 c:\windows\SYSTEM32\igfxdo.dll
+ 2004-02-10 16:53 . 2004-02-10 16:53 45056 c:\windows\SYSTEM32\igfxdgps.dll
+ 1980-01-01 05:00 . 2004-02-10 17:10 36415 c:\windows\SYSTEM32\ialmrnt5.dll
+ 1980-01-01 05:00 . 2004-02-10 17:10 49152 c:\windows\SYSTEM32\ialmrem.dll
- 1980-01-01 05:00 . 2005-09-20 13:52 49152 c:\windows\SYSTEM32\ialmrem.dll
+ 2012-02-19 11:21 . 2012-02-19 11:21 31744 c:\windows\Installer\e5f2b.msi
+ 2012-02-19 11:17 . 2012-02-19 11:17 55176 c:\windows\Installer\{4640FDE1-B83A-4376-84ED-86F86BEE2D41}\UNINST_Uninstall_D_4299976C1167441FA07CEF9926E410B1.exe
+ 2012-02-19 11:17 . 2012-02-19 11:17 75656 c:\windows\Installer\{4640FDE1-B83A-4376-84ED-86F86BEE2D41}\ProductName.chm.de_D066A77819B7480BA99CC79FB02C9357.exe
+ 2012-02-19 11:17 . 2012-02-19 11:17 75656 c:\windows\Installer\{4640FDE1-B83A-4376-84ED-86F86BEE2D41}\NewShortcut7_093EA01C878D4FB8BBB75CF2AF29E7A1.exe
+ 2012-02-19 11:17 . 2012-02-19 11:17 75656 c:\windows\Installer\{4640FDE1-B83A-4376-84ED-86F86BEE2D41}\DriversHQ.DriverDe_84B8F33B3EBF407BAC7CF7FF8090594C.exe
+ 2012-02-19 11:17 . 2012-02-19 11:17 75656 c:\windows\Installer\{4640FDE1-B83A-4376-84ED-86F86BEE2D41}\DriversHQ.DriverDe_73EA94828B1A467994E24B03923D8FFE.exe
+ 2012-02-19 11:17 . 2012-02-19 11:17 75656 c:\windows\Installer\{4640FDE1-B83A-4376-84ED-86F86BEE2D41}\DriverDetective.pt_6CF114D33913468CBA2AA6967939B819.exe
+ 2012-02-19 11:17 . 2012-02-19 11:17 75656 c:\windows\Installer\{4640FDE1-B83A-4376-84ED-86F86BEE2D41}\DriverDetective.it_251B66F1CA924E82A1EE29E85D5EC5A1.exe
+ 2012-02-19 11:17 . 2012-02-19 11:17 75656 c:\windows\Installer\{4640FDE1-B83A-4376-84ED-86F86BEE2D41}\DriverDetective.fr_E1678746353A46E3A9150D3E8B3832B1.exe
+ 2012-02-19 11:17 . 2012-02-19 11:17 75656 c:\windows\Installer\{4640FDE1-B83A-4376-84ED-86F86BEE2D41}\DriverDetective.es_654C8EA5162D4D4084239A5EDD67F462.exe
+ 2012-02-19 11:17 . 2012-02-19 11:17 75656 c:\windows\Installer\{4640FDE1-B83A-4376-84ED-86F86BEE2D41}\DriverDetective.ch_571875AB094D409B841CA52363CEAF75.exe
+ 2012-02-19 11:17 . 2012-02-19 11:17 75656 c:\windows\Installer\{4640FDE1-B83A-4376-84ED-86F86BEE2D41}\ARPPRODUCTICON.exe
+ 2012-02-19 11:18 . 2012-02-19 11:18 59392 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\ExceptionLogging\9e6693127d78a1c3e215dd1ccefae365\ExceptionLogging.ni.dll
+ 2004-08-04 10:00 . 2010-03-08 22:45 5632 c:\windows\SYSTEM32\NuidFltr.dll
- 1980-01-01 05:00 . 2004-03-06 03:13 172032 c:\windows\SYSTEM32\intelmoh.dll
+ 2004-03-06 03:13 . 2004-03-06 03:13 172032 c:\windows\SYSTEM32\intelmoh.dll
+ 2005-09-20 13:35 . 2004-02-10 16:55 155648 c:\windows\SYSTEM32\igfxtray.exe
+ 1980-01-01 05:00 . 2004-02-10 16:51 339968 c:\windows\SYSTEM32\igfxsrvc.dll
+ 1980-01-01 05:00 . 2004-02-10 16:50 880640 c:\windows\SYSTEM32\igfxress.dll
+ 1980-01-01 05:00 . 2004-02-10 16:55 225280 c:\windows\SYSTEM32\igfxpph.dll
+ 2004-02-10 16:51 . 2004-02-10 16:51 126976 c:\windows\SYSTEM32\igfxhk.dll
+ 2004-02-10 16:54 . 2004-02-10 16:54 221184 c:\windows\SYSTEM32\igfxeud.dll
+ 2004-02-10 16:53 . 2004-02-10 16:53 151552 c:\windows\SYSTEM32\igfxdiag.exe
+ 1980-01-01 05:00 . 2004-02-10 16:50 143360 c:\windows\SYSTEM32\igfxdev.dll
+ 1980-01-01 05:00 . 2004-02-10 16:53 462848 c:\windows\SYSTEM32\igfxcfg.exe
+ 1980-01-01 05:00 . 2004-02-10 17:10 103484 c:\windows\SYSTEM32\ialmdnt5.dll
+ 1980-01-01 05:00 . 2004-02-10 17:09 126651 c:\windows\SYSTEM32\ialmdev5.dll
+ 1980-01-01 05:00 . 2004-02-10 17:16 739387 c:\windows\SYSTEM32\ialmdd5.dll
+ 2005-09-20 13:32 . 2004-02-10 16:51 118784 c:\windows\SYSTEM32\hkcmd.exe
+ 1980-01-01 05:00 . 2004-02-10 16:50 118784 c:\windows\SYSTEM32\hccutils.dll
+ 2004-08-10 18:08 . 2012-02-19 20:08 219248 c:\windows\SYSTEM32\FNTCACHE.DAT
- 2004-08-10 18:08 . 2010-11-27 01:05 219248 c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2012-02-19 11:18 . 2012-02-19 11:18 119296 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\XPBurnComponent\05f19063bf1b487e28e8626900e6d4d6\XPBurnComponent.ni.dll
+ 2012-02-19 11:18 . 2012-02-19 11:18 148992 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\Microsoft.Practices#\f511848d164044f0ba6610a03e2f5bd3\Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.ni.dll
+ 2012-02-19 11:18 . 2012-02-19 11:18 303616 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\Microsoft.Practices#\d9c5ca4468b9cb75f1bf3c09cb01c0de\Microsoft.Practices.ObjectBuilder.ni.dll
+ 2012-02-19 11:18 . 2012-02-19 11:18 309248 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\Microsoft.Practices#\8ac068ef338d9be2b3ca3ddc37434c10\Microsoft.Practices.EnterpriseLibrary.Common.ni.dll
+ 2012-02-19 11:18 . 2012-02-19 11:18 230400 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\Microsoft.Applicati#\127934709fea848df74acaed185ca0e5\Microsoft.ApplicationBlocks.Updater.ni.dll
+ 2012-02-19 11:18 . 2012-02-19 11:18 202240 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\Interop.WUApiLib\9f3681e3dfb324a80eb8496ae8a8277f\Interop.WUApiLib.ni.dll
+ 2012-02-19 11:18 . 2012-02-19 11:18 547840 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\ICSharpCode.SharpZi#\4fcb8d003ef965a7482233a00ab2d6e9\ICSharpCode.SharpZipLib.ni.dll
+ 2012-02-19 11:18 . 2012-02-19 11:18 409600 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\Agent.Communication\6942839061ae20cfd6cfc90eede09a72\Agent.Communication.ni.dll
+ 2012-02-19 11:18 . 2012-02-19 11:18 352256 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\Agent.Common\f6a1419c5b183e6092e2a96b0a6b991b\Agent.Common.ni.dll
+ 2012-02-19 11:17 . 2012-02-19 11:17 2859520 c:\windows\Installer\e5f26.msi
+ 2012-02-19 11:18 . 2012-02-19 11:18 1149952 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\Common\7fdf390682b6e8f9059876964e84ba91\Common.ni.dll
+ 2012-02-19 11:18 . 2012-02-19 11:18 5003776 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\Agent\ed8ace262e5c42132fe3cb0d1907894d\Agent.ni.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
1980-01-01 05:00 . 2004-10-14 19:42 1404928 c:\program files\Analog Devices\Core\bak\smax4pnp.exe
.
2005-05-04 13:17 . 2003-09-04 01:12 221184 c:\program files\Intel\Modem Event Monitor\bak\IntelMEM.exe
.
2007-01-27 10:03 . 2006-11-09 20:07 49263 c:\program files\Java\jre1.5.0_10\bin\bak\jusched.exe
.
2004-03-19 04:29 . 2004-03-19 04:29 212992 c:\program files\Microsoft IntelliPoint\bak\point32.exe
2004-03-19 04:29 . 2004-03-19 04:29 212992 c:\program files\Microsoft IntelliPoint\point32.exe
.
2004-03-19 04:30 . 2004-03-19 04:30 184320 c:\program files\Microsoft IntelliType Pro\bak\type32.exe
2004-03-19 04:30 . 2004-03-19 04:30 184320 c:\program files\Microsoft IntelliType Pro\type32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-03-19 184320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-03-19 212992]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^mwalsh^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\mwalsh\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\111.exe]
c:\program files\LP\EF05\111.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2004-07-19 12:51 306688 ----a-w- c:\program files\Dell Support\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dplaysvr]
c:\documents and settings\mwalsh\Application Data\dplaysvr.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
c:\program files\Google\Google Talk\googletalk.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-12-14 00:10 1688872 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intel Driver]
csrs.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Security]
c:\documents and settings\All Users\Application Data\isecurity.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver AutoDB]
2004-09-10 04:06 1040384 ----a-w- c:\program files\iRiver\Service\MLService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
2004-09-07 23:09 212992 ----a-w- c:\program files\iRiver\Service\Updater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeApplet]
c:\documents and settings\mwalsh\Application Data\Media Player Classic\{165498BC-8DB8-4797-B336-162F81D41157}\renovator.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-04-17 02:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-12-03 19:21 2213160 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
c:\windows\system32\NeroCheck.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PocketCloud Location]
c:\program files\Wyse\PocketCloud Windows Companion\WyseBrowser.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
c:\program files\Real\RealPlayer\RealPlay.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RogersAgent]
c:\program files\Rogers\SelfHealing\rogersagent.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tvncontrol]
c:\program files\TightVNC\tvnserver.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
c:\program files\Veoh Networks\Veoh\VeohClient.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\mwalsh\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R2 npf;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [09-03-15 3:13 PM 34064]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys --> c:\windows\system32\DRIVERS\motfilt.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [11-06-02 10:08 AM 11336]
S3 MLFILEM;MLFILEM;c:\windows\SYSTEM32\DRIVERS\MLFILEM.SYS [05-05-12 9:31 PM 28160]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys --> c:\windows\system32\DRIVERS\Motousbnet.sys [?]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys --> c:\windows\system32\DRIVERS\motusbdevice.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
oem02dev
pctoolsfirewallplus
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp:/www.cnn.com
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
TCP: DhcpNameServer = 192.168.1.1 24.226.1.93 24.226.10.193
FF - ProfilePath - c:\documents and settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\
FF - prefs.js: browser.startup.homepage - www.cnn.com/index.html
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Last tab close button: last-tab-close-button@victor.sacharin - %profile%\extensions\last-tab-close-button@victor.sacharin
FF - Ext: vShare Plugin: vshare@toolbar - %profile%\extensions\vshare@toolbar
FF - Ext: Old Location Bar: {3205B348-523A-4fac-9BC4-9939CBF583B0} - %profile%\extensions\{3205B348-523A-4fac-9BC4-9939CBF583B0}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Vacuum Places Improved: VacuumPlacesImproved@lultimouomo-gmail.com - %profile%\extensions\VacuumPlacesImproved@lultimouomo-gmail.com
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: EPUBReader: {5384767E-00D9-40E9-B72F-9CC39D655D6F} - %profile%\extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-83863555.sys
SafeBoot-91657077.sys
AddRemove-HijackThis - c:\documents and settings\mwalsh\My Documents\HijackThis.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\mwalsh\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-19 21:26
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB33335$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1532)
c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\program files\SmartFTP Client\sfShellTools.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP Client\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Completion time: 2012-02-19 21:32:37 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-20 02:32
ComboFix2.txt 2012-02-19 11:10
ComboFix3.txt 2012-02-19 10:30
ComboFix4.txt 2010-11-10 18:48
ComboFix5.txt 2012-02-20 01:52
.
Pre-Run: 64,170,958,848 bytes free
Post-Run: 64,174,882,816 bytes free
.
- - End Of File - - F4C40D525677DBA343EB97D3FD0A9D89
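
Two things in the logs above reward a second look before any cleanup script is written: the "Reg Loading Points" section lists autostart entries whose targets are missing, sit in a user's profile directory, or carry a bare name that imitates a system binary (`csrs.exe`), and the Sigcheck block in the follow-up log lists copies of `tcpip.sys` that share a version number and byte size but not an MD5. The script below is an added example, not code from the original post, from ComboFix or from any tool the thread mentions; it applies those two checks to lines copied from the posted logs. The lookalike table, the list of user-writable locations and the "numeric file name" rule are this example's own heuristics, not ComboFix logic.

```python
"""Triage heuristics for ComboFix log text.

Added example for this thread, not the forum post's or ComboFix's code. The
sample lines are copied from the logs posted in this thread, shortened to the
entries the two checks need."""
import re
from collections import defaultdict

# A startupreg key line is followed by "<date> <size> <attrs> <path>" or "<path> [N/A]".
STARTUPREG_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\(?P<name>[^\]]+)\]$", re.I)
TARGET_PRESENT = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+\d+\s+\S+\s+(?P<path>.+)$")
TARGET_MISSING = re.compile(r"^(?P<path>.+?)\s+\[N/A\]$")
# Sigcheck line: "[flag] date . MD5 . size . . [version] . . path"
SIGCHECK = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+\S+\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)"
    r"\s+\.\s+\.\s+\[(?P<ver>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+)$")

# Heuristic inputs chosen for this example (assumptions, not ComboFix logic).
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")
LOOKALIKES = {"csrs.exe": "csrss.exe", "lsas.exe": "lsass.exe", "scvhost.exe": "svchost.exe"}


def assess_path(path):
    """Reasons an autostart target deserves a look; an empty list means nothing stood out."""
    p = path.strip().lower()
    base = p.rsplit("\\", 1)[-1]
    reasons = []
    if "\\" not in p:
        reasons.append("bare file name, found via the search path rather than a fixed location")
    if base in LOOKALIKES:
        reasons.append("name imitates the system binary " + LOOKALIKES[base])
    if any(marker in p for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable profile directory")
    if base.rsplit(".", 1)[0].isdigit():
        reasons.append("non-descriptive numeric file name")
    return reasons


def triage_autostarts(lines):
    """Return [(entry name, path, file present?, reasons)] for flagged startupreg entries."""
    findings = []
    for i, line in enumerate(lines[:-1]):
        key = STARTUPREG_KEY.match(line.strip())
        if not key:
            continue
        target = lines[i + 1].strip()
        present = TARGET_PRESENT.match(target)
        m = present or TARGET_MISSING.match(target)
        if not m:
            continue  # unexpected layout: skip rather than guess
        reasons = assess_path(m.group("path"))
        if reasons:
            findings.append((key.group("name"), m.group("path"), bool(present), reasons))
    return findings


def sigcheck_conflicts(lines):
    """Group Sigcheck lines by (file name, version, size) and return the groups holding
    more than one MD5: copies that claim the same build and byte size cannot all be the
    vendor's file, which is what a driver patched in place looks like."""
    groups = defaultdict(dict)  # (name, version, size) -> {md5: [paths]}
    for line in lines:
        m = SIGCHECK.match(line.strip())
        if not m:
            continue
        name = m.group("path").rsplit("\\", 1)[-1].lower()
        key = (name, m.group("ver"), int(m.group("size")))
        groups[key].setdefault(m.group("md5").upper(), []).append(m.group("path"))
    return {k: v for k, v in groups.items() if len(v) > 1}


# Sample input: lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOADING_POINTS = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\111.exe]
c:\program files\LP\EF05\111.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2004-07-19 12:51 306688 ----a-w- c:\program files\Dell Support\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dplaysvr]
c:\documents and settings\mwalsh\Application Data\dplaysvr.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
c:\program files\Google\Google Talk\googletalk.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intel Driver]
csrs.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Security]
c:\documents and settings\All Users\Application Data\isecurity.exe [N/A]
""".strip().splitlines()

SAMPLE_SIGCHECK = r"""
[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\SYSTEM32\DLLCACHE\tcpip.sys
[-] 2007-10-30 . D1E0A099360A7AC279D883B057AB58A5 . 360064 . . [5.1.2600.3244] . . c:\windows\SYSTEM32\DRIVERS\tcpip.sys
[-] 2007-06-04 . 27A5959C94EE173A063CA06BD14F021A . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2qfe\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2gdr\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
""".strip().splitlines()

if __name__ == "__main__":
    for name, path, present, reasons in triage_autostarts(SAMPLE_LOADING_POINTS):
        print("%-18s %-8s %s" % (name, "present" if present else "missing", "; ".join(reasons)))
    for (fname, ver, size), by_hash in sigcheck_conflicts(SAMPLE_SIGCHECK).items():
        print("%s %s (%d bytes) has %d different MD5s:" % (fname, ver, size, len(by_hash)))
        for md5, paths in by_hash.items():
            print("   ", md5, ", ".join(paths))
```

On the sample above the autostart check flags `111.exe`, `dplaysvr`, `Intel Driver` and `Internet Security` while leaving `DellSupport` and `googletalk` alone: a missing file by itself (`[N/A]`) is common for uninstalled software and is not treated as a signal. The Sigcheck check reports two groups of `tcpip.sys` copies, the running `DRIVERS` copy versus its `DLLCACHE` twin, and the two `$NtUninstall...$` backups of the 5.1.2600.2180 build, each pair sharing version and size but not hash. Differing sizes for one version, as with the sp2qfe and sp2gdr copies, are expected between hotfix branches and are not reported.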

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 19 February 2012 - 10:08 PM

Hi

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

AWF::
c:\program files\Analog Devices\Core\bak\smax4pnp.exe
c:\program files\Intel\Modem Event Monitor\bak\IntelMEM.exe

Folder::
c:\program files\Java\jre1.5.0_10\bin\bak
c:\program files\Microsoft IntelliPoint\bak
c:\program files\Microsoft IntelliType Pro\bak
c:\windows\$NtUninstallKB33335$

File::
c:\program files\LP\EF05\111.exe
c:\csrs.exe /s
c:\documents and settings\All Users\Application Data\isecurity.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\111.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intel Driver]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Security]

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT


  • Please open your Malwarebytes' Anti-Malware program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 confidoboyd

confidoboyd
  • Topic Starter

  • Members
  • 8 posts

Posted 20 February 2012 - 08:40 AM

Had to run the sequence a few times; various things kept getting messed up. Here are the latest results:


Combofix
----------
ComboFix 12-02-17.02 - mwalsh 12-02-20 6:36.11.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.309 [GMT -5:00]
Running from: c:\documents and settings\mwalsh\Desktop\ComboFix.exe
AV: AVG 7.5.516 *Enabled/Outdated* {41564737-3200-1071-989B-0000E87B4FB1}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB33335$
c:\windows\$NtUninstallKB33335$\2334026564
c:\windows\$NtUninstallKB33335$\3909839676\cfg.ini
c:\windows\$NtUninstallKB33335$\3909839676\Desktop.ini
c:\windows\$NtUninstallKB33335$\3909839676\U\00000001.@
c:\windows\$NtUninstallKB33335$\3909839676\U\00000002.@
c:\windows\$NtUninstallKB33335$\3909839676\U\00000004.@
c:\windows\$NtUninstallKB33335$\3909839676\U\80000000.@
c:\windows\$NtUninstallKB33335$\3909839676\U\80000004.@
c:\windows\$NtUninstallKB33335$\3909839676\U\80000032.@
c:\windows\$NtUninstallKB33335$\3909839676\version
.
c:\windows\system32\drivers\afd.sys was missing
Restored copy from - c:\windows\system32\dllcache\afd.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-01-20 to 2012-02-20 )))))))))))))))))))))))))))))))
.
.
2012-02-20 11:51 . 2004-02-10 16:50 155648 ----a-w- c:\windows\system32\igfxres.dll
2012-02-20 11:48 . 2004-08-04 10:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-20 11:48 . 2004-08-04 10:00 138496 ----a-w- c:\windows\system32\dllcache\afd.sys
2012-02-20 11:21 . 2004-08-04 04:15 64896 ----a-w- c:\windows\system32\drivers\serial.sys
2012-02-20 10:32 . 2004-08-04 10:00 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-02-20 06:35 . 2012-02-20 06:35 -------- d-----w- c:\program files\ESET
2012-02-20 06:11 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-20 01:11 . 2012-02-20 01:11 -------- d-----w- C:\_OTL
2012-02-19 23:12 . 2012-02-19 23:12 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-19 11:21 . 2012-02-19 11:21 -------- d-----w- c:\program files\SystemRequirementsLab
2012-02-19 11:20 . 2012-02-19 11:20 -------- d-----w- c:\documents and settings\mwalsh\Application Data\SystemRequirementsLab
2012-02-19 11:18 . 2012-02-19 11:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2012-02-19 11:17 . 2012-02-19 11:17 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2012-02-19 11:00 . 2004-08-04 10:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-19 09:57 . 2012-02-19 23:14 454400 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-02-19 02:10 . 2012-02-20 11:08 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-01-22 20:05 . 2012-01-22 20:05 -------- d-----w- c:\documents and settings\mwalsh\Application Data\Mozilla-Cache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-10 03:52 . 2012-01-10 03:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\SYSTEM32\DLLCACHE\tcpip.sys
[-] 2007-10-30 . D1E0A099360A7AC279D883B057AB58A5 . 360064 . . [5.1.2600.3244] . . c:\windows\SYSTEM32\DRIVERS\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2007-06-04 . 27A5959C94EE173A063CA06BD14F021A . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2qfe\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2gdr\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot_2012-02-20_02.26.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-20 11:22 . 2004-02-10 16:55 90112 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxzoom.exe
- 2007-05-31 22:27 . 2004-02-10 16:55 90112 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxzoom.exe
+ 2012-02-20 11:22 . 2004-02-10 16:55 94208 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxext.exe
- 2007-05-31 22:27 . 2004-02-10 16:55 94208 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxext.exe
+ 2012-02-20 11:22 . 2004-02-10 16:55 32768 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxexps.dll
- 2007-05-31 22:27 . 2004-02-10 16:55 32768 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxexps.dll
- 2007-05-31 22:27 . 2004-02-10 16:50 86016 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxdo.dll
+ 2012-02-20 11:22 . 2004-02-10 16:50 86016 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxdo.dll
- 2007-05-31 22:27 . 2004-02-10 16:53 45056 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxdgps.dll
+ 2012-02-20 11:22 . 2004-02-10 16:53 45056 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxdgps.dll
- 2007-05-31 22:27 . 2004-02-10 17:10 36415 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\ialmrnt5.dll
+ 2012-02-20 11:22 . 2004-02-10 17:10 36415 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\ialmrnt5.dll
+ 2012-02-20 11:22 . 2004-02-10 17:10 49152 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\ialmrem.dll
- 2007-05-31 22:27 . 2004-02-10 17:10 49152 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\ialmrem.dll
- 2007-05-31 22:27 . 2004-02-10 17:10 61440 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\iAlmCoIn.dll
+ 2012-02-20 11:22 . 2004-02-10 17:10 61440 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\iAlmCoIn.dll
+ 2004-03-06 03:13 . 2004-03-06 03:13 37048 c:\windows\SYSTEM32\DRIVERS\mohfilt.sys
+ 2004-06-16 03:52 . 2004-06-16 03:52 61157 c:\windows\SYSTEM32\DRIVERS\IntelC53.sys
+ 2012-02-20 11:21 . 2004-08-04 04:15 64896 c:\windows\SYSTEM32\DLLCACHE\serial.sys
- 2004-08-04 10:00 . 2004-08-04 10:00 64896 c:\windows\SYSTEM32\DLLCACHE\serial.sys
+ 2012-02-20 11:22 . 2004-02-10 16:55 155648 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxtray.exe
+ 2012-02-20 11:22 . 2004-02-10 16:51 339968 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxsrvc.dll
- 2007-05-31 22:27 . 2004-02-10 16:51 339968 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxsrvc.dll
- 2007-05-31 22:27 . 2004-02-10 16:50 880640 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxress.dll
+ 2012-02-20 11:22 . 2004-02-10 16:50 880640 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxress.dll
+ 2012-02-20 11:22 . 2004-02-10 16:55 225280 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxpph.dll
- 2007-05-31 22:27 . 2004-02-10 16:55 225280 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxpph.dll
+ 2012-02-20 11:22 . 2004-02-10 16:51 126976 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxhk.dll
- 2007-05-31 22:27 . 2004-02-10 16:51 126976 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxhk.dll
+ 2012-02-20 11:22 . 2004-02-10 16:54 221184 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxeud.dll
- 2007-05-31 22:27 . 2004-02-10 16:54 221184 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxeud.dll
- 2007-05-31 22:27 . 2004-02-10 16:53 151552 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxdiag.exe
+ 2012-02-20 11:22 . 2004-02-10 16:53 151552 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxdiag.exe
- 2007-05-31 22:27 . 2004-02-10 16:50 143360 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxdev.dll
+ 2012-02-20 11:22 . 2004-02-10 16:50 143360 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxdev.dll
- 2007-05-31 22:27 . 2004-02-10 16:53 462848 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxcfg.exe
+ 2012-02-20 11:22 . 2004-02-10 16:53 462848 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxcfg.exe
- 2007-05-31 22:27 . 2004-02-10 17:17 681469 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\ialmnt5.sys
+ 2012-02-20 11:22 . 2004-02-10 17:17 681469 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\ialmnt5.sys
- 2007-05-31 22:27 . 2004-02-10 17:09 471040 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\ialmgdev.dll
+ 2012-02-20 11:22 . 2004-02-10 17:09 471040 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\ialmgdev.dll
+ 2012-02-20 11:22 . 2004-02-10 17:10 103484 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\ialmdnt5.dll
- 2007-05-31 22:27 . 2004-02-10 17:10 103484 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\ialmdnt5.dll
+ 2012-02-20 11:22 . 2004-02-10 17:09 126651 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\ialmdev5.dll
- 2007-05-31 22:27 . 2004-02-10 17:09 126651 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\ialmdev5.dll
- 2007-05-31 22:27 . 2004-02-10 17:16 739387 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\ialmdd5.dll
+ 2012-02-20 11:22 . 2004-02-10 17:16 739387 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\ialmdd5.dll
+ 2012-02-20 11:22 . 2004-02-10 16:51 118784 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\hkcmd.exe
+ 2012-02-20 11:22 . 2004-02-10 16:50 118784 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\hccutils.dll
- 2007-05-31 22:27 . 2004-02-10 16:50 118784 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\hccutils.dll
+ 2004-03-06 03:15 . 2004-03-06 03:15 647929 c:\windows\SYSTEM32\DRIVERS\IntelC52.sys
+ 2004-02-10 17:17 . 2004-02-10 17:17 681469 c:\windows\SYSTEM32\DRIVERS\ialmnt5.sys
+ 2012-02-20 11:22 . 2004-02-10 17:07 2273280 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\ialmgicd.dll
- 2007-05-31 22:27 . 2004-02-10 17:07 2273280 c:\windows\SYSTEM32\ReinstallBackups\0010\DriverFiles\ialmgicd.dll
+ 2004-03-06 03:14 . 2004-03-06 03:14 1233525 c:\windows\SYSTEM32\DRIVERS\IntelC51.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-03-19 184320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-03-19 212992]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^mwalsh^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\mwalsh\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2004-07-19 12:51 306688 ----a-w- c:\program files\Dell Support\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dplaysvr]
c:\documents and settings\mwalsh\Application Data\dplaysvr.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
c:\program files\Google\Google Talk\googletalk.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-12-14 00:10 1688872 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver AutoDB]
2004-09-10 04:06 1040384 ----a-w- c:\program files\iRiver\Service\MLService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
2004-09-07 23:09 212992 ----a-w- c:\program files\iRiver\Service\Updater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeApplet]
c:\documents and settings\mwalsh\Application Data\Media Player Classic\{165498BC-8DB8-4797-B336-162F81D41157}\renovator.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-04-17 02:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-12-03 19:21 2213160 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
c:\windows\system32\NeroCheck.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PocketCloud Location]
c:\program files\Wyse\PocketCloud Windows Companion\WyseBrowser.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
c:\program files\Real\RealPlayer\RealPlay.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RogersAgent]
c:\program files\Rogers\SelfHealing\rogersagent.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tvncontrol]
c:\program files\TightVNC\tvnserver.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
c:\program files\Veoh Networks\Veoh\VeohClient.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\mwalsh\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12-02-20 1:11 AM 652360]
R2 npf;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [09-03-15 3:13 PM 34064]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [12-02-20 1:11 AM 20464]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys --> c:\windows\system32\DRIVERS\motfilt.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [11-06-02 10:08 AM 11336]
S3 MLFILEM;MLFILEM;c:\windows\SYSTEM32\DRIVERS\MLFILEM.SYS [05-05-12 9:31 PM 28160]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys --> c:\windows\system32\DRIVERS\Motousbnet.sys [?]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys --> c:\windows\system32\DRIVERS\motusbdevice.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
oem02dev
hsxhwazl
SQTECH9080
NdisFilt
pctoolsfirewallplus
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp:/www.cnn.com
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
TCP: DhcpNameServer = 192.168.1.1 24.226.1.93 24.226.10.193
FF - ProfilePath - c:\documents and settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\
FF - prefs.js: browser.startup.homepage - www.cnn.com/index.html
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Last tab close button: last-tab-close-button@victor.sacharin - %profile%\extensions\last-tab-close-button@victor.sacharin
FF - Ext: vShare Plugin: vshare@toolbar - %profile%\extensions\vshare@toolbar
FF - Ext: Old Location Bar: {3205B348-523A-4fac-9BC4-9939CBF583B0} - %profile%\extensions\{3205B348-523A-4fac-9BC4-9939CBF583B0}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Vacuum Places Improved: VacuumPlacesImproved@lultimouomo-gmail.com - %profile%\extensions\VacuumPlacesImproved@lultimouomo-gmail.com
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: EPUBReader: {5384767E-00D9-40E9-B72F-9CC39D655D6F} - %profile%\extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-20 06:51
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(828)
c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\program files\SmartFTP Client\sfShellTools.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP Client\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Completion time: 2012-02-20 06:57:38 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-20 11:57
ComboFix2.txt 2012-02-20 10:59
ComboFix3.txt 2012-02-20 06:08
ComboFix4.txt 2012-02-20 02:32
ComboFix5.txt 2012-02-20 11:24
.
Pre-Run: 63,472,328,704 bytes free
Post-Run: 63,476,834,304 bytes free
.
- - End Of File - - 3D2683221163EA063130FD4948E5FAF9

MalwareBytes
-------------
Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.20.01

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 7.0.5730.13
mwalsh :: MWALSH [administrator]

Protection: Enabled

12-02-20 7:07:02 AM
mbam-log-2012-02-20 (07-07-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 203252
Time elapsed: 8 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ESET
----

C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Win32/Olmarik.AJL trojan
C:\Qoobox\Quarantine\[4]-Submit_2010-11-12_12.42.55.zip multiple threats
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Mcn4yJk6.exe.vir Win32/TrojanClicker.Agent.NEB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Mcn4yJk6.exe_.vir Win32/TrojanClicker.Agent.NEB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\mwalsh\Application Data\Sun\Java\Deployment\cache\6.0\20\60c48694-2f0cd4f9.vir probably a variant of Java/TrojanDownloader.Agent.AB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\mwalsh\Application Data\Sun\Java\Deployment\cache\6.0\3\3fa74f43-58e5ccb6.vir probably a variant of Java/TrojanDownloader.Agent.AB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\mwalsh\Local Settings\Application Data\{BBF2F2E9-162E-4854-993D-4FB6AA2A4179}\chrome\content\overlay.xul.vir probably a variant of Win32/Agent.NVQFFQI trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir Win32/PrcView application
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\AFD.SYS.vir a variant of Win32/Sirefef.DA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ipsec.sys.vir a variant of Win32/Sirefef.DA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\mrxsmb.sys.vir a variant of Win32/Rootkit.Kryptik.JM trojan
C:\TDSSKiller_Quarantine\19.02.2012_18.11.32\rtkt0000\svc0000\tsk0000.dta a variant of Win32/Sirefef.DA trojan
C:\TDSSKiller_Quarantine\19.02.2012_18.59.30\rtkt0000\svc0000\tsk0000.dta a variant of Win32/Sirefef.DA trojan
C:\_OTL\MovedFiles\02192012_204857\C_WINDOWS\SYSTEM32\3c1807pd.dll probably a variant of Win32/Sirefef.ER trojan
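
The OTL and ComboFix output posted above carries three line shapes a responder has to read by eye: `SRV`/`DRV` entries whose binary is "File not found", `O20` Winlogon `Shell`/`UserInit` values, and the svchost `NetSvcs` group members. The script below is an added example (not from this thread, and not part of OTL or ComboFix) that parses those shapes and lists the entries worth acting on: registered services and drivers with no backing file, Winlogon values that are not the XP defaults (`Explorer.exe` and `userinit.exe`), and netsvcs members that are neither in the stock XP SP2 netsvcs list nor backed by a service. The sample lines are constructed to match the formats shown in the logs above, and the XP SP2 netsvcs baseline is an assumption recalled from stock installs. Everything it flags is a review list, not a delete list: ComboFix's own `catchme` driver, for instance, shows up as an orphan in the same log.

```python
"""Triage helper for OTL-style log lines (added example, not part of the
thread or of OTL/ComboFix). It parses the line shapes that carry the
persistence findings in the logs above and reports entries whose backing
file is missing or whose value is not the Windows default."""
import re
from typing import List

# Default members of the XP SP2 svchost 'netsvcs' group. Assumed baseline:
# a name outside this set that also has no service behind it is worth a look.
NETSVCS_BASELINE = {
    name.lower() for name in (
        "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer",
        "DHCP", "ERSvc", "EventSystem", "FastUserSwitchingCompatibility",
        "HidServ", "Ias", "Iprip", "Irmon", "LanmanServer",
        "LanmanWorkstation", "Messenger", "Netman", "Nla", "Ntmssvc",
        "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman", "Remoteaccess",
        "Schedule", "Seclogon", "SENS", "Sharedaccess", "SRService",
        "Tapisrv", "Themes", "TrkWks", "W32Time", "WZCSVC", "Wmi",
        "WmdmPmSp", "winmgmt", "wscsvc", "xmlprov", "BITS", "wuauserv",
        "ShellHWDetection", "helpsvc", "uploadmgr", "WmdmPmSN",
    )
}

# "SRV - File not found [Auto | Stopped] -- -- (name)" or
# "DRV - [date | size | attrs | M] (Company) [Kernel | Auto | Running] -- path -- (name)"
SERVICE_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - (?P<info>File not found|\[[^\]]*\](?: \([^)]*\))?) "
    r"\[(?P<flags>[^\]]*)\] -- (?P<path>.*?) ?-- \((?P<name>[^)]+)\)$"
)
# "O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)"
WINLOGON_RE = re.compile(
    r"^O20 - (?P<hive>\S+) Winlogon: (?P<value>\w+) - \((?P<configured>[^)]*)\) - (?P<resolved>.*)$"
)
# "NetSvcs: name - File not found"
NETSVCS_RE = re.compile(r"^NetSvcs: (?P<name>\S+) - (?P<status>.*)$")

# Stock XP values, compared by file name so "Explorer.exe" and a full path both pass.
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": "userinit.exe"}


def parse_services(text: str) -> List[dict]:
    """One record per SRV/DRV line; 'path' is empty when the binary is missing."""
    records = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["file_found"] = rec["info"] != "File not found"
            records.append(rec)
    return records


def parse_winlogon(text: str) -> List[dict]:
    """One record per O20 Shell/UserInit line (Notify entries use a different shape and are skipped)."""
    records = []
    for line in text.splitlines():
        m = WINLOGON_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["file_found"] = rec["resolved"] != "File not found"
            basename = rec["configured"].rsplit("\\", 1)[-1].lower()
            rec["is_default"] = basename == WINLOGON_DEFAULTS.get(rec["value"].lower())
            records.append(rec)
    return records


def parse_netsvcs(text: str) -> List[dict]:
    """One record per NetSvcs line, tagged with whether the name is a stock XP member."""
    records = []
    for line in text.splitlines():
        m = NETSVCS_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["file_found"] = rec["status"] != "File not found"
            rec["in_baseline"] = rec["name"].lower() in NETSVCS_BASELINE
            records.append(rec)
    return records


def triage(text: str) -> List[str]:
    """Findings a responder would review, as plain strings (a review list, not a delete list)."""
    findings = []
    for s in parse_services(text):
        if not s["file_found"]:
            findings.append(f"orphan {s['kind']} {s['name']}: registered [{s['flags']}] but binary missing")
    for w in parse_winlogon(text):
        if not w["is_default"] or not w["file_found"]:
            state = "present" if w["file_found"] else "missing"
            findings.append(f"non-default Winlogon {w['value']} in {w['hive']}: {w['configured']} ({state})")
    for n in parse_netsvcs(text):
        if not n["in_baseline"] and not n["file_found"]:
            findings.append(f"netsvcs member {n['name']} is not an XP default and has no service: review")
    return findings


# Constructed sample, modelled on the line formats in the OTL log above.
SAMPLE_LOG = r"""
SRV - File not found [Auto | Stopped] -- -- (SQTECH9080)
SRV - File not found [Auto | Stopped] -- -- (hsxhwazl)
SRV - [2012-01-13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2011-06-02 10:08:34 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\SYSTEM32\USERINIT.EXE (Microsoft Corporation)
O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Documents and Settings\LocalService\Application Data\hotfix.exe) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
NetSvcs: 6to4 - File not found
NetSvcs: iprip - File not found
NetSvcs: hsxhwazl - File not found
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample it flags the two orphan services and the orphan `catchme` driver, the `.DEFAULT` Shell pointing at a missing `hotfix.exe`, and `hsxhwazl` as a non-default netsvcs member with no service, while leaving `6to4` and `iprip` (stock members that are normally absent on XP Home) and the intact `MBAMService` alone. The per-user Shell finding is the one that matters most: a Shell value under `HKU\.DEFAULT` or a user SID is honoured in place of `Explorer.exe` for that logon, so a non-default entry there is persistence even when the file it names is already gone.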

#8 CatByte

  • Malware Response Team
  • Location:Canada

Posted 20 February 2012 - 09:24 AM

That looks better, what issues did you run into?

Please re-run OTL with the same custom scan as I requested here

http://www.bleepingcomputer.com/forums/topic443314.html/page__view__findpost__p__2603778


NEXT

Your Java is out of date.
Java™ 6 Update 22 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; follow the prompts.



How is the system running now? Any outstanding issues?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 confidoboyd

  • Topic Starter
  • Members

Posted 20 February 2012 - 10:00 AM

The problems were drivers getting corrupted during the scans, but they'd work themselves out by rerunning the scans.

Everything seems OK now; I haven't noticed anything yet.

Again, it only gave me the one output log. It's here:


OTL logfile created on: 12-02-20 9:33:30 AM - Run 4
OTL by OldTimer - Version 3.2.33.0 Folder = C:\Documents and Settings\mwalsh\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yy-MM-dd

509.98 Mb Total Physical Memory | 259.86 Mb Available Physical Memory | 50.95% Memory free
1.22 Gb Paging File | 0.98 Gb Available in Paging File | 80.10% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.43 Gb Total Space | 59.12 Gb Free Space | 82.77% Space Free | Partition Type: NTFS
Drive D: | 678.80 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: MWALSH | User Name: mwalsh | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012-02-19 18:17:45 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\mwalsh\Desktop\OTL.exe
PRC - [2012-01-13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2007-06-13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (SQTECH9080)
SRV - File not found [Auto | Stopped] -- -- (pctoolsfirewallplus)
SRV - File not found [Auto | Stopped] -- -- (OEM02Dev)
SRV - File not found [Auto | Stopped] -- -- (NdisFilt)
SRV - File not found [Auto | Stopped] -- -- (hsxhwazl)
SRV - File not found [Auto | Stopped] -- -- (AVGEMS)
SRV - File not found [Auto | Stopped] -- -- (Avg7UpdSvc)
SRV - File not found [Auto | Stopped] -- -- (Avg7Alrt)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2012-01-13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2011-12-10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys -- (MBAMProtector)
DRV - [2011-06-02 10:08:34 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2009-03-15 15:13:10 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\npf.sys -- (npf)
DRV - [2007-12-27 16:19:26 | 000,010,760 | ---- | M] (GRISOFT, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgclean.sys -- (AvgClean)
DRV - [2007-10-27 15:49:19 | 000,821,856 | ---- | M] (GRISOFT, s.r.o.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\Drivers\avg7core.sys -- (Avg7Core)
DRV - [2007-03-12 22:46:07 | 000,004,960 | ---- | M] (GRISOFT, s.r.o.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\Drivers\avgtdi.sys -- (AvgTdi)
DRV - [2007-03-12 22:46:06 | 000,027,776 | ---- | M] (GRISOFT, s.r.o.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\Drivers\avg7rsxp.sys -- (Avg7RsXP)
DRV - [2007-03-12 22:46:05 | 000,004,224 | ---- | M] (GRISOFT, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avg7rsw.sys -- (Avg7RsW)
DRV - [2006-06-21 10:47:36 | 000,015,488 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\tbhsd.sys -- (tbhsd)
DRV - [2004-09-17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\senfilt.sys -- (senfilt)
DRV - [2004-09-07 17:38:09 | 000,028,160 | ---- | M] (Moodlogic Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\MLFILEM.SYS -- (MLFILEM)
DRV - [2004-08-04 05:00:00 | 000,088,448 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\NWLNKIPX.SYS -- (NwlnkIpx)
DRV - [2004-08-04 05:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\NWLNKNB.SYS -- (NwlnkNb)
DRV - [2004-08-04 05:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\NWLNKSPX.SYS -- (NwlnkSpx)
DRV - [2004-06-15 22:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys -- (IntelC53)
DRV - [2004-03-05 22:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys -- (IntelC52)
DRV - [2004-03-05 22:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys -- (IntelC51)
DRV - [2004-03-05 22:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mohfilt.sys -- (mohfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm

IE - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http:/www.cnn.com
IE - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.startup.homepage: "www.cnn.com/index.html"
FF - prefs.js..extensions.enabledItems: firefox@tvunetworks.com:2
FF - prefs.js..extensions.enabledItems: 4
FF - prefs.js..extensions.enabledItems: 9
FF - prefs.js..extensions.enabledItems: 1
FF - prefs.js..extensions.enabledItems: last-tab-close-button@victor.sacharin:0.3.4
FF - prefs.js..extensions.enabledItems: {3205B348-523A-4fac-9BC4-9939CBF583B0}:2.1.6
FF - prefs.js..extensions.enabledItems: vshare@toolbar:1.0.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.9
FF - prefs.js..extensions.enabledItems: VacuumPlacesImproved@lultimouomo-gmail.com:1.2
FF - prefs.js..extensions.enabledItems: LogMeInClient@logmein.com:1.0.0.652
FF - prefs.js..extensions.enabledItems: {5384767E-00D9-40E9-B72F-9CC39D655D6F}:1.4.1.1

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Content Upload Plugin,version=1.0.0: C:\Program Files\DivX\DivX Content Uploader\npUpload.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.17: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.17: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll File not found
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{5CF93A1E-CB0A-4FA6-9B75-FCDB7C2BBECA}: C:\Documents and Settings\mwalsh\Local Settings\Application Data\{5CF93A1E-CB0A-4FA6-9B75-FCDB7C2BBECA}
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBF2F2E9-162E-4854-993D-4FB6AA2A4179}: C:\Documents and Settings\mwalsh\Local Settings\Application Data\{BBF2F2E9-162E-4854-993D-4FB6AA2A4179}
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011-02-04 16:44:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011-02-01 16:58:16 | 000,000,000 | ---D | M]

[2008-08-27 13:47:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Extensions
[2012-02-19 04:37:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions
[2011-07-04 21:41:49 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2011-07-04 21:41:51 | 000,000,000 | ---D | M] (Old Location Bar) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\{3205B348-523A-4fac-9BC4-9939CBF583B0}
[2012-02-13 20:07:52 | 000,000,000 | ---D | M] (EPUBReader) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F}
[2011-07-04 21:41:51 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2011-07-04 21:41:50 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011-07-04 21:41:50 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2008-07-20 20:41:30 | 000,000,000 | ---D | M] (ConquerTell) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\conquertell@jonducrou
[2010-08-17 16:41:06 | 000,000,000 | ---D | M] (TVU Web Player) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\firefox@tvunetworks.com
[2011-07-04 21:41:51 | 000,000,000 | ---D | M] (Last tab close button) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\last-tab-close-button@victor.sacharin
[2011-04-26 00:53:22 | 000,000,000 | ---D | M] (LogMeIn, Inc. Remote Access Plugin) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\LogMeInClient@logmein.com
[2011-02-05 12:22:34 | 000,000,000 | ---D | M] (Vacuum Places Improved) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\VacuumPlacesImproved@lultimouomo-gmail.com
[2010-08-28 21:36:16 | 000,000,000 | ---D | M] (vShare Plugin) -- C:\Documents and Settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\extensions\vshare@toolbar
[2012-02-18 19:49:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011-01-03 17:17:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011-01-03 17:17:30 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010-11-10 19:00:50 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2005-12-05 21:31:00 | 000,114,688 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npmozax.dll
[2007-08-20 22:20:28 | 000,159,744 | ---- | M] (CNN) -- C:\Program Files\mozilla firefox\plugins\NPTURNMED.dll

O1 HOSTS File: ([2012-02-20 06:50:45 | 000,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\NARRATOR.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\NARRATOR.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O7 - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1827929367-3642598413-85638485-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\SYSTEM32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 24.226.1.93 24.226.10.193
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D2F5E465-9871-47AD-A9A4-1862BDF782B9}: DhcpNameServer = 192.168.1.1 24.226.1.93 24.226.10.193
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\SYSTEM32\USERINIT.EXE (Microsoft Corporation)
O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Documents and Settings\LocalService\Application Data\hotfix.exe) - File not found
O20 - HKU\S-1-5-18 Winlogon: Shell - (C:\Documents and Settings\LocalService\Application Data\hotfix.exe) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper:
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004-08-10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: appmgmt - File not found
NetSvcs: ias - File not found
NetSvcs: iprip - File not found
NetSvcs: irmon - File not found
NetSvcs: nwcworkstation - File not found
NetSvcs: nwsapagent - File not found
NetSvcs: oem02dev - File not found
NetSvcs: hsxhwazl - File not found
NetSvcs: SQTECH9080 - File not found
NetSvcs: NdisFilt - File not found
NetSvcs: pctoolsfirewallplus - File not found
NetSvcs: wmdmpmsp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012-02-20 09:33:27 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012-02-20 06:57:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012-02-20 01:35:06 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012-02-20 01:34:52 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\mwalsh\Desktop\esetsmartinstaller_enu.exe
[2012-02-20 01:11:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012-02-20 01:11:36 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012-02-20 01:11:01 | 009,502,424 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\mwalsh\Desktop\mbam-setup-1.60.1.1000.exe
[2012-02-19 20:52:03 | 000,000,000 | R--D | C] -- C:\Documents and Settings\mwalsh\My Documents\My Videos
[2012-02-19 20:52:03 | 000,000,000 | R--D | C] -- C:\Documents and Settings\mwalsh\My Documents\My Pictures
[2012-02-19 20:52:03 | 000,000,000 | R--D | C] -- C:\Documents and Settings\mwalsh\My Documents\My Music
[2012-02-19 20:11:36 | 000,000,000 | ---D | C] -- C:\_OTL
[2012-02-19 19:32:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\mwalsh\Desktop\New Folder
[2012-02-19 18:17:43 | 000,583,680 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\mwalsh\Desktop\OTL.exe
[2012-02-19 18:12:55 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012-02-19 18:11:27 | 002,060,336 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\mwalsh\Desktop\TDSSKiller.exe
[2012-02-19 18:10:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\mwalsh\My Documents\Downloads
[2012-02-19 06:21:05 | 000,000,000 | ---D | C] -- C:\Program Files\SystemRequirementsLab
[2012-02-19 06:20:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\mwalsh\Application Data\SystemRequirementsLab
[2012-02-19 06:18:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2012-02-19 06:17:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Driver Detective
[2012-02-19 06:17:37 | 000,000,000 | ---D | C] -- C:\Program Files\PC Drivers HeadQuarters
[2012-02-19 04:38:17 | 004,406,994 | R--- | C] (Swearware) -- C:\Documents and Settings\mwalsh\Desktop\ComboFix.exe
[2012-01-22 15:05:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\mwalsh\Application Data\Mozilla-Cache
[2012-01-22 15:04:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\mwalsh\Start Menu\Programs\PartyPoker
[2012-01-22 15:04:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\mwalsh\Start Menu\Programs\Games

========== Files - Modified Within 30 Days ==========

[2012-02-20 06:50:45 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts
[2012-02-20 06:50:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2012-02-20 06:49:59 | 534,827,008 | -HS- | M] () -- C:\hiberfil.sys
[2012-02-20 06:08:30 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012-02-20 04:24:14 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012-02-20 01:34:52 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\mwalsh\Desktop\esetsmartinstaller_enu.exe
[2012-02-20 01:11:40 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012-02-20 01:11:08 | 009,502,424 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\mwalsh\Desktop\mbam-setup-1.60.1.1000.exe
[2012-02-19 23:39:02 | 366,991,856 | ---- | M] () -- C:\Documents and Settings\mwalsh\Desktop\The.Walking.Dead.S02E09.HDTV.XviD-ASAP.[VTV].avi
[2012-02-19 23:29:06 | 000,148,992 | ---- | M] () -- C:\Documents and Settings\mwalsh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012-02-19 18:17:45 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\mwalsh\Desktop\OTL.exe
[2012-02-19 15:08:43 | 000,219,248 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012-02-19 06:21:12 | 000,000,444 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2012-02-19 04:38:21 | 004,406,994 | R--- | M] (Swearware) -- C:\Documents and Settings\mwalsh\Desktop\ComboFix.exe
[2012-02-18 22:34:34 | 000,000,327 | RHS- | M] () -- C:\BOOT.INI
[2012-02-17 17:23:38 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2012-02-15 19:34:16 | 002,060,336 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\mwalsh\Desktop\TDSSKiller.exe
[2012-01-22 15:04:37 | 000,001,668 | ---- | M] () -- C:\Documents and Settings\mwalsh\Application Data\Microsoft\Internet Explorer\Quick Launch\PartyPoker.lnk

========== Files Created - No Company Name ==========

[2012-02-20 06:35:32 | 534,827,008 | -HS- | C] () -- C:\hiberfil.sys
[2012-02-20 01:11:40 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012-02-19 23:19:50 | 366,991,856 | ---- | C] () -- C:\Documents and Settings\mwalsh\Desktop\The.Walking.Dead.S02E09.HDTV.XviD-ASAP.[VTV].avi
[2012-02-19 06:21:12 | 000,000,444 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2012-02-18 22:32:14 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012-02-18 21:10:04 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012-01-22 15:04:37 | 000,001,668 | ---- | C] () -- C:\Documents and Settings\mwalsh\Application Data\Microsoft\Internet Explorer\Quick Launch\PartyPoker.lnk
[2010-12-31 16:52:25 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2010-11-26 19:20:35 | 000,059,032 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010-11-08 23:08:09 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010-11-08 23:08:09 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010-11-08 23:08:09 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010-11-08 23:08:09 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010-11-08 23:08:09 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2008-04-29 19:07:08 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\mwalsh\Local Settings\Application Data\fusioncache.dat
[2008-01-27 09:10:08 | 000,012,346 | ---- | C] () -- C:\Documents and Settings\mwalsh\Application Data\ShortcutSettings.xml
[2005-11-04 23:05:18 | 000,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005-05-21 20:55:02 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\mwalsh\Application Data\sversion.ini
[2005-05-12 19:42:20 | 000,148,992 | ---- | C] () -- C:\Documents and Settings\mwalsh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== LOP Check ==========

[2007-03-12 22:47:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avg7
[2005-05-04 08:17:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2011-04-26 00:57:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2010-04-20 22:15:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MGS
[2005-05-12 22:06:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MoodLogic
[2011-04-12 00:41:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Motorola
[2006-03-19 18:56:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2012-02-19 06:18:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2005-06-26 22:36:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010-12-31 17:06:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Western Digital
[2011-01-18 21:10:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2007-03-12 22:46:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AVG7
[2011-04-04 01:22:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\TightVNC
[2006-11-15 22:35:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\Aim
[2009-03-31 22:19:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\AVG7
[2009-01-06 07:24:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\deskUNPDF
[2012-02-18 18:18:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\Dropbox
[2009-03-31 22:28:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\gtk-2.0
[2007-04-06 13:32:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\Microgaming
[2008-08-27 21:36:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\NewsComponents
[2006-02-19 16:12:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\Registry Defender
[2011-01-03 17:17:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\RssBandit
[2012-02-19 06:20:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\SystemRequirementsLab
[2006-10-16 22:38:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\tunebite
[2007-05-30 12:03:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\Uniblue
[2012-02-19 23:51:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mwalsh\Application Data\uTorrent

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2007-06-13 06:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007-06-13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\erdnt\cache\explorer.exe
[2007-06-13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\explorer.exe
[2007-06-13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe
[2004-08-04 05:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

< MD5 for: SVCHOST.EXE >
[2012-01-13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2004-08-04 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\I386\SVCHOST.EXE
[2010-03-08 17:45:09 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\erdnt\cache\SVCHOST.EXE
[2010-03-08 17:45:09 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\SYSTEM32\DLLCACHE\svchost.exe
[2010-03-08 17:45:09 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\SYSTEM32\SVCHOST.EXE

< MD5 for: USERINIT.EXE >
[2004-08-04 05:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\I386\USERINIT.EXE
[2004-08-04 05:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\erdnt\cache\USERINIT.EXE
[2004-08-04 05:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\SYSTEM32\DLLCACHE\userinit.exe
[2004-08-04 05:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\SYSTEM32\USERINIT.EXE

< MD5 for: WINLOGON.EXE >
[2004-08-04 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\I386\WINLOGON.EXE
[2004-08-04 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\erdnt\cache\WINLOGON.EXE
[2004-08-04 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\SYSTEM32\DLLCACHE\winlogon.exe
[2004-08-04 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\SYSTEM32\WINLOGON.EXE
[2012-01-13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe

< %systemroot%\*. /rp /s >

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\ASSEMBLY\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 -> Junction
[C:\WINDOWS\ASSEMBLY\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e -> Junction

< End of report >

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:34 PM

Posted 20 February 2012 - 10:12 AM

The log looks good,

we just have some cleanup to do now



You can delete the TDSSKiller and DDS logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



NEXT

Clean up with OTL:
  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean.
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 confidoboyd

confidoboyd
  • Topic Starter

  • Members
  • 8 posts
  • Local time:10:34 PM

Posted 20 February 2012 - 10:15 AM

Malwarebytes is still blocking malicious IPs, just started getting pop ups again.

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:34 PM

Posted 20 February 2012 - 10:21 AM

please run the following:

Please download Listparts
Run the tool,
check the "list BCD" box

click "Scan" and post the log (Result.txt) it makes.

next please download a fresh copy of ComboFix and run it

Link 1

something must still be hidden that is respawning this infection


please also reset your router in case the infection is in the router and not on your PC

Reset your Router:

  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don’t know the router's default password, you can look it up. HERE
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

NEXT

  • Go to Start > Run > type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns (note the space between “..g /f…” it needs to be there)
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
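A defender-side triage of the logs pasted in this thread, as an added example (it is not code from the thread, from ComboFix or from OTL). It does two things a helper otherwise does by eye: it groups the ComboFix Sigcheck lines by file name, version and size and flags any group whose copies carry different MD5 hashes (in the user's later log, the tcpip.sys in system32\drivers hashes differently from the dllcache copy of the same version and size, which is worth a closer look), and it compares the DhcpNameServer entries from the O17 / TCP: lines against the resolvers the network is supposed to hand out, which is the router check CatByte asks for. The expected-resolver set and the rogue-resolver line are assumptions constructed for the example; the other log lines are copied from this thread.

```python
"""Triage helpers for the ComboFix and OTL log lines pasted in this thread.

Added example; not code from the thread, from ComboFix or from OTL. It runs
two checks a helper would otherwise do by eye:
  1. Sigcheck lines: group copies of a file by name, version and size and
     flag any group whose copies carry different MD5 hashes.
  2. DhcpNameServer lines (OTL O17 / ComboFix TCP:): list resolvers that are
     not the ones the network is supposed to hand out.
"""
import re
from collections import defaultdict

# Lines copied from the ComboFix "Sigcheck" section posted in this thread.
SIGCHECK_LINES = r"""
[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\SYSTEM32\DLLCACHE\tcpip.sys
[-] 2007-10-30 . D1E0A099360A7AC279D883B057AB58A5 . 360064 . . [5.1.2600.3244] . . c:\windows\SYSTEM32\DRIVERS\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2007-06-04 . 27A5959C94EE173A063CA06BD14F021A . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
""".strip().splitlines()

# Lines copied from the OTL (O17) and ComboFix (TCP:) logs posted in this thread.
DNS_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 24.226.1.93 24.226.10.193",
    "TCP: DhcpNameServer = 192.168.1.1 24.226.1.93 24.226.10.193",
]
# Assumption for this example: the router plus these two ISP resolvers are what
# the ISP confirms the network should use (the check CatByte asks the user to make).
EXPECTED_DNS = {"192.168.1.1", "24.226.1.93", "24.226.10.193"}
# Constructed line, not from the thread: what a router handing out a rogue
# resolver would look like. 203.0.113.5 is a reserved documentation address.
ROGUE_DNS_LINES = ["TCP: DhcpNameServer = 192.168.1.1 203.0.113.5"]

SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\] (?P<date>\S+) \. (?P<md5>[0-9A-Fa-f]{32}) \. (?P<size>\d+)"
    r" \. \. \[(?P<version>[^\]]+)\] \. \. (?P<path>.+)$"
)
DNS_RE = re.compile(r"DhcpNameServer\s*=\s*(?P<servers>[\d. ]+)$")


def parse_sigcheck(lines):
    """Yield one dict per line in Sigcheck layout; lines in any other layout are skipped."""
    for line in lines:
        m = SIGCHECK_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            rec["file"] = rec["path"].rsplit("\\", 1)[-1].lower()
            yield rec


def find_hash_mismatches(lines):
    """Return the (file, version, size) groups whose copies have more than one MD5.

    Copies of a Windows file with the same version string and byte size should be
    identical, so a differing hash on the copy in use (system32\\drivers) against the
    dllcache or hotfix backup is worth a closer look.
    """
    groups = defaultdict(dict)  # (file, version, size) -> {md5: [paths]}
    for rec in parse_sigcheck(lines):
        key = (rec["file"], rec["version"], rec["size"])
        groups[key].setdefault(rec["md5"], []).append(rec["path"])
    return [
        {"file": name, "version": version, "size": size, "hashes": by_hash}
        for (name, version, size), by_hash in sorted(groups.items())
        if len(by_hash) > 1
    ]


def dhcp_name_servers(lines):
    """Collect every resolver address named on DhcpNameServer lines."""
    servers = set()
    for line in lines:
        m = DNS_RE.search(line.strip())
        if m:
            servers.update(m.group("servers").split())
    return servers


def unexpected_dns_servers(lines, expected):
    """Sorted list of handed-out resolvers that are not on the expected list."""
    return sorted(dhcp_name_servers(lines) - set(expected))


if __name__ == "__main__":
    for finding in find_hash_mismatches(SIGCHECK_LINES):
        print(f"{finding['file']} {finding['version']} ({finding['size']} bytes): "
              f"{len(finding['hashes'])} different hashes")
        for md5, paths in finding["hashes"].items():
            print(f"  {md5}  {', '.join(paths)}")
    print("unexpected resolvers, thread logs:", unexpected_dns_servers(DNS_LINES, EXPECTED_DNS))
    print("unexpected resolvers, constructed line:", unexpected_dns_servers(ROGUE_DNS_LINES, EXPECTED_DNS))
```

Run against the thread's own lines the hash check reports one group (tcpip.sys 5.1.2600.3244, 360064 bytes, two hashes) and the DNS check reports nothing, because the resolvers match the expected set; only the constructed rogue line makes the DNS check fire. ComboFix's own `[7]` / `[-]` markers are kept in the parsed record but not interpreted, since the log itself warns that unsigned files aren't necessarily malware.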


#13 confidoboyd

confidoboyd
  • Topic Starter

  • Members
  • 8 posts
  • Local time:10:34 PM

Posted 20 February 2012 - 10:56 AM

Ok, Combofix didn't seem to detect anything this time, it didn't require a restart at all. Here are the two logs:


Cfix
-------
ComboFix 12-02-19.02 - mwalsh 12-02-20 10:35:05.12.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.244 [GMT -5:00]
Running from: c:\documents and settings\mwalsh\Desktop\ComboFix.exe
AV: AVG 7.5.516 *Enabled/Outdated* {41564737-3200-1071-989B-0000E87B4FB1}
.
.
((((((((((((((((((((((((( Files Created from 2012-01-20 to 2012-02-20 )))))))))))))))))))))))))))))))
.
.
2012-02-20 11:51 . 2004-02-10 16:50 155648 ----a-w- c:\windows\system32\igfxres.dll
2012-02-20 11:48 . 2004-08-04 10:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-20 11:48 . 2004-08-04 10:00 138496 ----a-w- c:\windows\system32\dllcache\afd.sys
2012-02-20 11:21 . 2004-08-04 04:15 64896 ----a-w- c:\windows\system32\drivers\serial.sys
2012-02-20 11:21 . 2004-08-04 04:15 64896 ----a-w- c:\windows\system32\dllcache\serial.sys
2012-02-20 10:32 . 2004-08-04 10:00 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-02-20 06:35 . 2012-02-20 06:35 -------- d-----w- c:\program files\ESET
2012-02-20 06:11 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-20 01:11 . 2012-02-20 01:11 -------- d-----w- C:\_OTL
2012-02-19 23:12 . 2012-02-19 23:12 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-19 11:21 . 2012-02-19 11:21 -------- d-----w- c:\program files\SystemRequirementsLab
2012-02-19 11:20 . 2012-02-19 11:20 -------- d-----w- c:\documents and settings\mwalsh\Application Data\SystemRequirementsLab
2012-02-19 11:18 . 2012-02-19 11:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2012-02-19 11:17 . 2012-02-19 11:17 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2012-02-19 11:00 . 2004-08-04 10:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-19 09:57 . 2012-02-19 23:14 454400 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-02-19 02:10 . 2012-02-20 11:08 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-01-22 20:05 . 2012-01-22 20:05 -------- d-----w- c:\documents and settings\mwalsh\Application Data\Mozilla-Cache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-20 14:52 . 2010-11-11 00:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-20 14:52 . 2007-06-04 04:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-10 03:52 . 2012-01-10 03:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\SYSTEM32\DLLCACHE\tcpip.sys
[-] 2007-10-30 . D1E0A099360A7AC279D883B057AB58A5 . 360064 . . [5.1.2600.3244] . . c:\windows\SYSTEM32\DRIVERS\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2007-06-04 . 27A5959C94EE173A063CA06BD14F021A . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2qfe\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\sp2gdr\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot_2012-02-20_11.51.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-20 14:54 . 2012-02-20 14:54 16384 c:\windows\temp\Perflib_Perfdata_688.dat
+ 2012-02-20 14:52 . 2012-02-20 14:52 157472 c:\windows\SYSTEM32\javaws.exe
+ 2012-02-20 14:52 . 2012-02-20 14:52 149280 c:\windows\SYSTEM32\javaw.exe
+ 2012-02-20 14:52 . 2012-02-20 14:52 149280 c:\windows\SYSTEM32\java.exe
+ 2012-02-20 14:53 . 2012-02-20 14:53 203776 c:\windows\Installer\a6e536.msi
+ 2012-02-20 14:52 . 2012-02-20 14:52 901120 c:\windows\Installer\a6e528.msi
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-03-19 184320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-03-19 212992]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^mwalsh^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\mwalsh\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2004-07-19 12:51 306688 ----a-w- c:\program files\Dell Support\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dplaysvr]
c:\documents and settings\mwalsh\Application Data\dplaysvr.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
c:\program files\Google\Google Talk\googletalk.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-12-14 00:10 1688872 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver AutoDB]
2004-09-10 04:06 1040384 ----a-w- c:\program files\iRiver\Service\MLService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
2004-09-07 23:09 212992 ----a-w- c:\program files\iRiver\Service\Updater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeApplet]
c:\documents and settings\mwalsh\Application Data\Media Player Classic\{165498BC-8DB8-4797-B336-162F81D41157}\renovator.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-04-17 02:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-12-03 19:21 2213160 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
c:\windows\system32\NeroCheck.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PocketCloud Location]
c:\program files\Wyse\PocketCloud Windows Companion\WyseBrowser.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
c:\program files\Real\RealPlayer\RealPlay.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RogersAgent]
c:\program files\Rogers\SelfHealing\rogersagent.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 19:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tvncontrol]
c:\program files\TightVNC\tvnserver.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
c:\program files\Veoh Networks\Veoh\VeohClient.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\mwalsh\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12-02-20 1:11 AM 652360]
R2 npf;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [09-03-15 3:13 PM 34064]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [12-02-20 1:11 AM 20464]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys --> c:\windows\system32\DRIVERS\motfilt.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [11-06-02 10:08 AM 11336]
S3 MLFILEM;MLFILEM;c:\windows\SYSTEM32\DRIVERS\MLFILEM.SYS [05-05-12 9:31 PM 28160]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys --> c:\windows\system32\DRIVERS\Motousbnet.sys [?]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys --> c:\windows\system32\DRIVERS\motusbdevice.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
oem02dev
hsxhwazl
SQTECH9080
NdisFilt
pctoolsfirewallplus
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp:/www.cnn.com
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
TCP: DhcpNameServer = 192.168.1.1 24.226.1.93 24.226.10.193
FF - ProfilePath - c:\documents and settings\mwalsh\Application Data\Mozilla\Firefox\Profiles\fsak9i8b.default\
FF - prefs.js: browser.startup.homepage - www.cnn.com/index.html
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Last tab close button: last-tab-close-button@victor.sacharin - %profile%\extensions\last-tab-close-button@victor.sacharin
FF - Ext: vShare Plugin: vshare@toolbar - %profile%\extensions\vshare@toolbar
FF - Ext: Old Location Bar: {3205B348-523A-4fac-9BC4-9939CBF583B0} - %profile%\extensions\{3205B348-523A-4fac-9BC4-9939CBF583B0}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Vacuum Places Improved: VacuumPlacesImproved@lultimouomo-gmail.com - %profile%\extensions\VacuumPlacesImproved@lultimouomo-gmail.com
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: EPUBReader: {5384767E-00D9-40E9-B72F-9CC39D655D6F} - %profile%\extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-20 10:47
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(904)
c:\documents and settings\mwalsh\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\program files\SmartFTP Client\sfShellTools.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-02-20 10:52:09
ComboFix-quarantined-files.txt 2012-02-20 15:52
ComboFix2.txt 2012-02-20 11:57
ComboFix3.txt 2012-02-20 10:59
ComboFix4.txt 2012-02-20 06:08
ComboFix5.txt 2012-02-20 15:30
.
Pre-Run: 63,692,234,752 bytes free
Post-Run: 63,695,024,128 bytes free
.
- - End Of File - - FF0D05AE4DF02F8B6084A719D1C5E5F4



and ListParts
-------------
ListParts by Farbar
Ran by mwalsh on 20-02-2012 at 10:28:53
Windows XP (X86)
Running From: C:\Documents and Settings\mwalsh\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 90%
Total physical RAM: 509.98 MB
Available physical RAM: 48.3 MB
Total Pagefile: 1247.49 MB
Available Pagefile: 864.38 MB
Total Virtual: 2047.88 MB
Available Virtual: 2006.24 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:71.43 GB) (Free:58.99 GB) NTFS ==>[Drive with boot components (Windows XP)]
2 Drive d: (My Disc) (CDROM) (Total:0.66 GB) (Free:0 GB) CDFS

Disk ###  Status  Size   Free  Dyn  Gpt
--------  ------  -----  ----  ---  ---
Disk 0    Online  74 GB  0 B

Partitions of Disk 0:
===============

Partition ###  Type     Size     Offset
-------------  -------  -------  -------
Partition 1    OEM      39 MB    32 KB
Partition 2    Primary  71 GB    39 MB
Partition 3    Unknown  3106 MB  71 GB

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label  Fs    Type       Size   Status   Info
----------  ---  -----  ----  ---------  -----  -------  --------------------------------------
* Volume 2  C           NTFS  Partition  71 GB  Healthy  System (partition with boot components)

Disk: 0
Partition 3
Type : DB
Hidden: Yes
Active: No

There is no volume associated with this partition.


****** End Of Log ******
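
A small triage helper for the two logs above, added here as an example and not code from the thread or from ComboFix/ListParts. It parses the "Svchost - NetSvcs" block of a ComboFix log and the per-partition blocks of a ListParts log, queues all-lowercase, letters-only service names with very few vowels for manual review (a crude heuristic, not a verdict), and lists hidden partitions that have no volume attached. The two excerpts embedded in the script are constructed from the posted logs; the type-code descriptions are a subset of the standard MBR partition-type list and are there only to label the report.

```python
"""Triage helper for a ComboFix 'Svchost - NetSvcs' list and a ListParts
partition table.  Added example, not code from the thread."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed excerpts of the two logs posted above.
COMBOFIX_EXCERPT = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost - NetSvcs
oem02dev
hsxhwazl
SQTECH9080
NdisFilt
pctoolsfirewallplus
.
------- Supplementary Scan -------
"""
LISTPARTS_EXCERPT = """\
Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

* Volume 2 C NTFS Partition 71 GB Healthy System (partition with boot components)

Disk: 0
Partition 3
Type : DB
Hidden: Yes
Active: No

There is no volume associated with this partition.
"""


def netsvcs_entries(log: str) -> list[str]:
    """Names ComboFix lists under 'Svchost - NetSvcs'; the block ends at a '.' line."""
    names, collecting = [], False
    for line in log.splitlines():
        if "Svchost - NetSvcs" in line:
            collecting = True
        elif collecting:
            if line.strip() in ("", "."):
                break
            names.append(line.strip())
    return names


def looks_random(name: str, min_len: int = 6, max_vowel_ratio: float = 0.25) -> bool:
    """Crude triage heuristic, not a verdict: letters-only lowercase names of
    min_len+ characters with few vowels get queued for manual review."""
    if len(name) < min_len or not name.isalpha() or not name.islower():
        return False
    return sum(c in "aeiouy" for c in name) / len(name) < max_vowel_ratio


# Subset of the standard MBR partition-type list, used only to label the report.
TYPE_CODES = {"07": "NTFS/exFAT", "27": "hidden NTFS (Windows RE)",
              "DE": "Dell Utility", "DB": "CP/M-CTOS, also some OEM recovery images"}


@dataclass
class Partition:
    disk: int
    number: int
    type_code: str
    hidden: bool
    active: bool
    has_volume: bool


BLOCK_RE = re.compile(
    r"Disk: (?P<disk>\d+)\s*\nPartition (?P<num>\d+)\s*\nType : (?P<type>[0-9A-Fa-f]{2})\s*\n"
    r"Hidden: (?P<hidden>Yes|No)\s*\nActive: (?P<active>Yes|No)\s*\n(?P<rest>.*?)(?=\nDisk: |\Z)",
    re.S)


def parse_partitions(log: str) -> list[Partition]:
    """Parse the per-partition blocks ListParts prints after its diskpart tables."""
    return [Partition(int(m["disk"]), int(m["num"]), m["type"].upper(),
                      m["hidden"] == "Yes", m["active"] == "Yes",
                      "There is no volume associated" not in m["rest"])
            for m in BLOCK_RE.finditer(log)]


def hidden_without_volume(log: str) -> list[Partition]:
    """Hidden partitions with no mounted volume: compare each type code with
    the OEM's documented layout before treating it as suspicious."""
    return [p for p in parse_partitions(log) if p.hidden and not p.has_volume]


if __name__ == "__main__":
    for name in netsvcs_entries(COMBOFIX_EXCERPT):
        print("REVIEW" if looks_random(name) else "ok    ", name)
    for p in hidden_without_volume(LISTPARTS_EXCERPT):
        print(f"hidden, no volume: disk {p.disk} partition {p.number} type {p.type_code}"
              f" ({TYPE_CODES.get(p.type_code, 'unknown')})")
```

On the posted logs this queues one NetSvcs name for review and reports partitions 1 and 3 as hidden with no volume. Neither finding is a verdict: OEM machines routinely ship a hidden utility and a hidden recovery partition, and a low-vowel name is only a reason to look the service up in the registry and on disk.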

#14 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 20 February 2012 - 12:27 PM

are you still getting alerts from MBAM?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 confidoboyd (Topic Starter, Members, 8 posts)

Posted 20 February 2012 - 09:53 PM

Yes, unfortunately it is. Although the range of IPs seems to be smaller and different than it was before.



