
Trojan, rootkit from torrent. Re-boot hangs


This topic is locked
35 replies to this topic

#1 spectr
  • Members
  • 19 posts

Posted 21 February 2012 - 04:56 PM

Hello,

I was a total fool yesterday morning and have been paying for it ever since. I kept hoping a different anti-virus would work, and so now I'm running about half of them, but I thought before I tried to clean things up I'd admit total failure and get some help. That being said, I manually re-booted and didn't run anything but what the tutorial said, and things have been fine. I'm watching my processes and nothing's popping up the way it was before, but I have who knows how many process blockers running at this point, and it didn't let me re-boot clean (it hangs at "Windows is shutting down"), so I assume it's still in there somewhere. Maybe I should've turned all the anti-virus and process stuff off before I started this, but I've done enough damage and wanted to get help before I did anything else. If that's really the first step, sorry; just let me know and I'll re-do it. Any help is greatly appreciated.

Here's the dds.txt log and the attachments requested. The gmer log is from today after work, whereas the others are from last night. gmer went on forever and I had to go to bed (it didn't like scanning the umpteen thousand text files in a baseball management sim I have). I hope that's alright:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_29
Run by jacoba at 19:54:35 on 2012-02-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.1855 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\PS3 Media Server\win32\service\wrapper.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
\\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [AdobeBridge]
uRun: [Google Update] "c:\documents and settings\jacoba\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EPSON Stylus C62 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [StreamZap Remote] c:\progra~1\stream~1\remote\zremote.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [IE7-11] rundll32 advpack.dll,LaunchINFSection NR_IE7en.inf,AfterUserStart
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{B4E9F9BE-1B85-47CC-9E84-AACC233D2C74} : DhcpNameServer = 192.168.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jacoba\application data\mozilla\firefox\profiles\cd1fcmie.default\
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\jacoba\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.50106.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2009-4-2 33824]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2010-2-24 185472]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-9-16 21992]
R2 PS3 Media Server;PS3 Media Server;c:\program files\ps3 media server\win32\service\wrapper.exe [2011-5-17 366872]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe --> c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-12-17 1684736]
S3 ByakkoDriver;ByakkoDriver;\??\c:\program files\cabal online (us)\byakko.k32 --> c:\program files\cabal online (us)\Byakko.K32 [?]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-18 25832]
S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [2010-1-11 11264]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-2-20 24064]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-02-21 00:34:17 -------- d-s---w- C:\ComboFix
2012-02-21 00:33:44 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2012-02-21 00:29:33 388096 ----a-r- c:\documents and settings\jacoba\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-02-21 00:18:07 -------- d-----w- c:\documents and settings\jacoba\application data\AVG2012
2012-02-21 00:07:35 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-02-20 23:55:54 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2012-02-20 23:54:05 -------- d-----w- c:\windows\system32\drivers\AVG
2012-02-20 23:54:05 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2012-02-20 23:53:30 -------- d-----w- c:\program files\AVG
2012-02-20 23:50:18 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2012-02-20 19:58:04 0 --sha-w- c:\windows\system32\datasvr2.dll
2012-02-20 06:11:51 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-20 01:06:32 -------- d-----w- c:\program files\LP
2012-02-20 01:06:32 -------- d-----w- c:\program files\47869
2012-02-20 01:06:32 -------- d-----w- c:\documents and settings\jacoba\application data\DC747
2012-02-04 19:14:15 53248 ----a-r- c:\documents and settings\jacoba\application data\microsoft\installer\{12baa98c-f8dd-4bc9-bbe6-1c8463114197}\ARPPRODUCTICON.exe
.
==================== Find3M ====================
.
2011-12-29 05:51:56 1409 ----a-w- c:\windows\QTFont.for
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-29 23:18:56 1174979 ----a-w- c:\windows\apppatch\unins000.exe
.
============= FINISH: 19:55:22.95 ===============




Attached File: attach.txt (13.2KB)

Attached File: Ark.log (31.57KB)


#2 spectr (Topic Starter)
  • Members
  • 19 posts

Posted 22 February 2012 - 10:29 PM

So I couldn't help myself from trying some more. I've resigned myself to a reinstall, but I don't want to let them win. Anyway, I deleted a bunch of programs and files to make scans faster and then tried running ComboFix on my own. ComboFix says I have rootkit.zeroattack, or something very close to that, and that it's inserted into the TCP/IP stack, which is more than any of the other programs identified.

But ComboFix didn't get rid of it. It still freezes at re-boot. Well, once, on the second run through, it re-booted into debugger mode on its own and I thought I'd won, but the second re-boot on that attempt still hung. I ran dds and gmer after my ComboFix attempts, and I'll attach the ComboFix logs too (the ComboFix logs are log.txt, log1.txt and log2.txt; the dds2.txt, attach2.txt and ark2.log files were made after the three ComboFix logs). The gmer update doesn't have files included, as that takes hours and I have to go to bed, but I'll run it with files as soon as I get home from work.

Hopefully double-posting in my own thread doesn't drop me back in the queue and I promise I'll leave things alone until I receive instructions from now on.

Updated dds log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_29
Run by jacoba at 22:15:23 on 2012-02-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2056 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\PS3 Media Server\win32\service\wrapper.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EPSON Stylus C62 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [IE7-11] rundll32 advpack.dll,LaunchINFSection NR_IE7en.inf,AfterUserStart
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{B4E9F9BE-1B85-47CC-9E84-AACC233D2C74} : DhcpNameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jacoba\application data\mozilla\firefox\profiles\cd1fcmie.default\
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\jacoba\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.50106.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2009-4-2 33824]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2010-2-24 185472]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-9-16 21992]
R2 PS3 Media Server;PS3 Media Server;c:\program files\ps3 media server\win32\service\wrapper.exe [2011-5-17 366872]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe --> c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-12-17 1684736]
S3 ByakkoDriver;ByakkoDriver;\??\c:\program files\cabal online (us)\byakko.k32 --> c:\program files\cabal online (us)\Byakko.K32 [?]
S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [2010-1-11 11264]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-2-20 24064]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-02-23 03:09:53 64512 -c--a-w- c:\windows\system32\dllcache\serial.sys
2012-02-23 03:09:53 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2012-02-23 02:49:11 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-23 02:48:11 -------- d-----w- C:\ComboFix
2012-02-23 02:02:59 63663 -c--a-w- c:\windows\system32\dllcache\ati1rvxx.sys
2012-02-23 02:02:59 63663 ----a-w- c:\windows\system32\drivers\ati1rvxx.sys
2012-02-23 02:02:59 26367 -c--a-w- c:\windows\system32\dllcache\ati1snxx.sys
2012-02-23 02:02:59 26367 ----a-w- c:\windows\system32\drivers\ati1snxx.sys
2012-02-23 02:02:59 129535 -c--a-w- c:\windows\system32\dllcache\slnt7554.sys
2012-02-23 02:02:59 129535 ----a-w- c:\windows\system32\drivers\slnt7554.sys
2012-02-23 02:02:58 29455 -c--a-w- c:\windows\system32\dllcache\ati1xbxx.sys
2012-02-23 02:02:58 29455 ----a-w- c:\windows\system32\drivers\ati1xbxx.sys
2012-02-23 01:13:02 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-23 01:10:31 -------- d-sha-r- C:\cmdcons
2012-02-23 01:08:35 98816 ----a-w- c:\windows\sed.exe
2012-02-23 01:08:35 518144 ----a-w- c:\windows\SWREG.exe
2012-02-23 01:08:35 256000 ----a-w- c:\windows\PEV.exe
2012-02-23 01:08:35 208896 ----a-w- c:\windows\MBR.exe
2012-02-21 21:43:22 -------- d-----w- C:\$AVG
2012-02-21 00:29:33 388096 ----a-r- c:\documents and settings\jacoba\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-02-21 00:07:35 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-02-20 23:55:54 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2012-02-20 23:54:05 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2012-02-20 23:53:30 -------- d-----w- c:\program files\AVG
2012-02-20 23:50:18 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2012-02-20 06:11:51 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-20 01:06:32 -------- d-----w- c:\program files\47869
2012-02-20 01:06:32 -------- d-----w- c:\documents and settings\jacoba\application data\DC747
2012-02-04 19:14:15 53248 ----a-r- c:\documents and settings\jacoba\application data\microsoft\installer\{12baa98c-f8dd-4bc9-bbe6-1c8463114197}\ARPPRODUCTICON.exe
.
==================== Find3M ====================
.
2011-12-29 05:51:56 1409 ----a-w- c:\windows\QTFont.for
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-29 23:18:56 1174979 ----a-w- c:\windows\apppatch\unins000.exe
.
============= FINISH: 22:15:40.82 ===============

Attached File: attach2.txt (16.61KB)
Attached File: ark2.log (22.74KB)
Attached File: log.txt (15.04KB)
Attached File: log1.txt (13.59KB)
Attached File: log2.txt (13.69KB)
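Added example, not part of the thread and not a BleepingComputer or DDS tool: a small Python triage script over the two DDS sections posted above. It parses the "Running Processes" and "Created Last 30" lines and flags the three patterns a helper would look at first in a case like this one: a process image launched through the \\.\globalroot device path instead of a drive letter, a zero-byte system+hidden file dropped into system32, and a burst of new folders under Program Files / Application Data all stamped with the same second. The rule names and heuristics are my own; the sample lines are constructed from the logs in the posts above, with the AVG install folders kept in as a benign control.

```python
"""Triage heuristics for DDS-style logs (hypothetical helper, not a DDS feature)."""
import re
from collections import defaultdict

# Process image launched through the \\.\globalroot device namespace rather
# than a normal drive letter, as seen in the first DDS log above.
GLOBALROOT_PROC = re.compile(r"^\\\\\.\\globalroot\\", re.IGNORECASE)

# "Created Last 30" line shape: <date> <time> <size|--------> <8 attr flags> <path>
CREATED_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$",
    re.IGNORECASE,
)

# Directory roots under which a dropper typically creates its working folders.
DROP_ROOTS = ("\\program files\\", "\\application data\\")

# Constructed sample: lines in the shape DDS prints them, copied from the two
# logs posted above. The AVG folders are a known-good control for the rules.
SAMPLE_PROCESSES = r"""
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG2012\avgtray.exe
\\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs
""".strip().splitlines()

SAMPLE_CREATED = r"""
2012-02-21 00:34:17 -------- d-s---w- C:\ComboFix
2012-02-21 00:18:07 -------- d-----w- c:\documents and settings\jacoba\application data\AVG2012
2012-02-20 23:54:05 -------- d-----w- c:\windows\system32\drivers\AVG
2012-02-20 23:54:05 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2012-02-20 23:53:30 -------- d-----w- c:\program files\AVG
2012-02-20 19:58:04 0 --sha-w- c:\windows\system32\datasvr2.dll
2012-02-20 01:06:32 -------- d-----w- c:\program files\LP
2012-02-20 01:06:32 -------- d-----w- c:\program files\47869
2012-02-20 01:06:32 -------- d-----w- c:\documents and settings\jacoba\application data\DC747
2012-02-04 19:14:15 53248 ----a-r- c:\documents and settings\jacoba\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\ARPPRODUCTICON.exe
""".strip().splitlines()


def parse_created(lines):
    """Parse 'Created Last 30' lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = CREATED_LINE.match(line.strip())
        if not m:
            continue
        attrs = m["attrs"].lower()          # e.g. "--sha-w-": d=dir, s=system, h=hidden
        entries.append({
            "when": f"{m['date']} {m['time']}",
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "is_dir": attrs[0] == "d",
            "hidden_system": "s" in attrs and "h" in attrs,
            "path": m["path"],
        })
    return entries


def triage(process_lines, created_lines):
    """Return a list of (rule, detail) findings in a stable order."""
    findings = []
    for line in process_lines:
        if GLOBALROOT_PROC.match(line.strip()):
            findings.append(("process-via-globalroot", line.strip()))

    by_second = defaultdict(list)
    for e in parse_created(created_lines):
        low = e["path"].lower()
        leaf = e["path"].rsplit("\\", 1)[-1]
        # A zero-byte file with system+hidden attributes in system32 is unusual
        # for legitimate software and worth a closer look.
        if (not e["is_dir"] and e["size"] == 0 and e["hidden_system"]
                and "\\system32\\" in low):
            findings.append(("hidden-zero-byte-system32-file", e["path"]))
        if e["is_dir"] and any(root in low for root in DROP_ROOTS):
            if leaf.isdigit():
                findings.append(("all-digit-dir-name", e["path"]))
            by_second[e["when"]].append(e["path"])

    # Two or more new folders under the drop roots stamped with the identical
    # second is how a single dropper run tends to look in this section.
    for when, paths in by_second.items():
        if len(paths) >= 2:
            findings.append(("dir-burst-same-second", f"{when}: {'; '.join(paths)}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_PROCESSES, SAMPLE_CREATED):
        print(f"[{rule}] {detail}")
```

On the sample it reports the globalroot svchost, datasvr2.dll, the all-digit 47869 folder and the 01:06:32 burst (LP, 47869, DC747), and says nothing about the AVG folders installed the same evening.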

#3 sempai (noypi)
  • Malware Response Team
  • 5,288 posts
  • Gender: Male
  • Location: 3 stars and a sun

Posted 23 February 2012 - 05:41 AM

Hello spectr and welcome to BC.


Step 1: Download OTL to your Desktop.
  • Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Copy and Paste the following code into the Custom Scan/Fixes box.

    c:\windows\*. /SL
    c:\windows\*. /RP
    netsvcs
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them when you reply.


Step 2: Please download Listparts
Run the tool, click Scan and post the log (Result.txt) it makes.



Step 3: Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
Note: Do not install Avast anti virus when offered.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#4 spectr (Topic Starter)
  • Members
  • 19 posts

Posted 23 February 2012 - 06:47 AM

Thanks for the help, here are the logs you requested:

OTL logfile created on: 2/23/2012 6:35:26 AM - Run 1
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Documents and Settings\jacoba\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.75 Gb Total Physical Memory | 2.13 Gb Available Physical Memory | 77.31% Memory free
5.34 Gb Paging File | 4.82 Gb Available in Paging File | 90.18% Paging File free
Paging file location(s): C:\pagefile.sys 0 0F:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 170.01 Gb Free Space | 57.03% Space Free | Partition Type: NTFS
Drive F: | 931.51 Gb Total Space | 284.97 Gb Free Space | 30.59% Space Free | Partition Type: NTFS

Computer Name: JACOB | User Name: jacoba | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/23 06:33:32 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jacoba\Desktop\OTL.exe
PRC - [2011/10/03 04:06:14 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\system32\java.exe
PRC - [2011/05/17 02:27:48 | 000,366,872 | ---- | M] (Tanuki Software, Ltd.) -- C:\Program Files\PS3 Media Server\win32\service\wrapper.exe
PRC - [2011/02/18 11:47:12 | 000,079,192 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/14 04:42:34 | 000,013,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\savedump.exe
PRC - [2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/10/23 14:19:06 | 001,410,344 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
PRC - [2007/10/23 14:18:46 | 000,202,024 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
PRC - [2006/09/08 12:12:50 | 000,172,032 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
PRC - [2006/09/08 12:10:42 | 000,172,090 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/09 21:45:32 | 000,270,336 | ---- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
MOD - [2010/03/16 12:22:12 | 000,014,848 | ---- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\AxInterop.WBOCXLib.dll
MOD - [2009/12/18 14:55:52 | 011,791,360 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\50ea744ffc3cb7f09b027fd6c5c93b2b\System.Web.ni.dll
MOD - [2009/12/18 14:55:29 | 000,970,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\cb4cb21d14767292e079366a5d3d76cd\System.Configuration.ni.dll
MOD - [2009/12/18 14:55:05 | 000,025,600 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\c2af7cfbb47c077029a2645930b4eeac\Accessibility.ni.dll
MOD - [2009/12/18 14:37:44 | 005,449,728 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\36f3953f24d4f0b767bf172331ad6f3e\System.Xml.ni.dll
MOD - [2009/12/18 14:37:38 | 012,428,800 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\9a254c455892c02355ab0ab0f0727c5b\System.Windows.Forms.ni.dll
MOD - [2009/12/18 14:37:25 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\6978f2e90f13bc720d57fa6895c911e2\System.Drawing.ni.dll
MOD - [2009/12/18 14:36:56 | 007,867,392 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aa7926460a336408c8041330ad90929d\System.ni.dll
MOD - [2009/12/18 14:36:46 | 011,485,184 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\9adb89fa22fd5b4ce433b5aca7fb1b07\mscorlib.ni.dll
MOD - [2009/12/18 14:35:06 | 000,303,104 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
MOD - [2008/04/14 04:42:02 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/04/14 04:42:02 | 000,245,248 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
MOD - [2006/12/21 10:29:00 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\nvshell.dll
MOD - [2006/12/03 13:53:06 | 000,126,464 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2006/09/08 12:12:50 | 000,172,032 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (vmauthdservice)
SRV - File not found [Auto | Stopped] -- -- (USBDongle)
SRV - File not found [Auto | Stopped] -- -- (StarWindServiceAE)
SRV - File not found [Auto | Stopped] -- -- (O2SCBUS)
SRV - File not found [Auto | Stopped] -- -- (InterBaseServer)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (eskerlicensecontrol)
SRV - File not found [Auto | Stopped] -- -- (ccispwdsvc)
SRV - [2011/05/17 02:27:48 | 000,366,872 | ---- | M] (Tanuki Software, Ltd.) [Auto | Running] -- C:\Program Files\PS3 Media Server\win32\service\wrapper.exe -- (PS3 Media Server)
SRV - [2011/01/11 11:44:01 | 004,377,072 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)
SRV - [2010/02/19 12:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2008/11/22 01:25:46 | 000,094,208 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\IcdSptSv.exe -- (ICDSPTSV)
SRV - [2008/04/14 04:42:38 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Stopped] -- C:\WINDOWS\system32\WGX.dll -- (SiS300i)
SRV - [2008/04/14 04:42:38 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\WINDOWS\system32\s716mgmt.dll -- (aolavupd)
SRV - [2006/09/08 12:12:50 | 000,172,032 | ---- | M] () [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe -- (ForceWare Intelligent Application Manager (IAM)) ForceWare Intelligent Application Manager (IAM)
SRV - [2006/09/08 12:10:42 | 000,172,090 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe -- (nSvcIp)


========== Driver Services (SafeList) ==========

DRV - [2012/02/20 19:10:23 | 000,024,064 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamchameleon.sys -- (mbamchameleon)
DRV - [2011/11/09 22:42:12 | 007,493,120 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2010/11/09 14:35:30 | 000,021,992 | ---- | M] (CPUID) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\cpuz135_x32.sys -- (cpuz135)
DRV - [2010/09/23 09:46:29 | 000,281,760 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2010/09/23 09:46:29 | 000,025,888 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2010/07/17 15:09:26 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/02/24 05:22:10 | 000,185,472 | ---- | M] (Protect Software GmbH) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\acedrv11.sys -- (acedrv11)
DRV - [2009/11/03 06:39:04 | 005,940,736 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/04/02 10:19:43 | 000,033,824 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\oreans32.sys -- (oreans32)
DRV - [2008/08/18 11:24:40 | 000,011,264 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ICDUSB3.sys -- (ICDUSB3)
DRV - [2008/08/05 07:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2008/07/02 02:38:14 | 000,089,600 | R--- | M] (ATI Research Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2006/09/21 17:39:16 | 000,105,344 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2006/08/07 18:39:24 | 000,018,944 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/08/07 18:39:22 | 000,052,736 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/08/07 18:39:14 | 000,110,080 | ---- | M] (NVIDIA Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\nvtcp.sys -- (NVTCP)
DRV - [2006/01/04 02:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@idsoftware.com/QuakeLive: C:\Documents and Settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll (id Software Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\3.0.50106.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2571: C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1739: C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\jacoba\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\jacoba\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/07 10:10:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/10 09:29:52 | 000,000,000 | ---D | M]

[2008/06/20 14:53:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\jacoba\Application Data\Mozilla\Extensions
[2012/02/12 08:20:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\jacoba\Application Data\Mozilla\Firefox\Profiles\cd1fcmie.default\extensions
[2011/02/09 15:09:06 | 000,000,000 | ---D | M] (AEProject) -- C:\Documents and Settings\jacoba\Application Data\Mozilla\Firefox\Profiles\cd1fcmie.default\extensions\{4d587426-b7e2-40df-922d-c8157175af64}
[2012/02/12 08:20:06 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\jacoba\Application Data\Mozilla\Firefox\Profiles\cd1fcmie.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2012/01/07 10:10:50 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
() (No name found) -- C:\DOCUMENTS AND SETTINGS\JACOBA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CD1FCMIE.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\JACOBA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CD1FCMIE.DEFAULT\EXTENSIONS\{D40F5E7B-D2CF-4856-B441-CC613EEFFBE3}.XPI
[2009/02/22 11:40:54 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2012/01/07 10:10:43 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/10/03 04:06:04 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/05/08 09:22:36 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/13 11:52:21 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Bing (Enabled)
CHR - default_search_provider: search_url = http://www.bing.com/search?setmkt=en-US&q={searchTerms}
CHR - default_search_provider: suggest_url = http://api.bing.com/osjson.aspx?query={searchTerms}&language={language}

Hosts file not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html File not found
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - mswsock.dll File not found
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab (CKAVWebScan Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B4E9F9BE-1B85-47CC-9E84-AACC233D2C74}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\jacoba\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\jacoba\Application Data\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/03 14:25:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: USBDongle - File not found
NetSvcs: InterBaseServer - File not found
NetSvcs: ahcix86s - File not found
NetSvcs: agnwifi - File not found
NetSvcs: vmauthdservice - File not found
NetSvcs: interactivelogon - File not found
NetSvcs: se44bus - File not found
NetSvcs: raidmsvr - File not found
NetSvcs: wstcodec - File not found
NetSvcs: aolavupd - C:\WINDOWS\system32\s716mgmt.dll (Oak Technology Inc.)
NetSvcs: SiS300i - C:\WINDOWS\system32\WGX.dll (Oak Technology Inc.)
NetSvcs: webrootcommagentservice - File not found
NetSvcs: MSCamSvc - File not found
NetSvcs: CX23880 - File not found
NetSvcs: SNMP - File not found
NetSvcs: msfwsvc - File not found
NetSvcs: O2SCBUS - File not found
NetSvcs: rnadirectory - File not found
NetSvcs: eelogsvc - File not found
NetSvcs: eskerlicensecontrol - File not found
NetSvcs: ccispwdsvc - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.ffds - C:\Program Files\Combined Community Codec Pack\Filters\FFDShow\ff_vfw.dll ()
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.XFR1 - C:\WINDOWS\System32\xfcodec.dll ()
Drivers32: vidc.XVID - C:\WINDOWS\System32\xvidvfw.dll ()

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/02/23 06:33:52 | 000,583,680 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\jacoba\Desktop\OTL.exe
[2012/02/22 22:09:53 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\serial.sys
[2012/02/22 21:48:11 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/02/22 21:03:20 | 000,036,463 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1tuxx.sys
[2012/02/22 21:03:20 | 000,036,463 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\ati1tuxx.sys
[2012/02/22 21:03:20 | 000,013,240 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\slwdmsup.sys
[2012/02/22 21:03:20 | 000,013,240 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\dllcache\slwdmsup.sys
[2012/02/22 21:03:20 | 000,011,935 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\wadv11nt.sys
[2012/02/22 21:03:20 | 000,011,935 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\dllcache\wadv11nt.sys
[2012/02/22 21:03:18 | 001,309,184 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\mtlstrm.sys
[2012/02/22 21:03:18 | 001,309,184 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\dllcache\mtlstrm.sys
[2012/02/22 21:03:17 | 000,022,271 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\watv06nt.sys
[2012/02/22 21:03:17 | 000,022,271 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\dllcache\watv06nt.sys
[2012/02/22 21:03:15 | 000,056,623 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1btxx.sys
[2012/02/22 21:03:15 | 000,056,623 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\ati1btxx.sys
[2012/02/22 21:03:13 | 000,013,776 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\recagent.sys
[2012/02/22 21:03:13 | 000,013,776 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\dllcache\recagent.sys
[2012/02/22 21:03:12 | 000,126,686 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\mtlmnt5.sys
[2012/02/22 21:03:12 | 000,126,686 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\dllcache\mtlmnt5.sys
[2012/02/22 21:03:12 | 000,034,735 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1xsxx.sys
[2012/02/22 21:03:12 | 000,034,735 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\ati1xsxx.sys
[2012/02/22 21:03:11 | 000,180,360 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\ntmtlfax.sys
[2012/02/22 21:03:11 | 000,180,360 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\dllcache\ntmtlfax.sys
[2012/02/22 21:03:07 | 000,404,990 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\slntamr.sys
[2012/02/22 21:03:07 | 000,404,990 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\dllcache\slntamr.sys
[2012/02/22 21:03:06 | 000,011,807 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\wadv07nt.sys
[2012/02/22 21:03:06 | 000,011,807 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\dllcache\wadv07nt.sys
[2012/02/22 21:03:05 | 000,095,424 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\slnthal.sys
[2012/02/22 21:03:05 | 000,095,424 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\dllcache\slnthal.sys
[2012/02/22 21:03:05 | 000,030,671 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1raxx.sys
[2012/02/22 21:03:05 | 000,030,671 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\ati1raxx.sys
[2012/02/22 21:03:04 | 000,011,615 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1mdxx.sys
[2012/02/22 21:03:04 | 000,011,615 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\ati1mdxx.sys
[2012/02/22 21:03:03 | 000,025,471 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\watv10nt.sys
[2012/02/22 21:03:03 | 000,025,471 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\dllcache\watv10nt.sys
[2012/02/22 21:03:03 | 000,011,295 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\wadv08nt.sys
[2012/02/22 21:03:03 | 000,011,295 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\dllcache\wadv08nt.sys
[2012/02/22 21:03:02 | 000,021,343 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1ttxx.sys
[2012/02/22 21:03:02 | 000,021,343 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\ati1ttxx.sys
[2012/02/22 21:03:02 | 000,012,047 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1pdxx.sys
[2012/02/22 21:03:02 | 000,012,047 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\ati1pdxx.sys
[2012/02/22 21:02:59 | 000,129,535 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\slnt7554.sys
[2012/02/22 21:02:59 | 000,129,535 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\dllcache\slnt7554.sys
[2012/02/22 21:02:59 | 000,063,663 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1rvxx.sys
[2012/02/22 21:02:59 | 000,063,663 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\ati1rvxx.sys
[2012/02/22 21:02:59 | 000,026,367 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1snxx.sys
[2012/02/22 21:02:59 | 000,026,367 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\ati1snxx.sys
[2012/02/22 21:02:58 | 000,029,455 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1xbxx.sys
[2012/02/22 21:02:58 | 000,029,455 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\dllcache\ati1xbxx.sys
[2012/02/22 20:10:31 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/02/22 20:08:35 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/02/22 20:08:35 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/02/22 20:08:35 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/02/22 20:08:35 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/02/22 20:08:12 | 004,414,512 | R--- | C] (Swearware) -- C:\Documents and Settings\jacoba\Desktop\ComboFix.exe
[2012/02/22 18:36:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2012/02/21 16:43:22 | 000,000,000 | ---D | C] -- C:\$AVG
[2012/02/20 19:34:17 | 000,000,000 | --SD | C] -- C:\Documents and Settings\jacoba\Desktop\ComboFix
[2012/02/20 19:33:38 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/02/20 18:55:54 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/02/20 18:54:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2012/02/20 18:53:30 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2012/02/20 18:50:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2012/02/20 16:32:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jacoba\Desktop\Accounts
[2012/02/20 12:34:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Maxthon3
[2012/02/20 08:00:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/02/19 20:06:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jacoba\Application Data\DC747
[2012/02/19 20:06:32 | 000,000,000 | ---D | C] -- C:\Program Files\47869
[2012/01/28 15:54:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jacoba\My Documents\ANNO 2070
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[13 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/23 06:33:32 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jacoba\Desktop\OTL.exe
[2012/02/23 06:32:15 | 000,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-602162358-261903793-839522115-1003UA.job
[2012/02/23 06:32:00 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012/02/23 06:30:43 | 000,746,672 | ---- | M] () -- C:\WINDOWS\System32\nvdb02.adghz
[2012/02/23 06:30:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/22 22:46:12 | 000,081,920 | ---- | M] () -- C:\Documents and Settings\jacoba\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/02/22 21:53:59 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/22 21:09:05 | 000,002,449 | ---- | M] () -- C:\Documents and Settings\jacoba\Desktop\HiJackThis.lnk
[2012/02/22 20:10:36 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/02/21 17:32:02 | 000,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-602162358-261903793-839522115-1003Core.job
[2012/02/21 17:00:08 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2012/02/20 19:52:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\jacoba\defogger_reenable
[2012/02/20 19:51:40 | 000,000,338 | ---- | M] () -- C:\Documents and Settings\jacoba\My Documents\ax_files.xml
[2012/02/20 19:28:07 | 004,414,512 | R--- | M] (Swearware) -- C:\Documents and Settings\jacoba\Desktop\ComboFix.exe
[2012/02/20 19:10:23 | 000,024,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2012/02/20 16:55:20 | 000,000,459 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2012/02/20 16:48:23 | 000,016,390 | ---- | M] () -- C:\Documents and Settings\jacoba\Desktop\workoutrecord.ods
[2012/02/20 13:04:32 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\jacoba\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2012/02/20 13:03:25 | 000,440,898 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120220-130338.backup
[2012/02/20 07:47:52 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/02/20 01:22:07 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\45KTI8w1S.dat
[2012/02/20 00:57:09 | 000,017,990 | ---- | M] () -- C:\Documents and Settings\jacoba\Desktop\anno2070.ods
[2012/02/12 22:50:22 | 000,023,854 | ---- | M] () -- C:\Documents and Settings\jacoba\Desktop\Jays_hitterscareers.ods
[2012/02/12 12:22:17 | 000,090,044 | ---- | M] () -- C:\Documents and Settings\jacoba\Desktop\J08_11.jpg
[2012/02/12 12:22:17 | 000,001,456 | ---- | M] () -- C:\Documents and Settings\jacoba\Local Settings\Application Data\Adobe Save for Web 12.0 Prefs
[2012/02/12 12:13:35 | 000,089,614 | ---- | M] () -- C:\Documents and Settings\jacoba\Desktop\J00_07.jpg
[2012/02/08 07:44:56 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2012/02/08 07:44:56 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_RimUsb_01009.Wdf
[2012/01/28 15:18:20 | 000,013,866 | ---- | M] () -- C:\Documents and Settings\jacoba\Desktop\pitchignplan.ods
[2012/01/27 17:24:30 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[13 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/22 20:08:35 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/02/22 20:08:35 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/02/22 20:08:35 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/02/22 20:08:35 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/02/22 20:08:35 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/02/20 19:52:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\jacoba\defogger_reenable
[2012/02/20 19:29:31 | 000,002,449 | ---- | C] () -- C:\Documents and Settings\jacoba\Desktop\HiJackThis.lnk
[2012/02/20 19:07:35 | 000,024,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2012/02/20 13:04:32 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\jacoba\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2012/02/20 01:21:54 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\45KTI8w1S.dat
[2012/02/20 01:11:51 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012/02/12 23:09:11 | 000,017,990 | ---- | C] () -- C:\Documents and Settings\jacoba\Desktop\anno2070.ods
[2012/02/12 22:50:21 | 000,023,854 | ---- | C] () -- C:\Documents and Settings\jacoba\Desktop\Jays_hitterscareers.ods
[2012/02/12 12:13:34 | 000,089,614 | ---- | C] () -- C:\Documents and Settings\jacoba\Desktop\J00_07.jpg
[2012/02/12 12:11:29 | 000,090,044 | ---- | C] () -- C:\Documents and Settings\jacoba\Desktop\J08_11.jpg
[2012/02/12 12:10:59 | 000,001,456 | ---- | C] () -- C:\Documents and Settings\jacoba\Local Settings\Application Data\Adobe Save for Web 12.0 Prefs
[2012/02/08 07:44:56 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2012/02/08 07:44:56 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_RimUsb_01009.Wdf
[2012/01/28 15:18:16 | 000,013,866 | ---- | C] () -- C:\Documents and Settings\jacoba\Desktop\pitchignplan.ods
[2011/11/09 22:39:44 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\OpenVideo.dll
[2011/11/09 22:39:32 | 000,054,784 | ---- | C] () -- C:\WINDOWS\System32\OVDecode.dll
[2010/09/14 14:15:39 | 000,333,008 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/08/15 09:51:33 | 002,373,712 | ---- | C] () -- C:\WINDOWS\System32\pbsvc.exe
[2010/08/09 13:16:58 | 000,000,237 | ---- | C] () -- C:\WINDOWS\ACTIVEJP.INI

========== Custom Scans ==========


< >

< c:\windows\*. /SL >

< c:\windows\*. /RP >

< %ALLUSERSPROFILE%\Application Data\*. >
[2009/02/03 11:27:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\2DBoy
[2011/09/10 09:29:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2007/04/24 10:50:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe Systems
[2010/10/28 20:11:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ALM
[2007/04/13 15:35:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2011/12/16 20:52:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ATI
[2012/02/22 20:38:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2008/06/08 22:08:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg8
[2012/02/22 18:44:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BioWare
[2012/02/20 18:55:54 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2008/11/18 13:52:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
[2010/03/22 12:56:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2010/08/15 09:51:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\id Software
[2008/06/02 14:45:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
[2008/07/16 10:23:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lionhead Studios
[2010/01/25 14:17:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/03/22 19:56:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2012/02/22 20:06:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2008/04/15 11:03:55 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2007/12/31 14:34:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nero
[2007/04/03 18:51:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NVIDIA
[2007/04/03 19:06:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\nView_Profiles
[2010/03/13 15:12:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Quark
[2010/11/14 23:27:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Real
[2010/10/28 20:32:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\regid.1986-12.com.adobe
[2011/09/06 17:09:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2009/02/09 13:09:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Skype
[2010/01/25 10:48:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/03/31 23:42:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Stardock
[2010/09/22 19:18:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/09/23 09:47:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tages
[2007/05/09 13:58:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trymedia
[2010/07/17 15:39:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ubisoft
[2007/04/03 15:02:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage

< %ALLUSERSPROFILE%\Application Data\*.exe /s >
[2010/03/01 22:44:10 | 000,033,568 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\java-rmi.exe
[2010/03/01 22:44:10 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\java.exe
[2010/03/01 22:44:10 | 000,059,168 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\javacpl.exe
[2010/03/01 22:44:10 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\javaw.exe
[2010/03/01 22:44:10 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\javaws.exe
[2010/03/01 22:44:12 | 000,079,648 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\jbroker.exe
[2010/03/01 22:44:12 | 000,023,328 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\jp2launcher.exe
[2010/03/01 22:44:12 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\jqs.exe
[2010/03/01 22:44:12 | 000,055,072 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\jqsnotify.exe
[2010/03/01 22:44:12 | 000,386,872 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\jucheck.exe
[2010/03/01 22:44:12 | 000,055,072 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\jureg.exe
[2010/03/01 22:44:14 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\jusched.exe
[2010/03/01 22:44:14 | 000,033,568 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\keytool.exe
[2010/03/01 22:44:14 | 000,033,568 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\kinit.exe
[2010/03/01 22:44:14 | 000,033,568 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\klist.exe
[2010/03/01 22:44:14 | 000,033,568 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\ktab.exe
[2010/03/01 22:44:14 | 000,033,568 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\orbd.exe
[2010/03/01 22:44:14 | 000,033,568 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\pack200.exe
[2010/03/01 22:44:14 | 000,033,568 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\policytool.exe
[2010/03/01 22:44:14 | 000,033,568 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\rmid.exe
[2010/03/01 22:44:14 | 000,033,568 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\rmiregistry.exe
[2010/03/01 22:44:14 | 000,033,568 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\servertool.exe
[2010/03/01 22:44:14 | 000,030,496 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\ssvagent.exe
[2010/03/01 22:44:14 | 000,033,568 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\tnameserv.exe
[2010/03/01 22:44:14 | 000,132,896 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\All Users\Application Data\Adobe\CS5\jre\bin\unpack200.exe
[2007/03/14 18:10:30 | 000,116,288 | ---- | M] (Apple Inc.) -- C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.1.1.5\iTunesSetupAdmin.exe
[2010/08/02 10:24:10 | 002,373,712 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\id Software\QuakeLive\pbsvc.exe
[2012/02/20 13:04:10 | 009,502,424 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

< %APPDATA%\*. >
[2011/10/28 16:42:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\.minecraft
[2010/03/10 17:37:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\2K Sports
[2012/02/12 12:10:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Adobe
[2007/06/06 11:01:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\AdobeUM
[2007/07/29 01:23:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Apple Computer
[2009/12/15 18:31:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\ATI
[2007/05/16 14:15:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Azureus
[2011/07/09 20:37:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\BoneTown
[2012/02/19 20:06:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\DC747
[2011/09/24 23:43:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\dvdcss
[2009/07/01 10:34:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\FreeStone Group
[2009/05/22 17:18:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\GarageGames
[2007/04/06 19:43:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Help
[2010/08/15 09:51:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\id Software
[2007/04/03 14:28:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Identities
[2011/11/29 06:49:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\JLAdventCalendarLondon2011
[2010/09/14 14:30:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Kalypso Media
[2010/06/17 13:09:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Leadertech
[2008/07/16 10:31:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Lionhead Studios
[2007/05/29 02:19:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Macromedia
[2010/01/25 14:17:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Malwarebytes
[2009/12/15 19:03:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Media Player Classic
[2011/07/09 20:41:18 | 000,000,000 | --SD | M] -- C:\Documents and Settings\jacoba\Application Data\Microsoft
[2008/06/20 14:53:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Mozilla
[2007/05/15 13:43:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\My Games
[2007/12/31 14:35:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Nero
[2010/08/14 08:35:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\OpenOffice.org
[2010/08/14 08:23:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\OpenOffice.org2
[2007/04/03 15:04:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Opera
[2012/01/07 18:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Out of the Park Developments
[2010/03/13 15:14:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Quark
[2010/11/12 01:16:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Real
[2011/09/06 17:10:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Research In Motion
[2011/01/30 11:17:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Rovio
[2009/05/10 18:51:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Skype
[2009/05/10 18:50:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\skypePM
[2008/01/21 15:47:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\SmartFTP
[2008/09/23 12:55:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\SPORE
[2008/07/11 15:21:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\SPORE Creature Creator
[2011/07/29 19:32:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\StreamTorrent
[2007/08/09 10:49:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Sun
[2008/02/10 16:55:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\U3
[2012/01/28 15:27:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Ubisoft
[2012/02/20 21:50:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\uTorrent
[2011/12/29 17:21:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\vlc
[2007/04/03 23:07:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\WhenU
[2009/05/10 19:44:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jacoba\Application Data\Xfire

< %APPDATA%\*.exe /s >
[2011/06/01 11:18:37 | 000,270,142 | ---- | M] () -- C:\Documents and Settings\jacoba\Application Data\.minecraft\Minecraft.exe
[2011/01/27 22:50:07 | 000,695,296 | ---- | M] (AnjoCaido) -- C:\Documents and Settings\jacoba\Application Data\.minecraft\Updater.exe
[2011/11/29 06:47:26 | 000,053,632 | ---- | M] (Adobe Systems Inc.) -- C:\Documents and Settings\jacoba\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
[2011/11/29 06:47:23 | 015,160,720 | ---- | M] (Adobe Systems Inc.) -- C:\Documents and Settings\jacoba\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airinstaller3x0\airinstaller3x0.exe
[2007/06/07 16:20:04 | 001,214,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\jacoba\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
[2012/02/04 14:14:15 | 000,053,248 | R--- | M] (Acresso Software Inc.) -- C:\Documents and Settings\jacoba\Application Data\Microsoft\Installer\{12BAA98C-F8DD-4BC9-BBE6-1C8463114197}\ARPPRODUCTICON.exe
[2011/11/29 18:19:03 | 000,029,926 | R--- | M] () -- C:\Documents and Settings\jacoba\Application Data\Microsoft\Installer\{394BE3D9-7F57-4638-A8D1-1D88671913B7}\_18be6784.exe
[2011/11/29 18:19:03 | 000,029,422 | R--- | M] () -- C:\Documents and Settings\jacoba\Application Data\Microsoft\Installer\{394BE3D9-7F57-4638-A8D1-1D88671913B7}\_294823.exe
[2012/02/20 19:29:33 | 000,388,096 | R--- | M] (Trend Micro Inc.) -- C:\Documents and Settings\jacoba\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
[2011/11/29 18:53:15 | 000,007,782 | R--- | M] () -- C:\Documents and Settings\jacoba\Application Data\Microsoft\Installer\{502499DC-2EDB-45A2-8F7C-83E6E5DE067E}\ARPPRODUCTICON.exe
[2011/11/29 18:53:15 | 000,049,152 | R--- | M] (InstallShield Software Corp.) -- C:\Documents and Settings\jacoba\Application Data\Microsoft\Installer\{502499DC-2EDB-45A2-8F7C-83E6E5DE067E}\NewShortcut1_502499DC2EDB45A28F7C83E6E5DE067E.exe
[2011/05/07 00:29:54 | 000,018,902 | R--- | M] () -- C:\Documents and Settings\jacoba\Application Data\Microsoft\Installer\{51FAC155-0705-4EA0-B00F-7955676627BF}\ARPPRODUCTICON.exe
[2011/05/07 00:29:54 | 000,057,344 | R--- | M] (InstallShield Software Corp.) -- C:\Documents and Settings\jacoba\Application Data\Microsoft\Installer\{51FAC155-0705-4EA0-B00F-7955676627BF}\NewShortcut1_51FAC15507054EA0B00F7955676627BF.exe
[2007/04/03 15:04:54 | 000,061,440 | R--- | M] (InstallShield Software Corp.) -- C:\Documents and Settings\jacoba\Application Data\Microsoft\Installer\{5D582D33-EB35-4D77-B7AF-403322D947E6}\ARPPRODUCTICON.exe
[2009/12/15 18:27:03 | 000,009,158 | R--- | M] () -- C:\Documents and Settings\jacoba\Application Data\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
[2011/11/29 19:01:59 | 000,007,782 | R--- | M] () -- C:\Documents and Settings\jacoba\Application Data\Microsoft\Installer\{C109AF5B-69D0-4C93-B360-F28D9FAB6084}\ARPPRODUCTICON.exe
[2011/11/29 19:01:59 | 000,049,152 | R--- | M] (InstallShield Software Corp.) -- C:\Documents and Settings\jacoba\Application Data\Microsoft\Installer\{C109AF5B-69D0-4C93-B360-F28D9FAB6084}\NewShortcut1_C109AF5B69D04C93B360F28D9FAB6084.exe
[2011/06/07 07:31:10 | 002,959,376 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\jacoba\Application Data\Research In Motion\BlackBerry Desktop\Updates\A7227214-39BE-46b4-8F87-42650B1C1046\dotnetfx35setup.exe
[2011/09/07 17:35:40 | 117,454,168 | ---- | M] () -- C:\Documents and Settings\jacoba\Application Data\Research In Motion\BlackBerry Desktop\Updates\A7227214-39BE-46b4-8F87-42650B1C1046\Extractor.exe
[2011/06/07 07:31:10 | 000,128,472 | ---- | M] (Macrovision Corporation) -- C:\Documents and Settings\jacoba\Application Data\Research In Motion\BlackBerry Desktop\Updates\A7227214-39BE-46b4-8F87-42650B1C1046\Helper.exe
[2011/06/07 07:31:10 | 001,821,192 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\jacoba\Application Data\Research In Motion\BlackBerry Desktop\Updates\A7227214-39BE-46b4-8F87-42650B1C1046\vcredist_x86.exe
[2011/06/07 07:31:08 | 000,419,672 | ---- | M] (Research In Motion Limited) -- C:\Documents and Settings\jacoba\Application Data\Research In Motion\BlackBerry Desktop\Updates\A7227214-39BE-46b4-8F87-42650B1C1046\InstallerUtils\InstallerUtils.exe
[2011/06/07 07:31:10 | 000,081,240 | ---- | M] (Research In Motion Limited) -- C:\Documents and Settings\jacoba\Application Data\Research In Motion\BlackBerry Desktop\Updates\A7227214-39BE-46b4-8F87-42650B1C1046\InstallerUtils\Setup.exe
[2006/12/14 10:00:02 | 000,110,592 | ---- | M] () -- C:\Documents and Settings\jacoba\Application Data\U3\temp\cleanup.exe
[2007/02/12 17:46:54 | 003,096,576 | -H-- | M] (SanDisk Corporation) -- C:\Documents and Settings\jacoba\Application Data\U3\temp\Launchpad Removal.exe

< %SYSTEMDRIVE%\*.exe >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010/07/17 15:09:26 | 000,691,696 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\sptd.sys

< %systemroot%\system32\drivers\*.sys /90 >
[2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2012/02/20 19:10:23 | 000,024,064 | ---- | M] () -- C:\WINDOWS\system32\drivers\mbamchameleon.sys

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[c:\windows\$NtUninstallKB33577$] -> Error: Cannot create file handle -> Unknown point type

< End of report >

OTL Extras logfile created on: 2/23/2012 6:35:26 AM - Run 1
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Documents and Settings\jacoba\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.75 Gb Total Physical Memory | 2.13 Gb Available Physical Memory | 77.31% Memory free
5.34 Gb Paging File | 4.82 Gb Available in Paging File | 90.18% Paging File free
Paging file location(s): C:\pagefile.sys 0 0F:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 170.01 Gb Free Space | 57.03% Space Free | Partition Type: NTFS
Drive F: | 931.51 Gb Total Space | 284.97 Gb Free Space | 30.59% Space Free | Partition Type: NTFS

Computer Name: JACOB | User Name: jacoba | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Bridge] -- C:\Program Files\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"4481:TCP" = 4481:TCP:LocalSubNet:Enabled:BlackBerry Desktop Software music sync service data transfer
"4481:UDP" = 4481:UDP:LocalSubNet:Enabled:BlackBerry Desktop Software music sync service discovery
"4482:TCP" = 4482:TCP:LocalSubNet:Enabled:BlackBerry Desktop Software music sync service data transfer
"4482:UDP" = 4482:UDP:LocalSubNet:Enabled:BlackBerry Desktop Software music sync service discovery

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\EA SPORTS\MVP Baseball 2005\mvp2005.exe" = C:\Program Files\EA SPORTS\MVP Baseball 2005\mvp2005.exe:*:Enabled:mvp2005 -- ()
"C:\Program Files\Opera\Opera.exe" = C:\Program Files\Opera\Opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\Program Files\VideoLAN\VLC\vlc.exe" = C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player -- ()
"C:\Program Files\2K Games\Firaxis Games\Sid Meier's Railroads!\RailRoads.exe" = C:\Program Files\2K Games\Firaxis Games\Sid Meier's Railroads!\RailRoads.exe:*:Disabled:Sid Meier's Railroads! -- (MACiOZO Games, Inc)
"C:\Program Files\EA SPORTS\Madden NFL 08\Updater.exe" = C:\Program Files\EA SPORTS\Madden NFL 08\Updater.exe:*:Disabled:Updater -- ()
"C:\Program Files\SmartFTP Client\SmartFTP.exe" = C:\Program Files\SmartFTP Client\SmartFTP.exe:*:Enabled:SmartFTP Client 3.0 -- (SmartSoft Ltd.)
"C:\Program Files\Utorrent\utorrent.exe" = C:\Program Files\Utorrent\utorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Research In Motion\BlackBerry Desktop\Rim.Desktop.exe" = C:\Program Files\Research In Motion\BlackBerry Desktop\Rim.Desktop.exe:*:Enabled:BlackBerry Desktop Software -- (Research In Motion)
"C:\Program Files\Ubisoft\Ubisoft Game Launcher\UbisoftGameLauncher.exe" = C:\Program Files\Ubisoft\Ubisoft Game Launcher\UbisoftGameLauncher.exe:*:Enabled:Ubisoft Game Launcher -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0556F885-2415-4666-B53E-33727E46AEA1}" = The Movies™
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0D2DBE8A-43D0-7830-7AE7-CA6C99A832E7}" = Adobe Community Help
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{12453E04-9738-4D16-8408-D726532C2C69}" = ASUS VGA Driver
"{12BAA98C-F8DD-4BC9-BBE6-1C8463114197}" = BlackBerry Device Software Updater
"{14C87AA7-08E6-419F-A165-998EBE5023D7}" = Oblivion - Knights of the Nine
"{1632FD86-1BA4-4FC4-8B25-A8C655D63F68}" = Sid Meier's Pirates!
"{16D919E6-F019-4E15-BFBE-4A85EF19DA57}" = Oblivion - Spell Tomes
"{190601AF-7BE4-046E-CEBF-14EE74434250}" = AMD Catalyst Install Manager
"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1
"{1C4551A6-4743-4093-91E4-1477CD655043}" = NVIDIA PhysX
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6423DE-7959-4178-80E0-023C7EAA5347}" = NVIDIA ForceWare Network Access Manager
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{25B473C3-2C62-482B-858F-94ED76880F79}" = Patrician IV
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 29
"{26A24AE4-039D-4CA4-87B4-2F83216016F0}" = Java™ 6 Update 16
"{27614800-84A9-484E-9CCB-43ED2F1205F5}" = Chessmaster Grandmaster Edition
"{288DB08D-0708-4A94-B055-55B99E39EB62}" = Adobe Creative Suite 5 Master Collection
"{2BEB102E-F9CD-4881-984B-E288F66FD394}" = Quake Live Mozilla Plugin
"{2ECA81CA-D932-4AD3-AD59-BF5CCF099C83}" = Catalyst Control Center - Branding
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{3828EC4B-D4B9-A742-4D81-9C0A3C72DF8A}" = CCC Help English
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{394BE3D9-7F57-4638-A8D1-1D88671913B7}" = piaip AppLocale
"{39C8EFBA-042B-11DC-A860-0EE955D89593}" = EA SPORTS™ NBA LIVE 08
"{3ABEBD00-299D-4DCA-967F-B912163AB5EA}" = Oblivion - Horse Armor Pack
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{402ED4A1-8F5B-387A-8688-997ABF58B8F2}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{4377F918-E6C9-4ECA-A7F5-754B310B7ED8}" = Sid Meier's Civilization 4
"{44E1DE63-C8FA-4C70-B4AA-0C49A947ACDE}" = Sid Meier's Railroads!
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{49FC50FC-F965-40D9-89B4-CBFF80941033}" = Windows Movie Maker 2.0
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{502499DC-2EDB-45A2-8F7C-83E6E5DE067E}" = ILLUSION ジンコウガクエン きゃらめいく
"{51FAC155-0705-4EA0-B00F-7955676627BF}" = ILLUSION SexyビーチZERO
"{5211BF94-F97C-47E7-BC7C-BE804A79F8A2}" = MLB 2K10
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5D582D33-EB35-4D77-B7AF-403322D947E6}" = Opera 9.10
"{5E863175-E85D-44A6-8968-82507D34AE7F}" = QuickTime
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{6CCC133E-9A2F-4CAA-8866-75D029CD3AB3}" = Digital Voice Editor 3
"{6F23C1A3-9F62-470C-BD12-B83F04E67865}" = SmartFTP Client
"{706EA4A8-97B5-4C29-A0F3-0B38C666F0C4}" = QuarkXPress
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7CCEBC24-62DB-4280-A8EC-BFA49F167920}" = Software Update for Web Folders
"{81A917A1-DBA3-3639-53DA-B6E833D41A57}" = ccc-utility
"{82931CCC-65F4-5A50-57AD-AE6DF6B10929}" = Catalyst Control Center
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher
"{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}" = ATI AVIVO Codecs
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8FFC924C-ED06-44CB-8867-3CA778ECE903}" = Adobe Help Center 2.0
"{9143B17E-BBDE-4EA7-A4E3-20D384D9C8A5}_is1" = HF pAppLoc version 0.9.1
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9862B19F-4CAD-4EED-920F-2F378D84393F}" = ATI Parental Control & Encoder
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{9EDBB857-8028-49CD-B9C9-0B4D10CD1033}" = Nero 8
"{A0A087E5-149E-EC75-F45D-3A3C04344B4A}" = Catalyst Control Center Graphics Previews Common
"{A19E1C26-6DAF-AFDC-4EFF-EFF7FA36F72D}" = Jacquie Lawson London Advent Calendar
"{A25FF1C0-80B6-4B8B-A551-DC525697A408}" = AMD APP SDK Runtime
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3BC1DBD-64D6-4EBC-0091-24C811662D40}" = Madden NFL 08
"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
"{AB90749C-7422-4580-8A7A-66CC5E9E5F98}" = iTunes
"{AC76BA86-7AD7-1033-7B44-A80000000002}" = Adobe Reader 8
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BEF3EFE7-5159-436D-9BF0-CCC633179EB4}" = EVGA Display Driver
"{C06A7DAC-1708-417C-B694-28C84DFE2DF9}" = The Movies™ Stunts & Effects
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C109AF5B-69D0-4C93-B360-F28D9FAB6084}" = ILLUSION ジンコウガクエン
"{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}" = Fable - The Lost Chapters
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC67DD84-77C6-C9F8-FA03-953F1C1C92A9}" = Catalyst Control Center InstallProxy
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D25F26E6-7F37-4580-9E83-2BDD9BE9E0CE}" = BlackBerry Desktop Software 6.0
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DE3A9DC5-9A5D-6485-9662-347162C7E4CA}" = Adobe Media Player
"{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb" = Microsoft Windows Application Compatibility Database
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{EC425CFC-EE78-4A91-AA25-3BFA65B75364}" = Oblivion - Orrery
"{EE3FBD3C-782E-4A90-9507-0ECFE1FECCE4}" = Sid Meier's Railroads!
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F138762F-5A1F-4CF0-A5E1-1588EF6088A4}" = The Witcher Enhanced Edition
"{F2B5A2A7-2DF9-4361-8BD5-362714528B51}" = NHL® 09
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"Alt.Binz" = Alt.Binz 0.24.1
"BlackBerry_Desktop" = BlackBerry Desktop Software 6.0
"CABAL Online_is1" = CABAL Online
"CDisplay_is1" = CDisplay 1.8
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"Cheat Engine 5.4_is1" = Cheat Engine 5.4
"Cheat Engine 5.6_is1" = Cheat Engine 5.6
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"CPUID CPU-Z_is1" = CPUID CPU-Z 1.58
"DVDx_is1" = DVDx
"EPSON Printer and Utilities" = EPSON Printer Software
"ffdshow" = ffdshow (remove only)
"Galactic Civilizations II - Ultimate Edition" = Galactic Civilizations II - Ultimate Edition
"HijackThis" = HijackThis 2.0.2
"InstallShield_{0556F885-2415-4666-B53E-33727E46AEA1}" = The Movies™ Stunts & Effects
"InstallShield_{1632FD86-1BA4-4FC4-8B25-A8C655D63F68}" = Sid Meier's Pirates!
"InstallShield_{1F6423DE-7959-4178-80E0-023C7EAA5347}" = NVIDIA ForceWare Network Access Manager
"InstallShield_{27614800-84A9-484E-9CCB-43ED2F1205F5}" = Chessmaster Grandmaster Edition
"InstallShield_{3BD633E0-4BF8-4499-9149-88F0767D449C}" = Call of Duty® 4 - Modern Warfare™ 1.4 Patch
"InstallShield_{8503C901-85D7-4262-88D2-8D8B2A7B08B8}" = Call of Duty® 4 - Modern Warfare™ 1.5 Multiplayer Patch
"InstallShield_{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}" = Call of Duty® 4 - Modern Warfare™ 1.6 Patch
"InstallShield_{931C37FC-594D-43A9-B10F-A2F2B1F03498}" = Call of Duty® 4 - Modern Warfare™ 1.7 Patch
"InstallShield_{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}" = Fable - The Lost Chapters
"JLAdventCalendarLondon2011" = Jacquie Lawson London Advent Calendar
"Kaspersky Online Scanner" = Kaspersky Online Scanner
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Mozilla Firefox 9.0.1 (x86 en-US)" = Mozilla Firefox 9.0.1 (x86 en-US)
"MVPedit_is1" = MVPedit 2006.2
"OpenAL" = OpenAL
"PokerStars" = PokerStars
"ProtectDisc Driver 11" = ProtectDisc Driver, Version 11
"PS3 Media Server" = PS3 Media Server
"PunkBusterSvc" = PunkBuster Services
"QuickPar" = QuickPar 0.9
"RealAlt_is1" = Real Alternative 1.60 Lite
"SmartFTP Client 2.5 Setup Files" = SmartFTP Client 2.5 Setup Files (remove only)
"SmartFTP Client 3.0 Setup Files" = SmartFTP Client 3.0 Setup Files (remove only)
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.5.2.20
"uTorrent" = µTorrent
"VLC media player" = VLC media player 0.9.9
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WIC" = Windows Imaging Component
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"XBCD 360" = XBCD 360 0.2.5
"Xbox_360_CC_Driver" = Xbox 360 Controller for Windows
"Xfire" = Xfire (remove only)
"Xvid_is1" = Xvid 1.2.1 final uninstall
"YTdetect" = Yahoo! Detect

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/20/2012 8:37:00 PM | Computer Name = JACOB | Source = Application Hang | ID = 1002
Description = Hanging application avgui.exe, version 12.0.0.1912, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/21/2012 5:41:43 PM | Computer Name = JACOB | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module ntdll.dll, version 5.1.2600.5512, fault address 0x0000100b.

Error - 2/21/2012 6:08:07 PM | Computer Name = JACOB | Source = Application Error | ID = 1000
Description = Faulting application vlc.exe, version 0.9.9.0, faulting module msvcrt.dll,
version 7.0.2600.5512, fault address 0x000378c0.

Error - 2/21/2012 6:43:21 PM | Computer Name = JACOB | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 9.0.1.4371, faulting module
, version 0.0.0.0, fault address 0x00000000.

Error - 2/21/2012 7:30:51 PM | Computer Name = JACOB | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 9.0.1.4371, faulting module
msvcr80.dll, version 8.0.50727.4053, fault address 0x00048b76.

Error - 2/22/2012 7:53:00 PM | Computer Name = JACOB | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\19318bd7.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 2/22/2012 7:53:10 PM | Computer Name = JACOB | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\19318bd7.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 2/22/2012 7:53:38 PM | Computer Name = JACOB | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\19318bd7.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 2/22/2012 7:53:40 PM | Computer Name = JACOB | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\19318bd7.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 2/22/2012 10:02:33 PM | Computer Name = JACOB | Source = JavaQuickStarterService | ID = 1
Description =

[ System Events ]
Error - 2/22/2012 9:02:43 PM | Computer Name = JACOB | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 2/22/2012 9:03:52 PM | Computer Name = JACOB | Source = Service Control Manager | ID = 7023
Description = The Bcoreusb service terminated with the following error: %%126

Error - 2/22/2012 9:03:52 PM | Computer Name = JACOB | Source = Service Control Manager | ID = 7023
Description = The Enum1394 service terminated with the following error: %%2

Error - 2/22/2012 9:03:52 PM | Computer Name = JACOB | Source = Service Control Manager | ID = 7023
Description = The Epstnt01 service terminated with the following error: %%126

Error - 2/22/2012 9:03:52 PM | Computer Name = JACOB | Source = Service Control Manager | ID = 7023
Description = The Automate6 service terminated with the following error: %%126

Error - 2/22/2012 9:03:52 PM | Computer Name = JACOB | Source = Service Control Manager | ID = 7000
Description = The StarWind AE Service service failed to start due to the following
error: %%2

Error - 2/22/2012 9:03:52 PM | Computer Name = JACOB | Source = Service Control Manager | ID = 7023
Description = The NWFILTER service terminated with the following error: %%126

Error - 2/22/2012 9:03:52 PM | Computer Name = JACOB | Source = Service Control Manager | ID = 7023
Description = The Mvserver service terminated with the following error: %%126

Error - 2/22/2012 9:03:52 PM | Computer Name = JACOB | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 2/22/2012 9:03:52 PM | Computer Name = JACOB | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127


< End of report >

ListParts by Farbar
Ran by jacoba on 23-02-2012 at 06:43:42
Windows XP (X86)
Running From: C:\Documents and Settings\jacoba\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 29%
Total physical RAM: 2814.48 MB
Available physical RAM: 1995.34 MB
Total Pagefile: 5469.65 MB
Available Pagefile: 4776.18 MB
Total Virtual: 2047.88 MB
Available Virtual: 2004.04 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:298.08 GB) (Free:169.96 GB) NTFS ==>[Drive with boot components (Windows XP)]
3 Drive f: (Iomega HDD) (Fixed) (Total:931.51 GB) (Free:284.97 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 932 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 298 GB 32 KB

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 298 GB Healthy System (partition with boot components)

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 932 GB 32 KB

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F Iomega HDD NTFS Partition 932 GB Healthy


****** End Of Log ******

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-23 06:45:07
-----------------------------
06:45:07.062 OS Version: Windows 5.1.2600 Service Pack 3
06:45:07.062 Number of processors: 2 586 0xF06
06:45:07.062 ComputerName: JACOB UserName:
06:45:07.531 Initialize success
06:45:20.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000006f
06:45:20.796 Disk 0 Vendor: ST3320620AS 3.AAE Size: 305245MB BusType: 3
06:45:20.796 Device \Driver\nvata -> MajorFunction 8ad081f8
06:45:20.812 Disk 0 MBR read successfully
06:45:20.812 Disk 0 MBR scan
06:45:20.828 Disk 0 Windows XP default MBR code
06:45:20.828 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305234 MB offset 63
06:45:20.828 Disk 0 scanning sectors +625121280
06:45:20.890 Disk 0 scanning C:\WINDOWS\system32\drivers
06:45:26.500 File: C:\WINDOWS\system32\drivers\i8042prt.sys **SUSPICIOUS**
06:45:30.437 Disk 0 trace - called modules:
06:45:30.468 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xf763afc0]<<
06:45:30.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac2eab8]
06:45:30.484 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> [0x8a814420]
06:45:30.984 \Driver\00003616[0x8a8c45c8] -> IRP_MJ_CREATE -> 0xf763afc0
06:45:30.984 Scan finished successfully
06:45:48.703 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\jacoba\Desktop\MBR.dat"
06:45:48.703 The log file has been saved successfully to "C:\Documents and Settings\jacoba\Desktop\aswMBR.txt"

#5 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 23 February 2012 - 09:27 AM

Hi,

The computer is infected with the latest variant of zeroaccess rootkit, I need to see more info before we can start removing the infection.


:step1: We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy



:step2: Run OTL.
  • Click the None button at the top (Between "Run fix" and "Clean up" button).
  • Copy and Paste the following code into the Custom Scan box.

    /md5start
    WGX.dll
    s716mgmt.dll
    aolavupd.sys
    SiS300i.sys
    i8042prt.sys
    /md5stop
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aolavupd
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SiS300i
    
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a Notepad window.
  • Please copy (Edit->Select All, Edit->Copy) the contents of that file, and post them when you reply.


:step3: Can you please post the resulting log of Combofix located at C:\Combofix.txt.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 
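Step 2's custom scan asks OTL for the MD5 of specific drivers and for two service keys; the block below is an added example, not part of this thread or of OTL, that parses such output, cross-checks each live driver against the ServicePackFiles/dllcache copies OTL lists beside it, and pulls out the services hosted in svchost's netsvcs group. The line layout and the role of each directory are assumptions based on the OTL output posted later in the thread; the NETBT.SYS entries in the sample are constructed.

```python
"""Cross-check an OTL custom-scan log (the /md5start.../md5stop sections and the
service-key dumps). Added example, not OTL's own code; the line layout it parses
is assumed from the output shown in this thread."""
import re
from collections import defaultdict

# One OTL MD5 line (members of a .cab carry no MD5 and are ignored):
# [2008/04/13 23:48:02 | 000,052,480 | ---- | M] (Microsoft Corporation) MD5=4A0B... -- C:\WINDOWS\system32\drivers\i8042prt.sys
MD5_LINE = re.compile(
    r"^\[(?P<stamp>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>\S.*)$")
HEADER = re.compile(r"^<\s*(?P<title>.+?)\s*>$")   # "< MD5 for: X >", "< HKEY_... >", "< End of report >"
VALUE = re.compile(r'^"(?P<key>[^"]+)"\s*=\s*(?P<val>.*)$')
SERVICES_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
# ServicePackFiles and dllcache hold the copies a live XP SP3 driver must match;
# $NtServicePackUninstall$ holds the pre-SP3 build, so it is neither live nor reference.
REFERENCE_DIRS = ("\\servicepackfiles\\i386\\", "\\system32\\dllcache\\")
LIVE_DIRS = ("\\system32\\drivers\\", "\\system32\\")


def classify(path):
    low = path.lower()
    if any(d in low for d in REFERENCE_DIRS):   # dllcache sits under system32: test it first
        return "reference"
    return "live" if any(d in low for d in LIVE_DIRS) else "other"


def parse_otl(log):
    """Return ({file: [(path, md5, company)]}, {service key name: {value name: data}})."""
    md5s, services = defaultdict(list), {}
    section = service = None
    for raw in log.splitlines():
        line = raw.strip()
        head = HEADER.match(line)
        if head:
            title = head.group("title")
            section = service = None
            if title.startswith("MD5 for:"):
                section = title[len("MD5 for:"):].strip().lower()
            elif title.startswith(SERVICES_KEY):
                service = title[len(SERVICES_KEY):]
                services[service] = {}
            continue
        if line.startswith("[HKEY_"):          # "[...\Parameters]" subkey: end of the value list
            service = None
        m = MD5_LINE.match(line)
        if m and section:
            md5s[section].append((m.group("path"), m.group("md5").upper(), m.group("company")))
        v = VALUE.match(line)
        if v and service:
            services[service][v.group("key")] = v.group("val").strip()
    return md5s, services


def verdict(entries):
    """Compare the live copy's MD5 with the reference copies listed for the same file."""
    live = {md5 for path, md5, _ in entries if classify(path) == "live"}
    ref = {md5 for path, md5, _ in entries if classify(path) == "reference"}
    if not live:
        return "no_live_copy"
    if not ref:
        return "no_reference"
    return "match" if live <= ref else "mismatch"


def check_md5s(log):
    md5s, _ = parse_otl(log)
    return {name: verdict(entries) for name, entries in md5s.items()}


def netsvcs_hosted(log):
    """(key name, DisplayName) of services run inside svchost's netsvcs group, for comparison
    with the NetSvcs list and with a known-clean system."""
    _, services = parse_otl(log)
    hosted = [(name, vals.get("DisplayName", "")) for name, vals in services.items()
              if re.search(r"svchost\.exe.*-k netsvcs", vals.get("ImagePath", ""), re.I)]
    return sorted(hosted, key=lambda t: t[0].lower())


# Constructed sample: the I8042PRT.SYS, WGX.DLL and aolavupd entries repeat this thread's OTL
# output; the NETBT.SYS section and its all-1 / all-F MD5s are made up to show a mismatch.
SAMPLE_OTL = r"""< MD5 for: I8042PRT.SYS >
[2008/04/14 04:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:i8042prt.sys
[2008/04/13 23:48:02 | 000,052,480 | ---- | M] (Microsoft Corporation) MD5=4A0B06AA8943C1E332520F7440C0AA30 -- C:\WINDOWS\ServicePackFiles\i386\i8042prt.sys
[2008/04/13 23:48:02 | 000,052,480 | ---- | M] (Microsoft Corporation) MD5=4A0B06AA8943C1E332520F7440C0AA30 -- C:\WINDOWS\system32\drivers\i8042prt.sys
[2004/08/03 17:14:38 | 000,052,736 | ---- | M] (Microsoft Corporation) MD5=5502B58EEF7486EE6F93F3F164DCB808 -- C:\WINDOWS\$NtServicePackUninstall$\i8042prt.sys
< MD5 for: WGX.DLL >
[2008/04/14 04:42:38 | 000,005,632 | ---- | M] (Oak Technology Inc.) MD5=11028C6A84A967070CB1286550F2058F -- C:\WINDOWS\system32\WGX.dll
< MD5 for: NETBT.SYS >
[2008/04/14 04:51:44 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=11111111111111111111111111111111 -- C:\WINDOWS\ServicePackFiles\i386\netbt.sys
[2012/02/20 01:06:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -- C:\WINDOWS\system32\drivers\netbt.sys
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aolavupd >
"Type" = 32
"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs -- [2008/04/14 04:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation)
"DisplayName" = Appnnode
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aolavupd\Parameters]
< End of report >
"""
```

Running `check_md5s(SAMPLE_OTL)` reports i8042prt.sys as a match with its Service Pack copy (the older build under $NtServicePackUninstall$ is deliberately not counted), WGX.dll as having nothing to compare against, and the constructed netbt.sys as a mismatch; `netsvcs_hosted(SAMPLE_OTL)` lists the aolavupd key with its DisplayName for comparison against the NetSvcs list.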


#6 spectr
  • Topic Starter

  • Members
  • 19 posts

Posted 23 February 2012 - 02:23 PM

I'll do 1 and 2 in two hours when I get home, but I'm not sure what to do about your #3. Which log? One of the ones I already posted, or do you want me to run ComboFix again? If so, is that step 3: run ComboFix and post the resulting log? Just want to make sure so I don't make any goofs.

I thought I'd turned teatimer off already before I ran combo last time. :(

#7 spectr
  • Topic Starter

  • Members
  • 19 posts

Posted 23 February 2012 - 04:55 PM

Okay, Teatimer is off.

Here's the OTL scan and I'll post the file that's currently at c:\combofix.txt after:

OTL logfile created on: 2/23/2012 4:50:59 PM - Run 2
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Documents and Settings\jacoba\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.75 Gb Total Physical Memory | 2.04 Gb Available Physical Memory | 74.35% Memory free
5.34 Gb Paging File | 4.76 Gb Available in Paging File | 89.16% Paging File free
Paging file location(s): C:\pagefile.sys 0 0F:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 169.95 Gb Free Space | 57.02% Space Free | Partition Type: NTFS
Drive F: | 931.51 Gb Total Space | 284.97 Gb Free Space | 30.59% Space Free | Partition Type: NTFS

Computer Name: JACOB | User Name: jacoba | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========


< >


< MD5 for: I8042PRT.SYS >
[2008/04/14 04:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:i8042prt.sys
[2008/04/14 04:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:i8042prt.sys
[2008/04/13 23:48:02 | 000,052,480 | ---- | M] (Microsoft Corporation) MD5=4A0B06AA8943C1E332520F7440C0AA30 -- C:\WINDOWS\ServicePackFiles\i386\i8042prt.sys
[2008/04/13 23:48:02 | 000,052,480 | ---- | M] (Microsoft Corporation) MD5=4A0B06AA8943C1E332520F7440C0AA30 -- C:\WINDOWS\system32\drivers\i8042prt.sys
[2004/08/03 17:14:38 | 000,052,736 | ---- | M] (Microsoft Corporation) MD5=5502B58EEF7486EE6F93F3F164DCB808 -- C:\WINDOWS\$NtServicePackUninstall$\i8042prt.sys

< MD5 for: S716MGMT.DLL >
[2008/04/14 04:42:38 | 000,005,632 | ---- | M] (Oak Technology Inc.) MD5=11028C6A84A967070CB1286550F2058F -- C:\WINDOWS\system32\s716mgmt.dll

< MD5 for: WGX.DLL >
[2008/04/14 04:42:38 | 000,005,632 | ---- | M] (Oak Technology Inc.) MD5=11028C6A84A967070CB1286550F2058F -- C:\WINDOWS\system32\WGX.dll

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aolavupd >
"Type" = 32
"Start" = 2
"ErrorControl" = 0
"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs -- [2008/04/14 04:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation)
"DisplayName" = Appnnode
"ObjectName" = LocalSystem
"Description" = Appnnode

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aolavupd\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aolavupd\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aolavupd\Enum]

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SiS300i >
"Type" = 32
"Start" = 2
"ErrorControl" = 0
"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs -- [2008/04/14 04:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation)
"DisplayName" = MRESP50
"ObjectName" = LocalSystem
"Description" = MRESP50

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SiS300i\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SiS300i\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SiS300i\Enum]

< End of report >


ComboFix 12-02-19.02 - jacoba 02/22/2012 21:54:33.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2326 [GMT -5:00]
Running from: c:\documents and settings\jacoba\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB33577$\2273502865
c:\windows\$NtUninstallKB33577$\596877498\@
c:\windows\$NtUninstallKB33577$\596877498\cfg.ini
c:\windows\$NtUninstallKB33577$\596877498\Desktop.ini
c:\windows\$NtUninstallKB33577$\596877498\L\pgwjieic
c:\windows\TEMP\jna6254635194563666171.dll
.
Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2012-01-23 to 2012-02-23 )))))))))))))))))))))))))))))))
.
.
2012-02-23 03:09 . 2008-04-14 05:45 64512 -c--a-w- c:\windows\system32\dllcache\serial.sys
2012-02-23 03:09 . 2008-04-14 05:45 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2012-02-23 02:49 . 2008-04-14 04:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-23 02:02 . 2008-04-14 04:53 129535 -c--a-w- c:\windows\system32\dllcache\slnt7554.sys
2012-02-23 02:02 . 2008-04-14 04:53 129535 ----a-w- c:\windows\system32\drivers\slnt7554.sys
2012-02-23 02:02 . 2008-04-14 03:04 63663 -c--a-w- c:\windows\system32\dllcache\ati1rvxx.sys
2012-02-23 02:02 . 2008-04-14 03:04 63663 ----a-w- c:\windows\system32\drivers\ati1rvxx.sys
2012-02-23 02:02 . 2008-04-14 03:04 26367 -c--a-w- c:\windows\system32\dllcache\ati1snxx.sys
2012-02-23 02:02 . 2008-04-14 03:04 26367 ----a-w- c:\windows\system32\drivers\ati1snxx.sys
2012-02-23 02:02 . 2008-04-14 03:04 29455 -c--a-w- c:\windows\system32\dllcache\ati1xbxx.sys
2012-02-23 02:02 . 2008-04-14 03:04 29455 ----a-w- c:\windows\system32\drivers\ati1xbxx.sys
2012-02-23 01:13 . 2008-04-14 04:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-22 23:53 . 2012-02-22 23:53 -------- d-----w- c:\documents and settings\Administrator.JACOB\Application Data\StreamTorrent
2012-02-21 21:43 . 2012-02-21 21:43 -------- d-----w- C:\$AVG
2012-02-21 00:29 . 2012-02-21 00:29 388096 ----a-r- c:\documents and settings\jacoba\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-02-21 00:07 . 2012-02-21 00:10 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-02-20 23:55 . 2012-02-20 23:55 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-02-20 23:54 . 2012-02-23 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-02-20 23:53 . 2012-02-20 23:53 -------- d-----w- c:\program files\AVG
2012-02-20 23:50 . 2012-02-23 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-02-20 19:59 . 2012-02-20 19:59 -------- d-----w- c:\documents and settings\Administrator.JACOB\Application Data\Malwarebytes
2012-02-20 17:34 . 2012-02-20 17:34 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Maxthon3
2012-02-20 06:11 . 2012-02-23 01:02 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-20 01:06 . 2012-02-20 01:06 -------- d-----w- c:\program files\47869
2012-02-20 01:06 . 2012-02-20 01:06 -------- d-----w- c:\documents and settings\jacoba\Application Data\DC747
2012-02-04 19:14 . 2012-02-04 19:14 53248 ----a-r- c:\documents and settings\jacoba\Application Data\Microsoft\Installer\{12BAA98C-F8DD-4BC9-BBE6-1C8463114197}\ARPPRODUCTICON.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-29 05:51 . 2011-12-29 05:51 1409 ----a-w- c:\windows\QTFont.for
2011-12-10 20:24 . 2010-01-25 19:17 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 00:01 . 2011-11-30 00:01 49152 ----a-r- c:\documents and settings\jacoba\Application Data\Microsoft\Installer\{C109AF5B-69D0-4C93-B360-F28D9FAB6084}\NewShortcut1_C109AF5B69D04C93B360F28D9FAB6084.exe
2011-11-29 23:53 . 2011-11-29 23:53 49152 ----a-r- c:\documents and settings\jacoba\Application Data\Microsoft\Installer\{502499DC-2EDB-45A2-8F7C-83E6E5DE067E}\NewShortcut1_502499DC2EDB45A28F7C83E6E5DE067E.exe
2011-11-29 23:18 . 2011-11-29 23:19 1174979 ----a-w- c:\windows\apppatch\unins000.exe
2012-01-07 15:10 . 2011-05-08 14:22 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-23_02.03.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-23 03:08 . 2012-02-23 03:08 16384 c:\windows\TEMP\Perflib_Perfdata_488.dat
+ 2012-02-23 03:09 . 2012-02-23 03:09 349255 c:\windows\TEMP\jna2314701077555388171.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-03-21 208952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"EPSON Stylus C62 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE" [2002-04-10 74240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-21 7774208]
"nwiz"="nwiz.exe" [2006-12-21 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-21 81920]
"RTHDCPL"="RTHDCPL.EXE" [2009-11-02 18782720]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-10 98304]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE7-11"="advpack.dll" [2007-03-21 124928]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\EA SPORTS\\MVP Baseball 2005\\mvp2005.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 08\\Updater.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Utorrent\\utorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/3/2007 11:05 PM 691696]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [4/2/2009 10:19 AM 33824]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2/24/2010 5:22 AM 185472]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [9/16/2011 3:51 PM 21992]
R2 PS3 Media Server;PS3 Media Server;c:\program files\PS3 Media Server\win32\service\wrapper.exe [5/17/2011 2:27 AM 366872]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/17/2009 9:23 AM 1684736]
S3 ByakkoDriver;ByakkoDriver;\??\c:\program files\CABAL Online (US)\Byakko.K32 --> c:\program files\CABAL Online (US)\Byakko.K32 [?]
S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [1/11/2010 1:21 PM 11264]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2/20/2012 7:07 PM 24064]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 Pcouffin;Low level access layer for CD devices;c:\windows\system32\Drivers\Pcouffin.sys --> c:\windows\system32\Drivers\Pcouffin.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
USBDongle
InterBaseServer
ahcix86s
agnwifi
vmauthdservice
interactivelogon
se44bus
raidmsvr
wstcodec
aolavupd
SiS300i
webrootcommagentservice
MSCamSvc
CX23880
SNMP
msfwsvc
O2SCBUS
rnadirectory
eelogsvc
eskerlicensecontrol
ccispwdsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-261903793-839522115-1003Core.job
- c:\documents and settings\jacoba\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-11 22:50]
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-261903793-839522115-1003UA.job
- c:\documents and settings\jacoba\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-11 22:50]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\jacoba\Application Data\Mozilla\Firefox\Profiles\cd1fcmie.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-22 22:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB33577$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ByakkoDriver]
"ImagePath"="\??\c:\program files\CABAL Online (US)\Byakko.K32"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(2148)
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\PnkBstrA.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\windows\system32\java.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2012-02-22 22:13:02 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-23 03:13
ComboFix2.txt 2012-02-23 02:46
ComboFix3.txt 2012-02-23 02:07
ComboFix4.txt 2008-06-07 21:55
.
Pre-Run: 182,476,177,408 bytes free
Post-Run: 182,462,820,352 bytes free
.
- - End Of File - - 63A9E9DC4FEE8921E7F0388BE0AFBFCD

Hopefully I did that right and thanks for all the help. :D

#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:08:01 AM

Posted 23 February 2012 - 08:51 PM

Thanks, please delete your copy of Combofix (do not uninstall) and then download/run a new copy.


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

Posted Image


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#9 spectr

spectr
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:01 PM

Posted 23 February 2012 - 10:09 PM

So combofix went just like the previous times. It says rootkit.zeroaccess, but it freezes when I get to the "windows is shutting down" screen and eventually I have to manually re-boot it. I'm as certain as I can be that there's no more anti-virus running. I have mbam and hijackthis on here, but they don't run processes unless I run them actively, do they? teatimer is off. I uninstalled the avg trial before my second post and the windows anti-virus and firewall are turned off, and that's it as far as I know for anti-virus that has ever been on my computer.

Anyway, here's the latest combofix log:

ComboFix 12-02-23.02 - jacoba 02/23/2012 21:44:43.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2352 [GMT -5:00]
Running from: c:\documents and settings\jacoba\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB33577$\3038753316
c:\windows\$NtUninstallKB33577$\596877498\@
c:\windows\$NtUninstallKB33577$\596877498\cfg.ini
c:\windows\$NtUninstallKB33577$\596877498\Desktop.ini
c:\windows\$NtUninstallKB33577$\596877498\L\pgwjieic
c:\windows\$NtUninstallKB33577$\596877498\oemid
c:\windows\$NtUninstallKB33577$\596877498\U\00000001.@
c:\windows\$NtUninstallKB33577$\596877498\U\00000002.@
c:\windows\$NtUninstallKB33577$\596877498\U\00000004.@
c:\windows\$NtUninstallKB33577$\596877498\U\80000000.@
c:\windows\$NtUninstallKB33577$\596877498\U\80000004.@
c:\windows\$NtUninstallKB33577$\596877498\U\80000032.@
c:\windows\$NtUninstallKB33577$\596877498\version
c:\windows\TEMP\jna5864479413868799965.dll
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2012-01-24 to 2012-02-24 )))))))))))))))))))))))))))))))
.
.
2012-02-24 02:37 . 2008-04-14 04:49 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-24 02:23 . 2008-04-14 05:10 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2012-02-24 02:23 . 2008-04-14 05:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-24 02:06 . 2008-04-14 05:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-02-23 03:09 . 2008-04-14 05:45 64512 -c--a-w- c:\windows\system32\dllcache\serial.sys
2012-02-23 03:09 . 2008-04-14 05:45 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2012-02-23 02:49 . 2008-04-14 04:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-23 02:02 . 2008-04-14 04:53 129535 -c--a-w- c:\windows\system32\dllcache\slnt7554.sys
2012-02-23 02:02 . 2008-04-14 04:53 129535 ----a-w- c:\windows\system32\drivers\slnt7554.sys
2012-02-23 02:02 . 2008-04-14 03:04 63663 -c--a-w- c:\windows\system32\dllcache\ati1rvxx.sys
2012-02-23 02:02 . 2008-04-14 03:04 63663 ----a-w- c:\windows\system32\drivers\ati1rvxx.sys
2012-02-23 02:02 . 2008-04-14 03:04 26367 -c--a-w- c:\windows\system32\dllcache\ati1snxx.sys
2012-02-23 02:02 . 2008-04-14 03:04 26367 ----a-w- c:\windows\system32\drivers\ati1snxx.sys
2012-02-23 02:02 . 2008-04-14 03:04 29455 -c--a-w- c:\windows\system32\dllcache\ati1xbxx.sys
2012-02-23 02:02 . 2008-04-14 03:04 29455 ----a-w- c:\windows\system32\drivers\ati1xbxx.sys
2012-02-22 23:53 . 2012-02-22 23:53 -------- d-----w- c:\documents and settings\Administrator.JACOB\Application Data\StreamTorrent
2012-02-21 21:43 . 2012-02-21 21:43 -------- d-----w- C:\$AVG
2012-02-21 00:29 . 2012-02-21 00:29 388096 ----a-r- c:\documents and settings\jacoba\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-02-21 00:07 . 2012-02-21 00:10 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-02-20 23:55 . 2012-02-20 23:55 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-02-20 23:54 . 2012-02-23 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-02-20 23:53 . 2012-02-20 23:53 -------- d-----w- c:\program files\AVG
2012-02-20 23:50 . 2012-02-23 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-02-20 19:59 . 2012-02-20 19:59 -------- d-----w- c:\documents and settings\Administrator.JACOB\Application Data\Malwarebytes
2012-02-20 17:34 . 2012-02-20 17:34 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Maxthon3
2012-02-20 06:11 . 2012-02-24 02:34 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-20 01:06 . 2012-02-20 01:06 -------- d-----w- c:\program files\47869
2012-02-20 01:06 . 2012-02-20 01:06 -------- d-----w- c:\documents and settings\jacoba\Application Data\DC747
2012-02-04 19:14 . 2012-02-04 19:14 53248 ----a-r- c:\documents and settings\jacoba\Application Data\Microsoft\Installer\{12BAA98C-F8DD-4BC9-BBE6-1C8463114197}\ARPPRODUCTICON.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-29 05:51 . 2011-12-29 05:51 1409 ----a-w- c:\windows\QTFont.for
2011-12-10 20:24 . 2010-01-25 19:17 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 00:01 . 2011-11-30 00:01 49152 ----a-r- c:\documents and settings\jacoba\Application Data\Microsoft\Installer\{C109AF5B-69D0-4C93-B360-F28D9FAB6084}\NewShortcut1_C109AF5B69D04C93B360F28D9FAB6084.exe
2011-11-29 23:53 . 2011-11-29 23:53 49152 ----a-r- c:\documents and settings\jacoba\Application Data\Microsoft\Installer\{502499DC-2EDB-45A2-8F7C-83E6E5DE067E}\NewShortcut1_502499DC2EDB45A28F7C83E6E5DE067E.exe
2011-11-29 23:18 . 2011-11-29 23:19 1174979 ----a-w- c:\windows\apppatch\unins000.exe
2012-01-07 15:10 . 2011-05-08 14:22 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\erdnt\cache\ipsec.sys
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ipsec.sys
[7] 2004-08-03 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
.
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\erdnt\cache\ipsec.sys
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ipsec.sys
[7] 2004-08-03 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
.
.
c:\windows\System32\drivers\ipsec.sys ... is missing !!
c:\windows\System32\drivers\ipsec.sys ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2012-02-23_02.03.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-24 02:44 . 2012-02-24 02:44 16384 c:\windows\TEMP\Perflib_Perfdata_290.dat
+ 2004-08-03 22:14 . 2008-04-14 05:48 52480 c:\windows\system32\dllcache\i8042prt.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-03-21 208952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"EPSON Stylus C62 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE" [2002-04-10 74240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-21 7774208]
"nwiz"="nwiz.exe" [2006-12-21 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-21 81920]
"RTHDCPL"="RTHDCPL.EXE" [2009-11-02 18782720]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-10 98304]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE7-11"="advpack.dll" [2007-03-21 124928]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\EA SPORTS\\MVP Baseball 2005\\mvp2005.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 08\\Updater.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Utorrent\\utorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/3/2007 11:05 PM 691696]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [4/2/2009 10:19 AM 33824]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2/24/2010 5:22 AM 185472]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [9/16/2011 3:51 PM 21992]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 PS3 Media Server;PS3 Media Server;c:\program files\PS3 Media Server\win32\service\wrapper.exe [5/17/2011 2:27 AM 366872]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/17/2009 9:23 AM 1684736]
S3 ByakkoDriver;ByakkoDriver;\??\c:\program files\CABAL Online (US)\Byakko.K32 --> c:\program files\CABAL Online (US)\Byakko.K32 [?]
S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [1/11/2010 1:21 PM 11264]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2/20/2012 7:07 PM 24064]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 Pcouffin;Low level access layer for CD devices;c:\windows\system32\Drivers\Pcouffin.sys --> c:\windows\system32\Drivers\Pcouffin.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
USBDongle
InterBaseServer
ahcix86s
agnwifi
vmauthdservice
interactivelogon
se44bus
raidmsvr
wstcodec
aolavupd
SiS300i
webrootcommagentservice
MSCamSvc
CX23880
SNMP
msfwsvc
O2SCBUS
rnadirectory
eelogsvc
eskerlicensecontrol
ccispwdsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-261903793-839522115-1003Core.job
- c:\documents and settings\jacoba\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-11 22:50]
.
2012-02-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-261903793-839522115-1003UA.job
- c:\documents and settings\jacoba\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-11 22:50]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\jacoba\Application Data\Mozilla\Firefox\Profiles\cd1fcmie.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-23 21:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB33577$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ByakkoDriver]
"ImagePath"="\??\c:\program files\CABAL Online (US)\Byakko.K32"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(4044)
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-02-23 21:58:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-24 02:58
ComboFix2.txt 2012-02-24 02:26
ComboFix3.txt 2012-02-23 02:46
ComboFix4.txt 2012-02-23 02:07
ComboFix5.txt 2012-02-24 02:36
.
Pre-Run: 182,873,452,544 bytes free
Post-Run: 182,859,063,296 bytes free
.
- - End Of File - - 679DE99259D4E4CC1B04DD50801C122A
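The ComboFix logs posted in this thread share a fixed layout: an "Other Deletions" list (here, numbered folders under c:\windows\$NtUninstallKB33577$ holding an "@" file and U\*.@ entries), "Infected copy of ... was found and disinfected" lines, and a Sigcheck table whose "[-]" rows carry no version string. As an added example, not part of this thread or of ComboFix itself, the following Python script parses those three sections from a constructed excerpt modelled on the logs above and flags the on-disk driver whose MD5 matches none of the versioned copies of the same file name; the section markers and row layout are taken from the logs, and everything else (function names, the sample text) is this example's own.

```python
"""Triage helper for ComboFix-style log text (added example, not a ComboFix tool)."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the logs quoted in this thread (not a real capture).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\$NtUninstallKB33577$\2944112543
c:\windows\$NtUninstallKB33577$\596877498\@
c:\windows\$NtUninstallKB33577$\596877498\U\00000001.@
c:\windows\$NtUninstallKB33577$\596877498\U\80000032.@
c:\windows\TEMP\jna5864479413868799965.dll
.
Infected copy of c:\windows\system32\drivers\mrxsmb.sys was found and disinfected
.
------- Sigcheck -------
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys
[-] 2008-04-14 04:49 . 19DD19FB992D6BF67811913B6FEAE577 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
[7] 2004-08-03 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
[-] 2008-04-14 04:49 . 19DD19FB992D6BF67811913B6FEAE577 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
"""

SIGCHECK_RE = re.compile(  # [mark] date[ time] . MD5 . size . . [version] . . path
    r"^\[(?P<mark>[^\]]+)\]\s+(?P<stamp>\S+(?:\s+\d{2}:\d{2})?)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+)$")
INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected", re.IGNORECASE)
# Numbered subfolder inside a $NtUninstallKB*$ directory, as in the deletions above.
UNINSTALL_DIR_RE = re.compile(r"\\\$NtUninstallKB\d+\$\\(\d+)(?:\\|$)", re.IGNORECASE)

def parse_sigcheck(text):
    """One dict per Sigcheck row, de-duplicated on (path, md5) since ComboFix prints the block twice."""
    entries, seen = [], set()
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        key = (d["path"].lower(), d["md5"].upper())
        if key in seen:
            continue
        seen.add(key)
        d["size"] = int(d["size"])
        d["name"] = d["path"].rsplit("\\", 1)[-1].lower()
        entries.append(d)
    return entries

def suspicious_drivers(entries):
    """Flag '[-]' rows whose MD5 matches no versioned copy of the same file name."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    flagged = []
    for copies in by_name.values():
        known = sorted({c["md5"].upper() for c in copies if c["mark"] != "-"})
        for c in copies:
            if c["mark"] == "-" and c["md5"].upper() not in known:
                flagged.append({"path": c["path"], "md5": c["md5"].upper(), "known_good": known})
    return flagged

def disinfected_files(text):
    """Paths reported as 'Infected copy of ... was found and disinfected'."""
    hits = []
    for line in text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            hits.append(m.group(1))
    return hits

def parse_deletions(text):
    """Paths under 'Other Deletions'; stops at the first non-path, non-'.' line."""
    paths, in_section = [], False
    for line in text.splitlines():
        s = line.strip()
        if "Other Deletions" in s:
            in_section = True
        elif in_section and s not in (".", ""):
            if re.match(r"^[a-zA-Z]:\\", s):
                paths.append(s)
            else:
                break
    return paths

def hidden_uninstall_dirs(paths):
    """Group deleted paths by numbered $NtUninstallKB*$ subfolder -> sorted entries
    beneath it ('' means the numbered entry itself had nothing beneath it)."""
    groups = defaultdict(set)
    for p in paths:
        m = UNINSTALL_DIR_RE.search(p)
        if m:
            groups[m.group(1)].add(p[m.end():])
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    print("disinfected:", disinfected_files(SAMPLE_LOG))
    print("hidden dirs:", hidden_uninstall_dirs(parse_deletions(SAMPLE_LOG)))
    print("unverified drivers:", suspicious_drivers(parse_sigcheck(SAMPLE_LOG)))
```

A mismatch between the active driver and every versioned copy is a reason to compare against known-good media, not proof of infection on its own, as the log's own note on unsigned files says.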

#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:08:01 AM

Posted 24 February 2012 - 12:05 AM

We need to execute a ComboFix script.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy-paste the text in the code box below into it:

KillAll::

Rootkit::
C:\WINDOWS\system32\WGX.dll
C:\WINDOWS\system32\s716mgmt.dll

NetSvc::
aolavupd
SiS300i

Driver::
aolavupd
SiS300i

ClearJavaCache::


4. Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you which I will require in your next reply.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#11 spectr

spectr
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:01 PM

Posted 24 February 2012 - 08:18 AM

This didn't go well, I don't think. I dragged the script into combofix and it started to run as usual. This time it hung at my wallpaper instead of at the windows splash screen. I left it a long time and eventually manually rebooted. When it re-booted and ran its scan or fix, the desktop icons and toolbar were visible, where usually on that run it's just my wallpaper. Then it froze at the wallpaper (icons are gone, just the wallpaper) again and I had to manually re-boot from there. When it started up again it produced the log, but I can no longer access the net. My local area connection says connected but the status shows 0's in and out, so I stuck the log on a flash drive and I'm posting it from work 'cause I didn't want to mess around trying to fix anything in case this was in any way intentional (although I think it's probably a byproduct of my manual reboots that it says you shouldn't do, but I didn't know what else to do if it just freezes). Anyway, here's the log. Hopefully you can tell me the next step before I leave work, because I don't want to mess with the computer to make it connected again unless I get the go-ahead from you, and if not that means I won't be able to check anything until Monday.

ComboFix 12-02-23.02 - jacoba 02/24/2012 6:52.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2345 [GMT -5:00]
Running from: c:\documents and settings\jacoba\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jacoba\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB33577$\2944112543
c:\windows\$NtUninstallKB33577$\596877498\@
c:\windows\$NtUninstallKB33577$\596877498\cfg.ini
c:\windows\$NtUninstallKB33577$\596877498\Desktop.ini
c:\windows\$NtUninstallKB33577$\596877498\L\pgwjieic
c:\windows\$NtUninstallKB33577$\596877498\U\00000001.@
c:\windows\$NtUninstallKB33577$\596877498\U\00000002.@
c:\windows\$NtUninstallKB33577$\596877498\U\00000004.@
c:\windows\$NtUninstallKB33577$\596877498\U\80000000.@
c:\windows\$NtUninstallKB33577$\596877498\U\80000004.@
c:\windows\$NtUninstallKB33577$\596877498\U\80000032.@
c:\windows\$NtUninstallKB33577$\596877498\version
.
Infected copy of c:\windows\system32\drivers\mrxsmb.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AOLAVUPD
-------\Legacy_SIS300I
-------\Service_aolavupd
-------\Service_SiS300i
.
.
((((((((((((((((((((((((( Files Created from 2012-01-24 to 2012-02-24 )))))))))))))))))))))))))))))))
.
.
2012-02-24 11:44 . 2008-04-14 04:47 456576 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-02-24 02:37 . 2008-04-14 04:49 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-24 02:23 . 2008-04-14 05:10 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2012-02-24 02:23 . 2008-04-14 05:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-24 02:06 . 2008-04-14 05:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-02-23 03:09 . 2008-04-14 05:45 64512 -c--a-w- c:\windows\system32\dllcache\serial.sys
2012-02-23 03:09 . 2008-04-14 05:45 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2012-02-23 02:49 . 2008-04-14 04:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-23 02:02 . 2008-04-14 04:53 129535 -c--a-w- c:\windows\system32\dllcache\slnt7554.sys
2012-02-23 02:02 . 2008-04-14 03:04 63663 -c--a-w- c:\windows\system32\dllcache\ati1rvxx.sys
2012-02-23 02:02 . 2008-04-14 03:04 26367 -c--a-w- c:\windows\system32\dllcache\ati1snxx.sys
2012-02-23 02:02 . 2008-04-14 03:04 29455 -c--a-w- c:\windows\system32\dllcache\ati1xbxx.sys
2012-02-22 23:53 . 2012-02-22 23:53 -------- d-----w- c:\documents and settings\Administrator.JACOB\Application Data\StreamTorrent
2012-02-21 21:43 . 2012-02-21 21:43 -------- d-----w- C:\$AVG
2012-02-21 00:29 . 2012-02-21 00:29 388096 ----a-r- c:\documents and settings\jacoba\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-02-21 00:07 . 2012-02-21 00:10 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-02-20 23:55 . 2012-02-20 23:55 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-02-20 23:54 . 2012-02-23 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-02-20 23:53 . 2012-02-20 23:53 -------- d-----w- c:\program files\AVG
2012-02-20 23:50 . 2012-02-23 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-02-20 19:59 . 2012-02-20 19:59 -------- d-----w- c:\documents and settings\Administrator.JACOB\Application Data\Malwarebytes
2012-02-20 17:34 . 2012-02-20 17:34 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Maxthon3
2012-02-20 06:11 . 2012-02-24 11:32 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-20 01:06 . 2012-02-20 01:06 -------- d-----w- c:\program files\47869
2012-02-20 01:06 . 2012-02-20 01:06 -------- d-----w- c:\documents and settings\jacoba\Application Data\DC747
2012-02-04 19:14 . 2012-02-04 19:14 53248 ----a-r- c:\documents and settings\jacoba\Application Data\Microsoft\Installer\{12BAA98C-F8DD-4BC9-BBE6-1C8463114197}\ARPPRODUCTICON.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-29 05:51 . 2011-12-29 05:51 1409 ----a-w- c:\windows\QTFont.for
2011-12-10 20:24 . 2010-01-25 19:17 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 00:01 . 2011-11-30 00:01 49152 ----a-r- c:\documents and settings\jacoba\Application Data\Microsoft\Installer\{C109AF5B-69D0-4C93-B360-F28D9FAB6084}\NewShortcut1_C109AF5B69D04C93B360F28D9FAB6084.exe
2011-11-29 23:53 . 2011-11-29 23:53 49152 ----a-r- c:\documents and settings\jacoba\Application Data\Microsoft\Installer\{502499DC-2EDB-45A2-8F7C-83E6E5DE067E}\NewShortcut1_502499DC2EDB45A28F7C83E6E5DE067E.exe
2011-11-29 23:18 . 2011-11-29 23:19 1174979 ----a-w- c:\windows\apppatch\unins000.exe
2012-01-07 15:10 . 2011-05-08 14:22 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\erdnt\cache\ipsec.sys
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys
[-] 2008-04-14 04:49 . 19DD19FB992D6BF67811913B6FEAE577 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
[7] 2004-08-03 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-23_02.03.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-03 22:14 . 2008-04-14 05:48 52480 c:\windows\system32\dllcache\i8042prt.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-03-21 208952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"EPSON Stylus C62 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE" [2002-04-10 74240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-21 7774208]
"nwiz"="nwiz.exe" [2006-12-21 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-21 81920]
"RTHDCPL"="RTHDCPL.EXE" [2009-11-02 18782720]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-10 98304]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE7-11"="advpack.dll" [2007-03-21 124928]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\EA SPORTS\\MVP Baseball 2005\\mvp2005.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 08\\Updater.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Utorrent\\utorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/3/2007 11:05 PM 691696]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [4/2/2009 10:19 AM 33824]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2/24/2010 5:22 AM 185472]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [9/16/2011 3:51 PM 21992]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 PS3 Media Server;PS3 Media Server;c:\program files\PS3 Media Server\win32\service\wrapper.exe [5/17/2011 2:27 AM 366872]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/17/2009 9:23 AM 1684736]
S3 ByakkoDriver;ByakkoDriver;\??\c:\program files\CABAL Online (US)\Byakko.K32 --> c:\program files\CABAL Online (US)\Byakko.K32 [?]
S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [1/11/2010 1:21 PM 11264]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2/20/2012 7:07 PM 24064]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 Pcouffin;Low level access layer for CD devices;c:\windows\system32\Drivers\Pcouffin.sys --> c:\windows\system32\Drivers\Pcouffin.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
USBDongle
InterBaseServer
ahcix86s
agnwifi
vmauthdservice
interactivelogon
se44bus
raidmsvr
wstcodec
webrootcommagentservice
MSCamSvc
CX23880
SNMP
msfwsvc
O2SCBUS
rnadirectory
eelogsvc
eskerlicensecontrol
ccispwdsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-261903793-839522115-1003Core.job
- c:\documents and settings\jacoba\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-11 22:50]
.
2012-02-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-261903793-839522115-1003UA.job
- c:\documents and settings\jacoba\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-11 22:50]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\jacoba\Application Data\Mozilla\Firefox\Profiles\cd1fcmie.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-24 07:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB33577$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ByakkoDriver]
"ImagePath"="\??\c:\program files\CABAL Online (US)\Byakko.K32"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(2892)
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-02-24 07:09:50 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-24 12:09
ComboFix2.txt 2012-02-24 02:58
ComboFix3.txt 2012-02-24 02:26
ComboFix4.txt 2012-02-23 02:46
ComboFix5.txt 2012-02-24 11:42
.
Pre-Run: 182,802,661,376 bytes free
Post-Run: 182,826,536,960 bytes free
.
- - End Of File - - 5CDE9405A2B4DB11CA3984EA69F54693

#12 sempai (Malware Response Team)

Posted 24 February 2012 - 09:03 AM

Hi,

Another driver was patched again by the infection; this is the reason why you can no longer connect to the internet. The next fix is intended to correct this issue, so we're expecting that you can connect to the internet afterward.


:step1: Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scan/Fixes text box.

    :Files
    ipconfig /flushdns /c
    c:\windows\system32\drivers\ipsec.sys|c:\windows\$NtServicePackUninstall$\ipsec.sys /replace
    rmdir C:\Windows\$NtUninstallKB33577$ /c
    
    :Commands
    [CREATERESTOREPOINT] 
    [REBOOT] 
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • A message box "Fix complete! Click OK to open the fix log." will pop up.
  • Click the OK button and a report will open.
  • Copy and Paste that report in your next reply.


:step2: Run OTL.
  • Click the None button at the top (Between "Run fix" and "Clean up" button).
  • Copy and Paste the following code into the Custom Scan box.

    /md5start
    ipsec.sys
    /md5stop
    netsvcs
    c:\windows\*. /SL
    c:\windows\*. /RP
    
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a Notepad window.
  • Please copy (Edit->Select All, Edit->Copy) the contents of that file, and post them when you reply.

~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)
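The Sigcheck block in the ComboFix log above tells the story of this infection in five lines: the live c:\windows\system32\drivers\ipsec.sys has the same size (75264 bytes) and the same on-disk date as the copies in dllcache, ServicePackFiles and the ERDNT cache, but a different MD5, which is what a driver patched in place looks like (a genuine update almost always changes the size as well). The OTL script in this post swaps in a known-good copy, and the /md5start scan afterwards repeats the comparison. The following is an added example, not code from ComboFix, OTL or either poster: it parses Sigcheck-format lines, flags live drivers whose hash differs from a protected copy of identical size, and can build the same records from files on disk. The pre-fix sample is the page's own ipsec.sys lines; the post-fix sample is constructed from the OTL /md5start output, with the flag and version columns assumed since OTL does not print them.

```python
"""Added example: spot a driver patched in place by comparing the live copy's
MD5 against Windows' own protected copies (dllcache, ServicePackFiles, the
ERDNT cache). Not code from ComboFix or OTL; it re-does the check they print."""
import hashlib
import os
import re
from collections import defaultdict

# One ComboFix Sigcheck line has the shape (fields separated by " . "):
#   [7] 2008-04-14 . <MD5> . <size> . . [<version>] . . <path>
# "[7]" marks a copy ComboFix could verify, "[-]" one it could not; as the
# log's own note says, an unverified file is not by itself proof of malware.
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?"
    r"\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Directories Windows File Protection keeps pristine copies in. A copy under
# $NtServicePackUninstall$ is deliberately NOT a reference: it is the previous
# service pack's build, so its size and hash legitimately differ.
REFERENCE_DIRS = ("\\dllcache\\", "\\servicepackfiles\\", "\\erdnt\\")
LIVE_DIR = "\\system32\\drivers\\"


def parse_sigcheck(text):
    """Parse Sigcheck lines into dicts; lines in any other format are skipped."""
    records = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            rec["path"] = rec["path"].lower()
            records.append(rec)
    return records


def find_patched_drivers(records):
    """One finding per live driver whose MD5 differs from a reference copy of
    identical size: same size + different hash is the in-place-patch signature."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[os.path.basename(rec["path"].replace("\\", "/"))].append(rec)
    findings = []
    for name, copies in by_name.items():
        live = [c for c in copies if LIVE_DIR in c["path"]]
        refs = [c for c in copies if any(d in c["path"] for d in REFERENCE_DIRS)]
        for l in live:
            for r in refs:
                if r["size"] == l["size"] and r["md5"] != l["md5"]:
                    findings.append({"driver": name, "live": l["path"],
                                     "live_md5": l["md5"], "reference": r["path"],
                                     "reference_md5": r["md5"], "size": l["size"]})
                    break
    return findings


def md5_of(path, chunk=1 << 20):
    """MD5 of a file on disk, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def records_from_disk(paths):
    """Sigcheck-style records for files present on this machine, so the same
    comparison runs without ComboFix (meant to be run on the affected box)."""
    return [{"flag": "?", "date": "", "md5": md5_of(p), "size": os.path.getsize(p),
             "version": "", "path": p.lower()}
            for p in paths if os.path.isfile(p)]


# Constructed sample: the five ipsec.sys lines from the ComboFix log, before the fix.
SAMPLE_BEFORE = r"""
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\erdnt\cache\ipsec.sys
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys
[-] 2008-04-14 04:49 . 19DD19FB992D6BF67811913B6FEAE577 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
[7] 2004-08-03 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
"""

# Constructed sample: the same files as reported by OTL's /md5start scan after
# the /replace, rewritten in Sigcheck format (flag and version columns assumed).
SAMPLE_AFTER = r"""
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\erdnt\cache\ipsec.sys
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[7] 2004-08-03 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
[7] 2004-08-03 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ipsec.sys
[7] 2004-08-03 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ipsec.sys
"""
```

Run against the pre-fix sample it reports exactly one finding, ipsec.sys in system32\drivers with MD5 19DD19FB... against the reference 23C74D75...; against the post-fix sample it reports nothing. Two caveats worth keeping in mind: a clean result only says the live file matches a protected copy of the same size, and after the /replace in this thread that copy is the 2004 build (74752 bytes) rather than the Service Pack 3 build still sitting in ServicePackFiles, so "not patched" is not the same as "current". And malware that patches the dllcache copy as well would fool a size-and-hash comparison, which is why the [7]/[-] verification flags and a scan from clean media remain the stronger checks.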


#13 spectr (Topic Starter)

Posted 24 February 2012 - 09:20 AM

Excellent. Thanks so much for the quick response. I'll print out your post and save it to my flash drive too. I'll run it as soon as I'm home and post the log (about 7 hours from now until I'm home, so in about 8 hours I'm guessing).

#14 sempai (Malware Response Team)

Posted 24 February 2012 - 09:31 AM

:thumbup2:

Also, it's better to save those two different OTL scripts in a Notepad file and save that to the flash drive so that you can simply copy and paste them instead of typing them manually. Doing this will prevent any mistakes or typos when the script is executed.

~Semp



#15 spectr (Topic Starter)

Posted 24 February 2012 - 04:50 PM

Okay, success so far, well maybe not based on the first sentence of the following log. Internet connectivity is back. OTL did not require a restart, so it all happened at the same time. I ran the steps and here are the logs:

========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
An internal error occurred: The request is not supported.

Please contact Microsoft Product Support Services for further help.
Additional information: Unable to query host name.
C:\Documents and Settings\jacoba\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\jacoba\Desktop\cmd.txt deleted successfully.
File c:\windows\system32\drivers\ipsec.sys successfully replaced with c:\windows\$NtServicePackUninstall$\ipsec.sys
< rmdir C:\Windows\$NtUninstallKB33577$ /c >
C:\Documents and Settings\jacoba\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\jacoba\Desktop\cmd.txt deleted successfully.
File\Folder :Commands not found.
File\Folder [CREATERESTOREPOINT] not found.
File\Folder [REBOOT] not found.

OTL by OldTimer - Version 3.2.33.2 log created on 02242012_164045

OTL logfile created on: 2/24/2012 4:41:53 PM - Run 3
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Documents and Settings\jacoba\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.75 Gb Total Physical Memory | 2.25 Gb Available Physical Memory | 81.87% Memory free
5.34 Gb Paging File | 4.96 Gb Available in Paging File | 92.92% Paging File free
Paging file location(s): C:\pagefile.sys 0 0F:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 170.30 Gb Free Space | 57.13% Space Free | Partition Type: NTFS
Drive F: | 931.51 Gb Total Space | 284.97 Gb Free Space | 30.59% Space Free | Partition Type: NTFS

Computer Name: JACOB | User Name: jacoba | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: USBDongle - File not found
NetSvcs: InterBaseServer - File not found
NetSvcs: ahcix86s - File not found
NetSvcs: agnwifi - File not found
NetSvcs: vmauthdservice - File not found
NetSvcs: interactivelogon - File not found
NetSvcs: se44bus - File not found
NetSvcs: raidmsvr - File not found
NetSvcs: wstcodec - File not found
NetSvcs: webrootcommagentservice - File not found
NetSvcs: MSCamSvc - File not found
NetSvcs: CX23880 - File not found
NetSvcs: SNMP - File not found
NetSvcs: msfwsvc - File not found
NetSvcs: O2SCBUS - File not found
NetSvcs: rnadirectory - File not found
NetSvcs: eelogsvc - File not found
NetSvcs: eskerlicensecontrol - File not found
NetSvcs: ccispwdsvc - File not found
NetSvcs: WmdmPmSp - File not found

========== Custom Scans ==========



< MD5 for: IPSEC.SYS >
[2008/04/13 23:49:44 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=23C74D75E36E7158768DD63D92789A91 -- C:\WINDOWS\erdnt\cache\ipsec.sys
[2008/04/13 23:49:44 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=23C74D75E36E7158768DD63D92789A91 -- C:\WINDOWS\ServicePackFiles\i386\ipsec.sys
[2004/08/03 17:14:30 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=64537AA5C003A6AFEEE1DF819062D0D1 -- C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys
[2004/08/03 17:14:30 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=64537AA5C003A6AFEEE1DF819062D0D1 -- C:\WINDOWS\system32\dllcache\ipsec.sys
[2004/08/03 17:14:30 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=64537AA5C003A6AFEEE1DF819062D0D1 -- C:\WINDOWS\system32\drivers\ipsec.sys

< c:\windows\*. /SL >

< c:\windows\*. /RP >

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[c:\windows\$NtUninstallKB33577$] -> Error: Cannot create file handle -> Unknown point type

< End of report >

Dare I hope we're getting close? Thanks again for all your work.

Edited by spectr, 24 February 2012 - 04:52 PM.




