System Check Malware - Can't Run DDS or GMER

27 replies to this topic

#1 jonesy4321
  • Members
  • 14 posts

Posted 16 March 2012 - 02:45 PM

Hi,
Within the past 24 hours or so my laptop began showing symptoms of System Check malware. I tried to follow your guide to self-remove the files, but I had no success. In preparing for this post, I also tried to run DDS and GMER. I can download DDS, but it stalls in the middle of running, requiring a system reboot. GMER downloads as well, but upon running the .exe produces an error:
load Driver ("C:Docume~1\Rob\LOCALS~1\Temp\pwryypod.sys") error - cannot create a stable subkey under a volatile parent key
After this error occurs, I am limited to only scanning some of the possible directories, which do not include all of the ones you recommend to investigate.

I had some success with using OTL to scan my system. Below I'll post the OTL.Txt file, followed by the Extras.Txt file.

OTL logfile created on: 3/16/2012 3:20:41 PM - Run 1
OTL by OldTimer - Version 3.2.37.1 Folder = C:\Documents and Settings\Rob\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.34 Gb Available Physical Memory | 67.31% Memory free
3.85 Gb Paging File | 3.39 Gb Available in Paging File | 88.12% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.44 Gb Total Space | 46.32 Gb Free Space | 62.22% Space Free | Partition Type: NTFS

Computer Name: ZEROZEROONE | User Name: Rob | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/16 15:18:00 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\OTL.com
PRC - [2012/03/15 20:49:00 | 000,337,920 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ip3CcbRo8pL3nc.exe
PRC - [2012/02/28 16:09:15 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/07/27 07:06:44 | 000,267,488 | ---- | M] () -- C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
PRC - [2011/03/02 01:36:44 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\system32\rpcnet.exe
PRC - [2010/10/25 15:13:42 | 000,821,144 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
PRC - [2008/12/04 14:24:30 | 000,665,424 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Epson Software\Event Manager\EEventManager.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/07/13 15:36:12 | 001,117,208 | ---- | M] (Memeo) -- C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
PRC - [2007/02/19 15:27:16 | 000,090,112 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
PRC - [2007/02/19 15:26:32 | 000,303,104 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe


========== Modules (No Company Name) ==========

MOD - [2012/03/15 20:49:00 | 000,337,920 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ip3CcbRo8pL3nc.exe
MOD - [2012/02/28 16:09:14 | 001,911,768 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2012/02/20 11:13:36 | 011,817,472 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\29bdc8352d3c26e3c572ea60639dec3b\System.Web.ni.dll
MOD - [2012/02/20 11:13:25 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\11dcb806c92f55111f5fa9f1a90e3bdd\System.ServiceProcess.ni.dll
MOD - [2012/02/20 11:12:03 | 001,712,128 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\96e485c02ad346a2bd26a635e7fcb023\Microsoft.VisualBasic.ni.dll
MOD - [2012/02/20 11:11:43 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\94a40f415bfa947e251888bbe88bb973\System.Configuration.ni.dll
MOD - [2012/02/20 11:06:57 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\77e1279cbf4eecfb0284b63316fe43fe\System.Xml.ni.dll
MOD - [2012/02/20 11:06:46 | 012,430,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ad99ac6b5666edb8ee742dd64f9578af\System.Windows.Forms.ni.dll
MOD - [2012/02/20 11:06:27 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\9351cf29bb1ba951e45a9b3b0edab937\System.Drawing.ni.dll
MOD - [2012/02/20 11:06:02 | 006,616,576 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\ae888f8633fce3ff1de98e32bce0abbf\System.Data.ni.dll
MOD - [2012/02/16 02:03:40 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\9e3803cd2a11f056291862e306a8e2b2\System.ni.dll
MOD - [2012/02/16 02:02:34 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2012/02/16 02:02:26 | 000,303,104 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
MOD - [2012/01/03 11:37:30 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll
MOD - [2011/10/13 17:01:37 | 008,522,400 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2011/07/27 07:06:44 | 000,267,488 | ---- | M] () -- C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
MOD - [2011/03/17 00:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2010/10/20 15:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
MOD - [2009/10/07 16:01:34 | 000,143,360 | ---- | M] () -- C:\WINDOWS\system32\preflib.dll
MOD - [2009/10/07 16:01:14 | 000,757,760 | ---- | M] () -- C:\WINDOWS\system32\bcm1xsup.dll
MOD - [2008/12/03 15:05:26 | 000,135,168 | ---- | M] () -- C:\Program Files\Epson Software\Event Manager\Assistants\Scan Assistant\ScanEngine.dll
MOD - [2008/11/26 11:56:02 | 000,057,344 | ---- | M] () -- C:\Program Files\Epson Software\Event Manager\Assistants\Scan Assistant\Satwain.dll
MOD - [2007/07/13 15:36:34 | 000,365,128 | ---- | M] () -- C:\Program Files\Memeo\AutoBackup\sqlite3.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Blaze Media Pro\NMSAccess32.exe -- (NMSAccess)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2011/12/29 11:41:47 | 002,152,152 | ---- | M] (Lavasoft Limited) [Auto | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2011/07/27 07:06:44 | 000,267,488 | ---- | M] () [Auto | Running] -- C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe -- (Updater Service for StartNow Toolbar)
SRV - [2011/06/12 11:15:00 | 031,125,880 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2011/03/02 01:36:44 | 000,058,288 | ---- | M] (Absolute Software Corp.) [Auto | Running] -- C:\WINDOWS\system32\rpcnet.exe -- (rpcnet) Remote Procedure Call (RPC)
SRV - [2007/02/19 15:27:16 | 000,090,112 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe -- (STacSV)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\PCASp50.sys -- (PCASp50)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2011/12/23 08:12:12 | 000,064,512 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\Lbd.sys -- (Lbd)
DRV - [2011/12/23 08:12:10 | 000,015,232 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2009/10/07 16:01:32 | 002,649,216 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2007/02/23 16:47:34 | 000,056,576 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\oz776.sys -- (guardian2)
DRV - [2007/02/19 15:27:34 | 001,228,296 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/02/16 16:46:00 | 000,160,256 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2007/02/05 11:49:10 | 000,178,176 | R--- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2006/11/02 19:47:36 | 000,989,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/11/02 19:47:00 | 000,209,152 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/11/02 19:46:56 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/06/09 10:38:24 | 000,006,909 | R--- | M] (Conexant Systems, Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\UIUSYS.SYS -- (UIUSys)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredimail.com/mb59?u=92541677808226786
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{02D71254-493B-4FAC-8C58-284290F7248F}: "URL" = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{9B97950D-482C-1D79-568F-FC7B9D40C785}: "URL" = http://www.bing.com/search?q={searchTerms}&pc=Z192&form=ZGAIDF&install_date=20111013&iesrc={referrer:source}
IE - HKCU\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredimail.com/mb59/?search={searchTerms}&loc=search_box&u=92541677808226786
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaulturl: "Bing"
FF - prefs.js..browser.search.order.1: "Bing"
FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=937811&ilc=12"
FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: toolbar@ask.com:3.9.1.14019

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\web2pdfextension@web2pdf.adobedotcom: C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2011/07/21 17:27:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/28 16:09:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/10/03 23:40:43 | 000,000,000 | ---D | M]

[2011/03/02 03:50:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Rob\Application Data\Mozilla\Extensions
[2011/10/18 10:27:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Rob\Application Data\Mozilla\Firefox\Profiles\k9r44cja.default\extensions
[2011/06/20 12:39:42 | 000,000,000 | ---D | M] (FoxLingo) -- C:\Documents and Settings\Rob\Application Data\Mozilla\Firefox\Profiles\k9r44cja.default\extensions\{ef62e1ce-d2a4-4cdd-b7ec-92b120366b66}
[2011/10/13 17:03:52 | 000,001,945 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\Mozilla\Firefox\Profiles\k9r44cja.default\searchplugins\bing-zugo.xml
[2011/10/09 11:45:48 | 000,000,947 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\Mozilla\Firefox\Profiles\k9r44cja.default\searchplugins\conduit.xml
[2011/10/14 11:30:26 | 000,002,207 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\Mozilla\Firefox\Profiles\k9r44cja.default\searchplugins\MyStart Search.xml
[2012/01/03 11:59:56 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/02/28 16:09:16 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/07/19 05:05:25 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/11/18 17:44:16 | 001,680,272 | ---- | M] (Caminova, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdjvu.dll
[2012/02/15 18:13:56 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/10/03 16:33:01 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml.old
[2012/02/15 18:13:56 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2011/12/29 15:02:54 | 000,439,920 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 15128 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [EEventManager] C:\Program Files\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKCU..\Run: [ip3CcbRo8pL3nc] C:\Documents and Settings\All Users\Application Data\ip3CcbRo8pL3nc.exe ()
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\Rob\Start Menu\Programs\Startup\Epson all-in-one Registration.lnk = File not found
O4 - Startup: C:\Documents and Settings\Rob\Start Menu\Programs\Startup\Memeo AutoBackup Launcher.lnk = C:\Documents and Settings\Rob\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe (Macrovision Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1317266828703 (MUCatalogWebControl Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1299042968709 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {8EF9626B-2251-4C5E-BD17-D5F3E0E98B03} http://airpennnet-help.net.isc.upenn.edu/xpc/tools/xc_loader_activex.ocx (xc_loader_activex.cntMain)
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 128.91.2.13 128.91.254.1 128.91.251.158
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1C3BF503-4C49-4E1F-96E1-150F5BA1CA1D}: NameServer = 128.91.2.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F2454586-07A7-431E-AFAD-DD1609082845}: DhcpNameServer = 128.91.2.13 128.91.254.1 128.91.251.158
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\TPSvc: DllName - (TPSvc.dll) - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/03/02 00:02:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/16 15:18:04 | 000,594,944 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\OTL.com
[2012/03/16 15:11:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Desktop\gmer
[2012/03/16 15:04:36 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Rob\Desktop\dds.scr
[2012/03/16 14:01:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Rob\Start Menu\Programs\Administrative Tools
[2012/03/16 13:59:42 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Rob\Desktop\dds.com
[2012/03/16 13:29:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2012/03/16 00:41:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\GridinSoft Trojan Killer
[2012/03/16 00:41:44 | 000,000,000 | ---D | C] -- C:\Program Files\GridinSoft Trojan Killer
[2012/03/16 00:34:14 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/03/16 00:29:44 | 000,000,000 | ---D | C] -- C:\sh4ldr
[2012/03/16 00:29:44 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2012/03/16 00:28:35 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2012/03/15 21:37:15 | 000,042,864 | R--- | C] (GFI Software) -- C:\WINDOWS\System32\SBBD.EXE
[2012/03/15 21:24:55 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Rob\Recent
[2012/03/15 20:49:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Start Menu\Programs\System Check
[2012/03/15 12:57:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Desktop\20120122_1BBL
[2012/03/05 19:39:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Desktop\RSC_W2007_COM_32_tcm18-126873
[2012/02/20 17:10:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Desktop\trpcage D mutants
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[20 C:\Documents and Settings\Rob\Desktop\*.tmp files -> C:\Documents and Settings\Rob\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/16 15:18:00 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\OTL.com
[2012/03/16 15:14:11 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\s69vx1gy.exe
[2012/03/16 15:11:32 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\gmer.zip
[2012/03/16 15:04:33 | 000,000,192 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~ip3CcbRo8pL3ncr
[2012/03/16 15:04:32 | 000,000,272 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~ip3CcbRo8pL3nc
[2012/03/16 15:04:28 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Rob\Desktop\dds.scr
[2012/03/16 15:00:19 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2012/03/16 15:00:04 | 000,024,981 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2012/03/16 15:00:01 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.exe
[2012/03/16 14:59:56 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\rpcnet.dll
[2012/03/16 14:59:38 | 000,002,445 | ---- | M] () -- C:\Documents and Settings\Rob\Start Menu\Programs\Startup\Memeo AutoBackup Launcher.lnk
[2012/03/16 14:59:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/16 14:40:27 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2012/03/16 14:40:27 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2012/03/16 13:59:41 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Rob\Desktop\dds.com
[2012/03/16 13:57:24 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Rob\defogger_reenable
[2012/03/16 13:55:57 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\Defogger.exe
[2012/03/16 13:49:36 | 000,598,798 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/16 13:49:36 | 000,135,586 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/03/16 13:44:53 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.dll
[2012/03/16 00:23:01 | 000,000,448 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ip3CcbRo8pL3nc
[2012/03/15 23:15:57 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/15 21:22:44 | 000,000,062 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ip3CcbRo8pL3nc.lic
[2012/03/15 20:49:08 | 000,000,853 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/03/15 20:49:08 | 000,000,835 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\System Check.lnk
[2012/03/15 20:49:00 | 000,337,920 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ip3CcbRo8pL3nc.exe
[2012/03/14 15:46:04 | 004,989,618 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\spep.tga
[2012/03/14 15:43:27 | 000,016,033 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\speptide.pdb
[2012/03/14 15:41:50 | 000,137,862 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\1D5D.pdb
[2012/03/14 13:03:34 | 000,287,704 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/14 12:57:48 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/14 09:56:15 | 000,024,981 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2012/03/13 13:35:12 | 000,378,266 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\cool.PDF
[2012/03/12 09:47:47 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/03/06 13:35:10 | 000,174,063 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\hrmmm 2.PDF
[2012/03/02 11:29:14 | 000,000,584 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\grstyles.stl
[2012/02/29 12:47:04 | 001,433,418 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\gapsa database.PDF
[2012/02/25 17:07:54 | 000,042,659 | ---- | M] () -- C:\Documents and Settings\Rob\.recently-used.xbel
[2012/02/21 13:10:11 | 003,000,798 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\zinc finger.PDF
[2012/02/20 11:03:43 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[20 C:\Documents and Settings\Rob\Desktop\*.tmp files -> C:\Documents and Settings\Rob\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/16 15:14:12 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\s69vx1gy.exe
[2012/03/16 15:11:32 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\gmer.zip
[2012/03/16 13:57:24 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Rob\defogger_reenable
[2012/03/16 13:56:05 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\Defogger.exe
[2012/03/15 23:15:57 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/15 21:22:44 | 000,000,062 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ip3CcbRo8pL3nc.lic
[2012/03/15 20:54:38 | 000,000,853 | ---- | C] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/03/15 20:49:14 | 000,000,192 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~ip3CcbRo8pL3ncr
[2012/03/15 20:49:13 | 000,000,272 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~ip3CcbRo8pL3nc
[2012/03/15 20:49:08 | 000,000,835 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\System Check.lnk
[2012/03/15 20:49:05 | 000,000,448 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ip3CcbRo8pL3nc
[2012/03/15 20:49:00 | 000,337,920 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ip3CcbRo8pL3nc.exe
[2012/03/14 15:46:04 | 004,989,618 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\spep.tga
[2012/03/14 15:42:36 | 000,016,033 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\speptide.pdb
[2012/03/14 15:41:48 | 000,137,862 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\1D5D.pdb
[2012/03/13 13:35:59 | 000,378,266 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\cool.PDF
[2012/03/06 13:36:25 | 000,174,063 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\hrmmm 2.PDF
[2012/02/29 12:47:09 | 001,433,418 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\gapsa database.PDF
[2012/02/25 17:07:54 | 000,042,659 | ---- | C] () -- C:\Documents and Settings\Rob\.recently-used.xbel
[2012/02/21 13:11:42 | 003,000,798 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\zinc finger.PDF
[2012/02/15 20:21:30 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/15 20:21:30 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2011/12/29 14:38:10 | 000,016,432 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2011/10/17 18:03:09 | 000,000,034 | ---- | C] () -- C:\WINDOWS\System32\Converter_sysquict.dat
[2011/10/14 11:15:10 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Rob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/09/28 16:11:33 | 000,000,197 | ---- | C] () -- C:\WINDOWS\cedt.INI
[2011/07/21 17:05:32 | 000,180,624 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2011/07/18 13:18:22 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Rob\Local Settings\Application Data\PUTTY.RND
[2011/05/12 15:58:58 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/05/12 15:58:58 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/03/15 18:21:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\EEventManager.INI
[2011/03/13 15:16:07 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/12 19:04:04 | 000,073,220 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2011/03/12 19:04:04 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2011/03/12 19:04:04 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2011/03/12 19:04:04 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2011/03/12 19:04:04 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2011/03/12 19:04:04 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2011/03/12 19:04:04 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2011/03/12 19:04:04 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2011/03/12 19:04:04 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2011/03/12 19:04:04 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2011/03/12 19:04:04 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2011/03/12 19:04:04 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2011/03/12 19:04:04 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2011/03/12 19:04:04 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2011/03/12 19:04:04 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2011/03/12 19:04:04 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2011/03/12 19:01:06 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPNX210.ini
[2011/03/02 12:53:09 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Rob\Application Data\winscp.rnd
[2011/03/02 12:06:00 | 000,000,158 | ---- | C] () -- C:\WINDOWS\matlab.ini
[2011/03/02 03:49:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/03/02 03:34:10 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2011/03/02 03:34:09 | 000,025,088 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2011/03/02 03:34:08 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2011/03/02 00:51:16 | 000,024,981 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2011/03/02 00:50:41 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2011/03/02 00:50:41 | 001,626,112 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2011/03/02 00:50:41 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2011/03/02 00:50:39 | 001,018,748 | ---- | C] () -- C:\WINDOWS\System32\nvucode.bin
[2011/03/02 00:50:38 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2011/03/02 00:50:36 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2011/03/02 00:50:35 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2011/03/02 00:50:30 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2011/03/02 00:50:28 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2011/03/02 00:05:50 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\rpcnetp.dll
[2011/03/02 00:04:48 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/03/01 23:59:27 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/03/01 18:52:09 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/03/01 18:50:59 | 000,287,704 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/01 18:50:53 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\rpcnetp.exe

< End of report >

OTL Extras logfile created on: 3/16/2012 3:20:41 PM - Run 1
OTL by OldTimer - Version 3.2.37.1 Folder = C:\Documents and Settings\Rob\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.34 Gb Available Physical Memory | 67.31% Memory free
3.85 Gb Paging File | 3.39 Gb Available in Paging File | 88.12% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.44 Gb Total Space | 46.32 Gb Free Space | 62.22% Space Free | Partition Type: NTFS

Computer Name: ZEROZEROONE | User Name: Rob | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htafile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office14\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office14\GROOVE.EXE:*:Enabled:Microsoft SharePoint Workspace -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE:*:Enabled:Microsoft OneNote -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Epson Software\Event Manager\EEventManager.exe" = C:\Program Files\Epson Software\Event Manager\EEventManager.exe:*:Disabled:EEventManager Application -- (SEIKO EPSON CORPORATION)
"C:\Program Files\VEGA ZZ\VegaZZ.exe" = C:\Program Files\VEGA ZZ\VegaZZ.exe:*:Enabled:VEGA ZZ - The Ultimate Molecular Modelling Toolkit -- (Dipartimento di Scienze Farmaceutiche "Pietro Pratesi", Università degli Studi di Milano,Via Mangiagalli 25, I-20133, Milano (Italia))
"C:\Program Files\IncrediMail\Bin\IncMail.exe" = C:\Program Files\IncrediMail\Bin\IncMail.exe:*:Enabled:IncrediMail
"C:\Program Files\IncrediMail\Bin\ImApp.exe" = C:\Program Files\IncrediMail\Bin\ImApp.exe:*:Enabled:IncrediMail
"C:\Program Files\IncrediMail\Bin\ImpCnt.exe" = C:\Program Files\IncrediMail\Bin\ImpCnt.exe:*:Enabled:IncrediMail


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java™ 6 Update 27
"{343D8DE3-AE1F-431A-830C-B66352E8CA12}" = OZ776 SCR Driver V1.1.3.9
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{48F22622-1CC2-4A83-9C1E-644DD96F832D}" = Epson Event Manager
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{6BCEB97B-F315-455D-BC2D-565A1A6781E8}" = Memeo AutoBackup
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{824BDB0B-1D3F-43D7-BF20-4FC726E0D112}" = Document Express DjVu Plug-in
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8E9976D2-E563-43DE-A51F-5AEBC38D1F08}" = Ad-Aware
"{90140000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 14
"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUS_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUS_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUS_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.PROPLUS_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.PROPLUS_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.PROPLUS_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{AAF4238F-7C29-451D-9925-C753271A5728}" = Microsoft Visual C++ Run Time Lib Setup
"{AC76BA86-1033-F400-7760-000000000005}" = Adobe Acrobat X Pro - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C63DCEC6-814B-48DA-82F5-85BE5582CAAD}" = VMD 1.8.7
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D3B3B9B2-FE73-44CB-8C0A-F737D92F991B}" = Broadcom Gigabit Integrated Controller
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"ACDLabs in C__Program_Files_ACDFREE12_" = ACD/Labs Software in C:\Program Files\ACDFREE12\
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"Crimson Editor SVN286" = Crimson Editor SVN286
"DW WLAN Card Utility" = DW WLAN Card Utility
"EPSON NX210 Series" = EPSON NX210 Series Printer Uninstall
"EPSON Scanner" = EPSON Scan
"Foxit Creator" = Foxit Creator
"Foxit Reader" = Foxit Reader
"ie8" = Windows Internet Explorer 8
"Inkscape" = Inkscape 0.48.1
"InstallShield_{343D8DE3-AE1F-431A-830C-B66352E8CA12}" = OZ776 SCR Driver V1.1.3.9
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"MatlabR2007a" = MATLAB Student R2007a
"MatlabR2008b" = MATLAB Student R2008b
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Molekel" = Molekel
"Mozilla Firefox 10.0.2 (x86 en-US)" = Mozilla Firefox 10.0.2 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
"PyMOL" = PyMOL
"SecureW2 Enterprise Client" = SecureW2 Enterprise Client 3.5.2
"VEGA ZZ_is1" = VEGA ZZ 2.4.0
"VLC media player" = VLC media player 1.1.11
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.11
"winscp3_is1" = WinSCP 4.3.3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"InstallShield_{6BCEB97B-F315-455D-BC2D-565A1A6781E8}" = Memeo AutoBackup

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/16/2012 1:33:39 PM | Computer Name = ZEROZEROONE | Source = LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. BaseIndex value from Performance
registry
is the first DWORD in Data section, LastCounter value is the second DWORD in Data
section, and LastHelp value is the third DWORD in Data section.

Error - 3/16/2012 1:33:39 PM | Computer Name = ZEROZEROONE | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 3/16/2012 1:45:56 PM | Computer Name = ZEROZEROONE | Source = LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. BaseIndex value from Performance
registry
is the first DWORD in Data section, LastCounter value is the second DWORD in Data
section, and LastHelp value is the third DWORD in Data section.

Error - 3/16/2012 1:45:56 PM | Computer Name = ZEROZEROONE | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 3/16/2012 1:47:10 PM | Computer Name = ZEROZEROONE | Source = LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. BaseIndex value from Performance
registry
is the first DWORD in Data section, LastCounter value is the second DWORD in Data
section, and LastHelp value is the third DWORD in Data section.

Error - 3/16/2012 1:47:10 PM | Computer Name = ZEROZEROONE | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 3/16/2012 1:49:33 PM | Computer Name = ZEROZEROONE | Source = LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. BaseIndex value from Performance
registry
is the first DWORD in Data section, LastCounter value is the second DWORD in Data
section, and LastHelp value is the third DWORD in Data section.

Error - 3/16/2012 1:49:33 PM | Computer Name = ZEROZEROONE | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 3/16/2012 2:00:43 PM | Computer Name = ZEROZEROONE | Source = Application Error | ID = 1000
Description = Faulting application teatimer.exe, version 1.6.6.32, faulting module
teatimer.exe, version 1.6.6.32, fault address 0x0006e66e.

Error - 3/16/2012 2:41:26 PM | Computer Name = ZEROZEROONE | Source = Application Error | ID = 1000
Description = Faulting application teatimer.exe, version 1.6.6.32, faulting module
teatimer.exe, version 1.6.6.32, fault address 0x0006e66e.

[ System Events ]
Error - 1/6/2012 3:28:01 PM | Computer Name = ZEROZEROONE | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 165.123.22.196
on the Network Card with network address 001644BEC2BF.

Error - 1/16/2012 2:16:03 PM | Computer Name = ZEROZEROONE | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 1/16/2012 2:16:03 PM | Computer Name = ZEROZEROONE | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 1/16/2012 2:16:19 PM | Computer Name = ZEROZEROONE | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 1/16/2012 2:16:19 PM | Computer Name = ZEROZEROONE | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 1/18/2012 8:05:59 PM | Computer Name = ZEROZEROONE | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 165.123.22.154
on the Network Card with network address 001644BEC2BF.

Error - 1/18/2012 10:42:14 PM | Computer Name = ZEROZEROONE | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 165.123.22.154
on the Network Card with network address 001644BEC2BF.

Error - 1/19/2012 5:00:41 PM | Computer Name = ZEROZEROONE | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 165.123.22.204
on the Network Card with network address 001644BEC2BF.

Error - 1/19/2012 5:01:36 PM | Computer Name = ZEROZEROONE | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 001644BEC2BF. The following
error occurred: %%1223. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.

Error - 1/20/2012 2:11:41 PM | Computer Name = ZEROZEROONE | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 165.123.22.179
on the Network Card with network address 001644BEC2BF.


< End of report >

#2 Aaflac (Malware Response Team)

Posted 17 March 2012 - 09:39 PM

Welcome to Bleeping Computer, jonesy4321!

System Check is a member of the FakeHDD family, and is known to bundle with the TDL rootkit.

Let's see what the following short scan shows...

Please download RogueKiller

•When you get to the website, go to where it says:
(Download link) Lien de téléchargement:
•Click the dark-blue button to download.
•Save to the Desktop

•Close all windows and browsers
•XP: Double-click the program to run it

At the RogueKiller console...
•Press: SCAN

•When done, a report opens on the Desktop: RKreport.txt

Please copy/paste the RKreport.txt, and provide it in your reply.

Note:
If you cannot download, but can run programs, instead of downloading the program requested to the problem computer, download it to a clean computer.

Next, save it to a USB flash drive (or removable media), move it to the Desktop of the infected computer, and run the program as described on the instructions above.

Edited by Aaflac, 17 March 2012 - 09:41 PM.

Old duck...


#3 jonesy4321 (Topic Starter)

Posted 18 March 2012 - 07:01 PM

Aaflac,
Thank you very much for the quick reply. I was able to download RogueKiller on the infected laptop. The report follows:

RogueKiller V7.3.1 [03/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Rob [Admin rights]
Mode: Scan -- Date: 03/18/2012 19:56:55

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 6 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : ip3CcbRo8pL3nc (C:\Documents and Settings\All Users\Application Data\ip3CcbRo8pL3nc.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-796845957-1604221776-839522115-1003[...]\Run : ip3CcbRo8pL3nc (C:\Documents and Settings\All Users\Application Data\ip3CcbRo8pL3nc.exe) -> FOUND
[SUSP PATH] Memeo AutoBackup Launcher.lnk @Rob : C:\Documents and Settings\Rob\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe -> FOUND
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{1C3BF503-4C49-4E1F-96E1-150F5BA1CA1D} : NameServer (128.91.2.13) -> FOUND
[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{1C3BF503-4C49-4E1F-96E1-150F5BA1CA1D} : NameServer (128.91.2.13) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK8051GSY +++++
--- User ---
[MBR] 7fea61979db9a4605de161b3b8bb0a98
[BSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 86 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 176715 | Size: 76230 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 8f5696359f60c60fed6c523e7415e27e
[BSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 86 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 176715 | Size: 76230 Mo
2 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 156296385 | Size: 2 Mo

Finished : << RKreport[1].txt >>

#4 Aaflac (Malware Response Team)

Posted 18 March 2012 - 09:20 PM

Let's press on with RogueKiller...

• Please quit all programs
• Double-click the RogueKiller file to run the program
• Wait until the Prescan finishes

• On the RogueKiller console, click the Registry tab.
• Make sure the entries there are checked.
• Then, press the [Delete] button.

An RKreport (Mode: Delete) is created on the Desktop.
(The RKreport also opens using the Report button on the console.)
You need to provide this report in your reply.

• Once again at the RogueKiller console, click the DNS tab.
• Make sure the entries there are checked, if there is an option to do so.
• Then, press the [DNSFix] button.

An RKreport (Mode: DNSFix) is created on the Desktop.
(The RKreport also opens using the Report button on the console.)
You need to provide this report in your reply.

You should have 2 RogueKiller RKreports to post:
1. Mode: Delete
2. Mode: DNSFix

Old duck...


#5 jonesy4321

  • Topic Starter
  • Members
  • 14 posts

Posted 18 March 2012 - 10:00 PM

RogueKiller V7.3.1 [03/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Rob [Admin rights]
Mode: Remove -- Date: 03/18/2012 22:57:08

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : ip3CcbRo8pL3nc (C:\Documents and Settings\All Users\Application Data\ip3CcbRo8pL3nc.exe) -> DELETED
[SUSP PATH] Memeo AutoBackup Launcher.lnk @Rob : C:\Documents and Settings\Rob\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe -> DELETED
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{1C3BF503-4C49-4E1F-96E1-150F5BA1CA1D} : NameServer (128.91.2.13) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{1C3BF503-4C49-4E1F-96E1-150F5BA1CA1D} : NameServer (128.91.2.13) -> NOT REMOVED, USE DNSFIX
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK8051GSY +++++
--- User ---
[MBR] 7fea61979db9a4605de161b3b8bb0a98
[BSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 86 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 176715 | Size: 76230 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 8f5696359f60c60fed6c523e7415e27e
[BSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 86 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 176715 | Size: 76230 Mo
2 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 156296385 | Size: 2 Mo

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt



RogueKiller V7.3.1 [03/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Rob [Admin rights]
Mode: DNSFix -- Date: 03/18/2012 22:58:18

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{1C3BF503-4C49-4E1F-96E1-150F5BA1CA1D} : NameServer (128.91.2.13) -> REPLACED ()
[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{1C3BF503-4C49-4E1F-96E1-150F5BA1CA1D} : NameServer (128.91.2.13) -> REPLACED ()

Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt

#6 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts

Posted 18 March 2012 - 10:01 PM

Let's also check the partitions in the hard drive to make sure malware has not created a hidden partition from which to 'operate'.

Please download ListParts
Save to the Desktop
Double-click the downloaded file to run the program.
Click: Scan
When done, please post the Result.txt in your reply.

Old duck...


#7 jonesy4321

  • Topic Starter
  • Members
  • 14 posts

Posted 18 March 2012 - 10:04 PM

ListParts by Farbar Version: 12-03-2012 03
Ran by Rob (administrator) on 18-03-2012 at 23:03:09
Windows XP (X86)
Running From: C:\Documents and Settings\Rob\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 45%
Total physical RAM: 2045.89 MB
Available physical RAM: 1110.94 MB
Total Pagefile: 3938.67 MB
Available Pagefile: 3358.21 MB
Total Virtual: 2047.88 MB
Available Virtual: 2001.04 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:74.44 GB) (Free:46.33 GB) NTFS ==>[Drive with boot components (Windows XP)]

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 75 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 86 MB 32 KB
Partition 2 Primary 74 GB 86 MB
Partition 3 Unknown 2544 KB 75 GB
======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.
======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 74 GB Healthy Boot
======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.
======================================================================================================

****** End Of Log ******
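What the two logs above are showing, as an added illustration (this code is not from the thread, from RogueKiller or from ListParts): RogueKiller's MBR check reads the first sector by two methods (labelled User and LL2 in its report), hashes both and reports KO! when they differ, and ListParts walks the partition table and marks hidden-type entries. The Python below parses a raw 512-byte MBR the same way, flags a hidden, active, tiny partition of type 0x17, and compares the two reads. The two MBR images, the partition-type tables and the 16 MB "tiny" threshold are constructed assumptions that approximate the offsets in the logs, not the tools' own data.

```python
"""Parse a classic MBR partition table and flag the hidden-active-partition
pattern from the thread above. Added example; the disk images are constructed."""
import hashlib
import struct

SECTOR = 512
BOOT_SIG = 0xAA55
MB = 2048  # 512-byte sectors per MiB

# "Hidden" variants of ordinary filesystem IDs (assumed list, not the tools' own).
HIDDEN_TYPES = {0x11: "Hidden FAT12", 0x14: "Hidden FAT16 <32M", 0x16: "Hidden FAT16",
                0x17: "Hidden NTFS/HPFS", 0x1B: "Hidden FAT32", 0x1C: "Hidden FAT32 LBA",
                0x1E: "Hidden FAT16 LBA"}
KNOWN_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x83: "Linux", 0xDE: "DELL-UTIL"}


def build_mbr(entries, code=b""):
    """Construct a 512-byte MBR image from (active, type, lba_start, lba_count) tuples.
    Test data only; a real MBR would be read from the physical drive."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if active else 0x00, ptype, start, count)
                     for active, ptype, start, count in entries)
    return code[:446].ljust(446, b"\x00") + table.ljust(64, b"\x00") + struct.pack("<H", BOOT_SIG)


def parse_mbr(mbr: bytes):
    """Return the populated primary partition entries of an MBR as dicts."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if struct.unpack_from("<H", mbr, 510)[0] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype == 0:
            continue  # unused slot
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "type_name": HIDDEN_TYPES.get(ptype) or KNOWN_TYPES.get(ptype, "Unknown"),
                        "hidden": ptype in HIDDEN_TYPES, "start": start, "sectors": count,
                        "size_mb": count * SECTOR / 2 ** 20})
    return entries


def suspicious_partitions(entries, small_mb=16):
    """Flag hidden-type entries that are bootable or tiny: a hidden, active, few-MB
    partition is the shape a bootkit's private storage takes. Returns (index, type, reasons)."""
    findings = []
    for e in entries:
        reasons = []
        if e["hidden"] and e["active"]:
            reasons.append("hidden type marked active (bootable)")
        if e["hidden"] and e["size_mb"] <= small_mb:
            reasons.append(f"hidden and tiny ({e['size_mb']:.1f} MB)")
        if reasons:
            findings.append((e["index"], e["type"], reasons))
    return findings


def mbr_md5(mbr: bytes) -> str:
    return hashlib.md5(mbr).hexdigest()


def reads_agree(user_read: bytes, low_level_read: bytes) -> bool:
    """Two reads of the same sector by different paths must match; a mismatch means
    something between the reader and the disk is altering what is returned."""
    return mbr_md5(user_read) == mbr_md5(low_level_read)


def report(label, mbr):
    """Render the table in a RogueKiller-like layout (format is this example's own)."""
    lines = [f"--- {label} --- [MBR] {mbr_md5(mbr)}"]
    for e in parse_mbr(mbr):
        flag = "ACTIVE" if e["active"] else "XXXXXX"
        vis = "HIDDEN!" if e["hidden"] else "VISIBLE"
        lines.append(f"{e['index']} - [{flag}] {e['type_name']} (0x{e['type']:02x}) [{vis}] "
                     f"Offset (sectors): {e['start']} | Size: {e['size_mb']:.0f} MB")
    return lines


# Constructed images approximating the offsets in the thread's logs (sizes are estimates).
USER_VIEW = build_mbr([(False, 0xDE, 63, 176715 - 63),
                       (True, 0x07, 176715, 76230 * MB)])
LOW_LEVEL_VIEW = build_mbr([(False, 0xDE, 63, 176715 - 63),
                            (False, 0x07, 176715, 76230 * MB),
                            (True, 0x17, 156296385, 2 * MB)])

if __name__ == "__main__":
    for label, image in (("User", USER_VIEW), ("LL2", LOW_LEVEL_VIEW)):
        print("\n".join(report(label, image)))
        for idx, ptype, reasons in suspicious_partitions(parse_mbr(image)):
            print(f"  !! partition {idx} type 0x{ptype:02x}: " + "; ".join(reasons))
    print("User == LL2 ... OK!" if reads_agree(USER_VIEW, LOW_LEVEL_VIEW) else "User != LL2 ... KO!")
```

On a live Windows system the 512-byte image would come from reading the first sector of the physical drive with administrator rights; the parser and the flagging rules are unchanged. The point of the two-read comparison is that a clean table seen through the normal path proves nothing on its own: it is the disagreement between the paths, together with the hidden active entry in the second view, that gives the finding.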

#8 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts

Posted 19 March 2012 - 07:44 PM

Please do the following:

Download an updated version of ComboFix

Save ComboFix.exe to the Desktop!!

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the running of CF.

Note: For information on how to disable protective programs, refer to this link

XP: Double-click on ComboFix.exe to run the program.

When given the option, DO install the Recovery Console. It provides repair options that are not otherwise available.

Click on Yes, to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply.


Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Edited by Aaflac, 19 March 2012 - 08:02 PM.

Old duck...


#9 jonesy4321

  • Topic Starter
  • Members
  • 14 posts

Posted 20 March 2012 - 06:30 PM

I seem to be encountering some difficulties in using ComboFix...

I can download and execute the program fine, but on the blue DOS screen it seems like the scan stalls out without displaying any progress of the stages that it is going through, even after leaving it running for an hour or so. I rebooted and tried again a couple of times, but haven't had any more success. Any suggestions?

Also, I'm currently running all of your requests through the normal startup, not safe mode. Should I switch over to that and try this step again?

#10 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts

Posted 20 March 2012 - 06:53 PM

Yes. Try running CF in Safe Mode.

If it does not run, we will do something else.

Old duck...


#11 jonesy4321

  • Topic Starter
  • Members
  • 14 posts

Posted 20 March 2012 - 07:56 PM

It doesn't look like running ComboFix in safe mode has any improvement on functionality. What do you suggest next?

#12 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts

Posted 20 March 2012 - 09:20 PM

Let's see if this will work...

Please download the latest version of: TDSSKiller.exe
Save to the Desktop.

Execute the downloaded file:
XP: Double-click the file to run the program

In the TDSSKiller Scan console, click on: Change parameters
Check the box next to: Detect TDLFS file system
Click: OK

Press the button: Start Scan

The tool scans and detects two object types:
Malicious (where the malware has been identified)
Suspicious (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action (Cure or Delete) for Malicious objects. Leave the setting as it is.

It also prompts the User to select an action to apply to Suspicious objects (Skip, by default).
Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.


A Reboot Required prompt may appear after a disinfection.
Please reboot!!


By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_22.02.2012_15.31.43_log.txt

Please post the TDSSKiller log in your reply.

Also need to know whether TDSSKiller needed a reboot.

Old duck...


#13 jonesy4321

  • Topic Starter
  • Members
  • 14 posts

Posted 20 March 2012 - 09:50 PM

TDSSKiller worked, and required a reboot. The log follows:

22:41:24.0890 2444 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
22:41:25.0093 2444 ============================================================
22:41:25.0093 2444 Current date / time: 2012/03/20 22:41:25.0093
22:41:25.0093 2444 SystemInfo:
22:41:25.0093 2444
22:41:25.0093 2444 OS Version: 5.1.2600 ServicePack: 3.0
22:41:25.0093 2444 Product type: Workstation
22:41:25.0093 2444 ComputerName: ZEROZEROONE
22:41:25.0093 2444 UserName: Rob
22:41:25.0093 2444 Windows directory: C:\WINDOWS
22:41:25.0093 2444 System windows directory: C:\WINDOWS
22:41:25.0093 2444 Processor architecture: Intel x86
22:41:25.0093 2444 Number of processors: 2
22:41:25.0093 2444 Page size: 0x1000
22:41:25.0093 2444 Boot type: Normal boot
22:41:25.0093 2444 ============================================================
22:41:26.0281 2444 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
22:41:26.0281 2444 \Device\Harddisk0\DR0:
22:41:26.0281 2444 MBR used
22:41:26.0281 2444 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x2B24B, BlocksNum 0x94E3276
22:41:26.0484 2444 Initialize success
22:41:26.0484 2444 ============================================================
22:42:30.0562 2948 ============================================================
22:42:30.0562 2948 Scan started
22:42:30.0562 2948 Mode: Manual; TDLFS;
22:42:30.0562 2948 ============================================================
22:42:30.0750 2948 Abiosdsk - ok
22:42:30.0765 2948 abp480n5 - ok
22:42:30.0812 2948 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:42:30.0812 2948 ACPI - ok
22:42:30.0843 2948 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
22:42:30.0843 2948 ACPIEC - ok
22:42:30.0859 2948 adpu160m - ok
22:42:30.0890 2948 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
22:42:30.0890 2948 aec - ok
22:42:30.0937 2948 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
22:42:30.0937 2948 AFD - ok
22:42:30.0953 2948 Aha154x - ok
22:42:30.0968 2948 aic78u2 - ok
22:42:30.0984 2948 aic78xx - ok
22:42:31.0000 2948 AliIde - ok
22:42:31.0000 2948 amsint - ok
22:42:31.0031 2948 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
22:42:31.0031 2948 Arp1394 - ok
22:42:31.0046 2948 asc - ok
22:42:31.0062 2948 asc3350p - ok
22:42:31.0078 2948 asc3550 - ok
22:42:31.0093 2948 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:42:31.0093 2948 AsyncMac - ok
22:42:31.0109 2948 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
22:42:31.0109 2948 atapi - ok
22:42:31.0125 2948 Atdisk - ok
22:42:31.0156 2948 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:42:31.0156 2948 Atmarpc - ok
22:42:31.0187 2948 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:42:31.0187 2948 audstub - ok
22:42:31.0265 2948 b57w2k (f96038aa1ec4013a93d2420fc689d1e9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
22:42:31.0265 2948 b57w2k - ok
22:42:31.0390 2948 BCM43XX (345d38f298368dd6b0df5c4f37457a22) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
22:42:31.0453 2948 BCM43XX - ok
22:42:31.0468 2948 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:42:31.0468 2948 Beep - ok
22:42:31.0546 2948 catchme - ok
22:42:31.0640 2948 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:42:31.0640 2948 cbidf2k - ok
22:42:31.0640 2948 cd20xrnt - ok
22:42:31.0687 2948 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:42:31.0687 2948 Cdaudio - ok
22:42:31.0734 2948 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
22:42:31.0734 2948 Cdfs - ok
22:42:31.0750 2948 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:42:31.0765 2948 Cdrom - ok
22:42:31.0781 2948 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
22:42:31.0781 2948 cercsr6 - ok
22:42:31.0781 2948 Changer - ok
22:42:31.0812 2948 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
22:42:31.0812 2948 CmBatt - ok
22:42:31.0828 2948 CmdIde - ok
22:42:31.0843 2948 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
22:42:31.0843 2948 Compbatt - ok
22:42:31.0859 2948 Cpqarray - ok
22:42:31.0875 2948 dac2w2k - ok
22:42:31.0890 2948 dac960nt - ok
22:42:31.0906 2948 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
22:42:31.0906 2948 Disk - ok
22:42:31.0953 2948 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
22:42:31.0968 2948 dmboot - ok
22:42:32.0000 2948 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
22:42:32.0000 2948 dmio - ok
22:42:32.0031 2948 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
22:42:32.0031 2948 dmload - ok
22:42:32.0062 2948 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
22:42:32.0062 2948 DMusic - ok
22:42:32.0140 2948 dpti2o - ok
22:42:32.0156 2948 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
22:42:32.0156 2948 drmkaud - ok
22:42:32.0187 2948 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
22:42:32.0187 2948 Fastfat - ok
22:42:32.0218 2948 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
22:42:32.0218 2948 Fdc - ok
22:42:32.0234 2948 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
22:42:32.0234 2948 Fips - ok
22:42:32.0250 2948 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
22:42:32.0250 2948 Flpydisk - ok
22:42:32.0281 2948 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
22:42:32.0281 2948 FltMgr - ok
22:42:32.0312 2948 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:42:32.0312 2948 Fs_Rec - ok
22:42:32.0328 2948 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:42:32.0328 2948 Ftdisk - ok
22:42:32.0343 2948 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:42:32.0343 2948 Gpc - ok
22:42:32.0375 2948 guardian2 (0e1fd1ea2837d6b7a1d7b6c928014d05) C:\WINDOWS\system32\Drivers\oz776.sys
22:42:32.0375 2948 guardian2 - ok
22:42:32.0390 2948 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
22:42:32.0390 2948 HDAudBus - ok
22:42:32.0421 2948 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
22:42:32.0421 2948 HidUsb - ok
22:42:32.0437 2948 hpn - ok
22:42:32.0468 2948 HSFHWAZL (b1526810210980bed9d22315946c919d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
22:42:32.0468 2948 HSFHWAZL - ok
22:42:32.0515 2948 HSF_DPV (ddbd528e60f5961c142a490dc4ea7780) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
22:42:32.0531 2948 HSF_DPV - ok
22:42:32.0625 2948 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
22:42:32.0625 2948 HTTP - ok
22:42:32.0640 2948 i2omgmt - ok
22:42:32.0656 2948 i2omp - ok
22:42:32.0687 2948 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:42:32.0687 2948 i8042prt - ok
22:42:32.0703 2948 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
22:42:32.0703 2948 Imapi - ok
22:42:32.0718 2948 ini910u - ok
22:42:32.0734 2948 IntelIde - ok
22:42:32.0750 2948 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
22:42:32.0765 2948 intelppm - ok
22:42:32.0781 2948 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
22:42:32.0781 2948 Ip6Fw - ok
22:42:32.0812 2948 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:42:32.0828 2948 IpFilterDriver - ok
22:42:32.0843 2948 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:42:32.0843 2948 IpInIp - ok
22:42:32.0859 2948 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:42:32.0875 2948 IpNat - ok
22:42:32.0875 2948 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:42:32.0890 2948 IPSec - ok
22:42:32.0906 2948 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
22:42:32.0906 2948 IRENUM - ok
22:42:32.0937 2948 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:42:32.0937 2948 isapnp - ok
22:42:32.0953 2948 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:42:32.0953 2948 Kbdclass - ok
22:42:32.0984 2948 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
22:42:32.0984 2948 kmixer - ok
22:42:33.0015 2948 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
22:42:33.0015 2948 KSecDD - ok
22:42:33.0093 2948 Lbd (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys
22:42:33.0093 2948 Lbd - ok
22:42:33.0093 2948 lbrtfdc - ok
22:42:33.0140 2948 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
22:42:33.0140 2948 mdmxsdk - ok
22:42:33.0171 2948 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
22:42:33.0171 2948 mnmdd - ok
22:42:33.0203 2948 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
22:42:33.0203 2948 Modem - ok
22:42:33.0218 2948 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:42:33.0234 2948 Mouclass - ok
22:42:33.0250 2948 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
22:42:33.0250 2948 mouhid - ok
22:42:33.0265 2948 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
22:42:33.0265 2948 MountMgr - ok
22:42:33.0281 2948 mraid35x - ok
22:42:33.0296 2948 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:42:33.0296 2948 MRxDAV - ok
22:42:33.0343 2948 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:42:33.0343 2948 MRxSmb - ok
22:42:33.0359 2948 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
22:42:33.0375 2948 Msfs - ok
22:42:33.0390 2948 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
22:42:33.0390 2948 MSKSSRV - ok
22:42:33.0406 2948 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
22:42:33.0406 2948 MSPCLOCK - ok
22:42:33.0437 2948 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
22:42:33.0437 2948 MSPQM - ok
22:42:33.0453 2948 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:42:33.0453 2948 mssmbios - ok
22:42:33.0531 2948 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
22:42:33.0531 2948 Mup - ok
22:42:33.0562 2948 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
22:42:33.0578 2948 NDIS - ok
22:42:33.0609 2948 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:42:33.0609 2948 NdisTapi - ok
22:42:33.0625 2948 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:42:33.0625 2948 Ndisuio - ok
22:42:33.0640 2948 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:42:33.0656 2948 NdisWan - ok
22:42:33.0671 2948 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
22:42:33.0671 2948 NDProxy - ok
22:42:33.0687 2948 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
22:42:33.0687 2948 NetBIOS - ok
22:42:33.0718 2948 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
22:42:33.0718 2948 NetBT - ok
22:42:33.0750 2948 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
22:42:33.0765 2948 NIC1394 - ok
22:42:33.0781 2948 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
22:42:33.0781 2948 Npfs - ok
22:42:33.0812 2948 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
22:42:33.0828 2948 Ntfs - ok
22:42:33.0859 2948 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
22:42:33.0859 2948 Null - ok
22:42:34.0109 2948 nv (8129d762cc3e3c5ab9cf2eabc377fb73) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
22:42:34.0250 2948 nv - ok
22:42:34.0343 2948 NWADI (2d7e00b3899afffb800361d89a0c7660) C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
22:42:34.0343 2948 NWADI - ok
22:42:34.0375 2948 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:42:34.0375 2948 NwlnkFlt - ok
22:42:34.0390 2948 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:42:34.0390 2948 NwlnkFwd - ok
22:42:34.0421 2948 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
22:42:34.0421 2948 ohci1394 - ok
22:42:34.0453 2948 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
22:42:34.0453 2948 Parport - ok
22:42:34.0468 2948 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
22:42:34.0468 2948 PartMgr - ok
22:42:34.0500 2948 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
22:42:34.0500 2948 ParVdm - ok
22:42:34.0515 2948 PCASp50 - ok
22:42:34.0531 2948 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
22:42:34.0531 2948 PCI - ok
22:42:34.0531 2948 PCIDump - ok
22:42:34.0562 2948 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
22:42:34.0562 2948 PCIIde - ok
22:42:34.0562 2948 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
22:42:34.0562 2948 Pcmcia - ok
22:42:34.0578 2948 PDCOMP - ok
22:42:34.0578 2948 PDFRAME - ok
22:42:34.0593 2948 PDRELI - ok
22:42:34.0593 2948 PDRFRAME - ok
22:42:34.0609 2948 perc2 - ok
22:42:34.0609 2948 perc2hib - ok
22:42:34.0656 2948 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
22:42:34.0656 2948 PptpMiniport - ok
22:42:34.0671 2948 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
22:42:34.0671 2948 PSched - ok
22:42:34.0687 2948 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
22:42:34.0687 2948 Ptilink - ok
22:42:34.0687 2948 ql1080 - ok
22:42:34.0703 2948 Ql10wnt - ok
22:42:34.0703 2948 ql12160 - ok
22:42:34.0718 2948 ql1240 - ok
22:42:34.0718 2948 ql1280 - ok
22:42:34.0734 2948 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
22:42:34.0734 2948 RasAcd - ok
22:42:34.0750 2948 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
22:42:34.0750 2948 Rasl2tp - ok
22:42:34.0765 2948 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
22:42:34.0765 2948 RasPppoe - ok
22:42:34.0765 2948 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
22:42:34.0765 2948 Raspti - ok
22:42:34.0781 2948 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:42:34.0796 2948 Rdbss - ok
22:42:34.0843 2948 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
22:42:34.0843 2948 RDPCDD - ok
22:42:34.0875 2948 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
22:42:34.0875 2948 rdpdr - ok
22:42:34.0906 2948 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
22:42:34.0906 2948 RDPWD - ok
22:42:34.0953 2948 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
22:42:34.0953 2948 redbook - ok
22:42:35.0062 2948 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
22:42:35.0062 2948 Secdrv - ok
22:42:35.0093 2948 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
22:42:35.0093 2948 serenum - ok
22:42:35.0109 2948 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
22:42:35.0109 2948 Serial - ok
22:42:35.0125 2948 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
22:42:35.0125 2948 Sfloppy - ok
22:42:35.0140 2948 Simbad - ok
22:42:35.0140 2948 Sparrow - ok
22:42:35.0171 2948 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
22:42:35.0171 2948 splitter - ok
22:42:35.0187 2948 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
22:42:35.0187 2948 sr - ok
22:42:35.0234 2948 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
22:42:35.0234 2948 Srv - ok
22:42:35.0296 2948 STHDA (31ba85e1cff39a57f702a2a0877bb8e1) C:\WINDOWS\system32\drivers\sthda.sys
22:42:35.0296 2948 STHDA - ok
22:42:35.0359 2948 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
22:42:35.0359 2948 swenum - ok
22:42:35.0375 2948 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
22:42:35.0375 2948 swmidi - ok
22:42:35.0390 2948 symc810 - ok
22:42:35.0406 2948 symc8xx - ok
22:42:35.0421 2948 sym_hi - ok
22:42:35.0421 2948 sym_u3 - ok
22:42:35.0437 2948 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
22:42:35.0437 2948 sysaudio - ok
22:42:35.0484 2948 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
22:42:35.0484 2948 Tcpip - ok
22:42:35.0515 2948 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
22:42:35.0515 2948 TDPIPE - ok
22:42:35.0546 2948 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
22:42:35.0546 2948 TDTCP - ok
22:42:35.0562 2948 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
22:42:35.0562 2948 TermDD - ok
22:42:35.0578 2948 TosIde - ok
22:42:35.0609 2948 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
22:42:35.0609 2948 Udfs - ok
22:42:35.0640 2948 UIUSys (7020c64a20709b39cbe4a1cf371a9cd5) C:\WINDOWS\system32\DRIVERS\UIUSYS.SYS
22:42:35.0640 2948 UIUSys - ok
22:42:35.0656 2948 ultra - ok
22:42:35.0703 2948 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
22:42:35.0703 2948 Update - ok
22:42:35.0843 2948 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
22:42:35.0843 2948 usbccgp - ok
22:42:35.0875 2948 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
22:42:35.0875 2948 usbehci - ok
22:42:35.0890 2948 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
22:42:35.0890 2948 usbhub - ok
22:42:35.0906 2948 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
22:42:35.0906 2948 usbprint - ok
22:42:35.0921 2948 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
22:42:35.0921 2948 usbscan - ok
22:42:35.0937 2948 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:42:35.0937 2948 USBSTOR - ok
22:42:35.0968 2948 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
22:42:35.0968 2948 usbuhci - ok
22:42:35.0984 2948 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
22:42:35.0984 2948 VgaSave - ok
22:42:35.0984 2948 ViaIde - ok
22:42:36.0015 2948 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
22:42:36.0015 2948 VolSnap - ok
22:42:36.0046 2948 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
22:42:36.0046 2948 Wanarp - ok
22:42:36.0046 2948 WDICA - ok
22:42:36.0078 2948 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
22:42:36.0078 2948 wdmaud - ok
22:42:36.0125 2948 winachsf (96aff1738271755a39b52eef7e35f98f) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
22:42:36.0156 2948 winachsf - ok
22:42:36.0234 2948 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
22:42:36.0234 2948 WmiAcpi - ok
22:42:36.0265 2948 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
22:42:36.0281 2948 WS2IFSL - ok
22:42:36.0312 2948 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
22:42:36.0312 2948 WudfPf - ok
22:42:36.0343 2948 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
22:42:36.0343 2948 WudfRd - ok
22:42:36.0375 2948 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
22:42:36.0406 2948 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
22:42:36.0406 2948 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
22:42:36.0406 2948 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
22:42:36.0406 2948 \Device\Harddisk0\DR0 - detected TDSS File System (1)
22:42:36.0437 2948 Boot (0x1200) (d1ac8664eee51a993bec59559cf35ee5) \Device\Harddisk0\DR0\Partition0
22:42:36.0437 2948 \Device\Harddisk0\DR0\Partition0 - ok
22:42:36.0437 2948 ============================================================
22:42:36.0437 2948 Scan finished
22:42:36.0437 2948 ============================================================
22:42:36.0453 2936 Detected object count: 2
22:42:36.0453 2936 Actual detected object count: 2
22:43:02.0218 2936 \Device\Harddisk0\DR0\# - copied to quarantine
22:43:02.0218 2936 \Device\Harddisk0\DR0 - copied to quarantine
22:43:02.0250 2936 \Device\Harddisk0\DR0\TDLFS\cfg.ini - copied to quarantine
22:43:02.0250 2936 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
22:43:02.0250 2936 \Device\Harddisk0\DR0\TDLFS\bckfg.tmp - copied to quarantine
22:43:02.0250 2936 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
22:43:02.0250 2936 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
22:43:02.0265 2936 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
22:43:02.0421 2936 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
22:43:02.0421 2936 \Device\Harddisk0\DR0\TDLFS\keywords - copied to quarantine
22:43:02.0421 2936 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
22:43:02.0421 2936 \Device\Harddisk0\DR0 - ok
22:43:02.0437 2936 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure
22:43:02.0437 2936 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
22:43:02.0437 2936 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
22:43:06.0015 3484 Deinitialize success

#14 Aaflac



  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 20 March 2012 - 11:21 PM

On TDSSKiller...

Did its last run (above) need a reboot?


Please run it once again, and this time, when presented with the TDSS File System entry in Threats Detected, select: Delete

Then, post the TDSSKiller log in your reply.


Also download aswMBR

Save it to the Desktop.

XP: Double-click the downloaded file to run the program

When prompted with: This Application can use the Avast! Free AntiVirus for scanning...etc.
Select: Yes

The last line of the run in progress will provide the status of the Avast! scan.
It will say: Downloading Avast! virus definitions database, etc.
When the Avast! scan is done, the last line changes to:
Avast Engine definitions #####

At this point, click the Scan button on the lower left of the aswMBR screen.

The last line will now say "Scanning" while in progress.

Upon completion of the scan, click >Save log< and save it to the Desktop.
Note: Please do NOT attempt to fix anything!!

Exit the program, and post the new aswMBR log in your reply.


Note that a file named MBR.dat is also created on the Desktop.

Please submit MBR.dat for analysis to VirusTotal:
http://www.virustotal.com/

When you get to the website, use the Browse button to navigate to the location of MBR.dat
Click on the file, then, click the Open button.
The file is now displayed in the Submit Box.

Scroll down and click Send File, and wait for the results.

If you get a message saying: 'File has already been analyzed', click: 'Reanalyze file now'

Once scanned, and you see the full results page on your screen, go up to the address bar at the top of the browser, and copy the http://etc. address there.

Then, provide the http:// address of the results page in your reply.

Old duck...


#15 jonesy4321

  • Topic Starter

  • Members
  • 14 posts

Posted 21 March 2012 - 11:09 AM

Yes, my first run of TDSSKiller did require a reboot upon deletion of the detected rootkit.

The new run of TDSSKiller, per your last reply, produced the following log file:

11:39:10.0812 4064 TDSS rootkit removing tool 2.7.21.0 Mar 21 2012 09:06:51
11:39:12.0812 4064 ============================================================
11:39:12.0812 4064 Current date / time: 2012/03/21 11:39:12.0812
11:39:12.0812 4064 SystemInfo:
11:39:12.0812 4064
11:39:12.0812 4064 OS Version: 5.1.2600 ServicePack: 3.0
11:39:12.0812 4064 Product type: Workstation
11:39:12.0812 4064 ComputerName: ZEROZEROONE
11:39:12.0828 4064 UserName: Rob
11:39:12.0828 4064 Windows directory: C:\WINDOWS
11:39:12.0828 4064 System windows directory: C:\WINDOWS
11:39:12.0828 4064 Processor architecture: Intel x86
11:39:12.0828 4064 Number of processors: 2
11:39:12.0828 4064 Page size: 0x1000
11:39:12.0828 4064 Boot type: Normal boot
11:39:12.0828 4064 ============================================================
11:39:14.0187 4064 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
11:39:14.0187 4064 \Device\Harddisk0\DR0:
11:39:14.0187 4064 MBR used
11:39:14.0187 4064 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x2B24B, BlocksNum 0x94E3276
11:39:14.0437 4064 Initialize success
11:39:14.0437 4064 ============================================================
11:39:29.0125 0224 ============================================================
11:39:29.0125 0224 Scan started
11:39:29.0125 0224 Mode: Manual; TDLFS;
11:39:29.0125 0224 ============================================================
11:39:29.0343 0224 Abiosdsk - ok
11:39:29.0359 0224 abp480n5 - ok
11:39:29.0390 0224 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:39:29.0390 0224 ACPI - ok
11:39:29.0421 0224 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
11:39:29.0421 0224 ACPIEC - ok
11:39:29.0437 0224 adpu160m - ok
11:39:29.0453 0224 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
11:39:29.0453 0224 aec - ok
11:39:29.0484 0224 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
11:39:29.0484 0224 AFD - ok
11:39:29.0484 0224 Aha154x - ok
11:39:29.0500 0224 aic78u2 - ok
11:39:29.0500 0224 aic78xx - ok
11:39:29.0515 0224 AliIde - ok
11:39:29.0531 0224 amsint - ok
11:39:29.0546 0224 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
11:39:29.0546 0224 Arp1394 - ok
11:39:29.0562 0224 asc - ok
11:39:29.0562 0224 asc3350p - ok
11:39:29.0578 0224 asc3550 - ok
11:39:29.0593 0224 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
11:39:29.0593 0224 AsyncMac - ok
11:39:29.0609 0224 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
11:39:29.0609 0224 atapi - ok
11:39:29.0609 0224 Atdisk - ok
11:39:29.0625 0224 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
11:39:29.0625 0224 Atmarpc - ok
11:39:29.0656 0224 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
11:39:29.0656 0224 audstub - ok
11:39:29.0687 0224 b57w2k (f96038aa1ec4013a93d2420fc689d1e9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
11:39:29.0687 0224 b57w2k - ok
11:39:29.0781 0224 BCM43XX (345d38f298368dd6b0df5c4f37457a22) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
11:39:29.0796 0224 BCM43XX - ok
11:39:29.0859 0224 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
11:39:29.0859 0224 Beep - ok
11:39:29.0937 0224 catchme - ok
11:39:29.0968 0224 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
11:39:29.0968 0224 cbidf2k - ok
11:39:29.0984 0224 cd20xrnt - ok
11:39:30.0015 0224 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
11:39:30.0015 0224 Cdaudio - ok
11:39:30.0031 0224 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
11:39:30.0031 0224 Cdfs - ok
11:39:30.0046 0224 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
11:39:30.0046 0224 Cdrom - ok
11:39:30.0078 0224 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
11:39:30.0078 0224 cercsr6 - ok
11:39:30.0078 0224 Changer - ok
11:39:30.0109 0224 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
11:39:30.0109 0224 CmBatt - ok
11:39:30.0109 0224 CmdIde - ok
11:39:30.0125 0224 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
11:39:30.0125 0224 Compbatt - ok
11:39:30.0140 0224 Cpqarray - ok
11:39:30.0140 0224 dac2w2k - ok
11:39:30.0156 0224 dac960nt - ok
11:39:30.0171 0224 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
11:39:30.0171 0224 Disk - ok
11:39:30.0203 0224 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
11:39:30.0203 0224 dmboot - ok
11:39:30.0218 0224 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
11:39:30.0218 0224 dmio - ok
11:39:30.0250 0224 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
11:39:30.0250 0224 dmload - ok
11:39:30.0312 0224 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
11:39:30.0312 0224 DMusic - ok
11:39:30.0312 0224 dpti2o - ok
11:39:30.0343 0224 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
11:39:30.0343 0224 drmkaud - ok
11:39:30.0359 0224 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
11:39:30.0359 0224 Fastfat - ok
11:39:30.0390 0224 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
11:39:30.0390 0224 Fdc - ok
11:39:30.0390 0224 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
11:39:30.0390 0224 Fips - ok
11:39:30.0406 0224 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
11:39:30.0406 0224 Flpydisk - ok
11:39:30.0437 0224 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
11:39:30.0437 0224 FltMgr - ok
11:39:30.0484 0224 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:39:30.0484 0224 Fs_Rec - ok
11:39:30.0484 0224 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:39:30.0484 0224 Ftdisk - ok
11:39:30.0515 0224 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:39:30.0515 0224 Gpc - ok
11:39:30.0531 0224 guardian2 (0e1fd1ea2837d6b7a1d7b6c928014d05) C:\WINDOWS\system32\Drivers\oz776.sys
11:39:30.0531 0224 guardian2 - ok
11:39:30.0546 0224 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
11:39:30.0546 0224 HDAudBus - ok
11:39:30.0578 0224 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
11:39:30.0578 0224 HidUsb - ok
11:39:30.0578 0224 hpn - ok
11:39:30.0593 0224 HSFHWAZL (b1526810210980bed9d22315946c919d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
11:39:30.0593 0224 HSFHWAZL - ok
11:39:30.0640 0224 HSF_DPV (ddbd528e60f5961c142a490dc4ea7780) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
11:39:30.0640 0224 HSF_DPV - ok
11:39:30.0734 0224 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
11:39:30.0734 0224 HTTP - ok
11:39:30.0734 0224 i2omgmt - ok
11:39:30.0750 0224 i2omp - ok
11:39:30.0750 0224 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
11:39:30.0750 0224 i8042prt - ok
11:39:30.0765 0224 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
11:39:30.0765 0224 Imapi - ok
11:39:30.0781 0224 ini910u - ok
11:39:30.0781 0224 IntelIde - ok
11:39:30.0796 0224 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:39:30.0796 0224 intelppm - ok
11:39:30.0828 0224 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
11:39:30.0828 0224 Ip6Fw - ok
11:39:30.0843 0224 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:39:30.0843 0224 IpFilterDriver - ok
11:39:30.0875 0224 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:39:30.0875 0224 IpInIp - ok
11:39:30.0890 0224 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:39:30.0890 0224 IpNat - ok
11:39:30.0921 0224 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:39:30.0921 0224 IPSec - ok
11:39:30.0937 0224 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
11:39:30.0937 0224 IRENUM - ok
11:39:30.0968 0224 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:39:30.0968 0224 isapnp - ok
11:39:30.0984 0224 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:39:30.0984 0224 Kbdclass - ok
11:39:31.0000 0224 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
11:39:31.0000 0224 kmixer - ok
11:39:31.0015 0224 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
11:39:31.0015 0224 KSecDD - ok
11:39:31.0046 0224 Lbd (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys
11:39:31.0046 0224 Lbd - ok
11:39:31.0046 0224 lbrtfdc - ok
11:39:31.0078 0224 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
11:39:31.0078 0224 mdmxsdk - ok
11:39:31.0109 0224 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
11:39:31.0109 0224 mnmdd - ok
11:39:31.0140 0224 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
11:39:31.0140 0224 Modem - ok
11:39:31.0187 0224 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:39:31.0187 0224 Mouclass - ok
11:39:31.0203 0224 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
11:39:31.0203 0224 mouhid - ok
11:39:31.0218 0224 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
11:39:31.0218 0224 MountMgr - ok
11:39:31.0218 0224 mraid35x - ok
11:39:31.0250 0224 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:39:31.0250 0224 MRxDAV - ok
11:39:31.0296 0224 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
11:39:31.0296 0224 MRxSmb - ok
11:39:31.0296 0224 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
11:39:31.0296 0224 Msfs - ok
11:39:31.0328 0224 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
11:39:31.0328 0224 MSKSSRV - ok
11:39:31.0390 0224 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:39:31.0390 0224 MSPCLOCK - ok
11:39:31.0421 0224 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
11:39:31.0421 0224 MSPQM - ok
11:39:31.0453 0224 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:39:31.0453 0224 mssmbios - ok
11:39:31.0468 0224 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
11:39:31.0468 0224 Mup - ok
11:39:31.0484 0224 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
11:39:31.0484 0224 NDIS - ok
11:39:31.0515 0224 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:39:31.0515 0224 NdisTapi - ok
11:39:31.0531 0224 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:39:31.0531 0224 Ndisuio - ok
11:39:31.0546 0224 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:39:31.0546 0224 NdisWan - ok
11:39:31.0578 0224 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
11:39:31.0578 0224 NDProxy - ok
11:39:31.0609 0224 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
11:39:31.0609 0224 NetBIOS - ok
11:39:31.0625 0224 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
11:39:31.0625 0224 NetBT - ok
11:39:31.0671 0224 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
11:39:31.0671 0224 NIC1394 - ok
11:39:31.0687 0224 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
11:39:31.0687 0224 Npfs - ok
11:39:31.0703 0224 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
11:39:31.0703 0224 Ntfs - ok
11:39:31.0734 0224 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
11:39:31.0734 0224 Null - ok
11:39:31.0921 0224 nv (8129d762cc3e3c5ab9cf2eabc377fb73) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
11:39:31.0953 0224 nv - ok
11:39:32.0046 0224 NWADI (2d7e00b3899afffb800361d89a0c7660) C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
11:39:32.0046 0224 NWADI - ok
11:39:32.0062 0224 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:39:32.0062 0224 NwlnkFlt - ok
11:39:32.0078 0224 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:39:32.0078 0224 NwlnkFwd - ok
11:39:32.0109 0224 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
11:39:32.0109 0224 ohci1394 - ok
11:39:32.0125 0224 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
11:39:32.0125 0224 Parport - ok
11:39:32.0140 0224 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
11:39:32.0140 0224 PartMgr - ok
11:39:32.0156 0224 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
11:39:32.0156 0224 ParVdm - ok
11:39:32.0171 0224 PCASp50 - ok
11:39:32.0187 0224 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
11:39:32.0187 0224 PCI - ok
11:39:32.0187 0224 PCIDump - ok
11:39:32.0218 0224 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
11:39:32.0218 0224 PCIIde - ok
11:39:32.0218 0224 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
11:39:32.0218 0224 Pcmcia - ok
11:39:32.0234 0224 PDCOMP - ok
11:39:32.0234 0224 PDFRAME - ok
11:39:32.0250 0224 PDRELI - ok
11:39:32.0265 0224 PDRFRAME - ok
11:39:32.0265 0224 perc2 - ok
11:39:32.0281 0224 perc2hib - ok
11:39:32.0312 0224 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:39:32.0312 0224 PptpMiniport - ok
11:39:32.0328 0224 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
11:39:32.0328 0224 PSched - ok
11:39:32.0359 0224 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:39:32.0359 0224 Ptilink - ok
11:39:32.0375 0224 ql1080 - ok
11:39:32.0375 0224 Ql10wnt - ok
11:39:32.0390 0224 ql12160 - ok
11:39:32.0406 0224 ql1240 - ok
11:39:32.0406 0224 ql1280 - ok
11:39:32.0421 0224 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:39:32.0421 0224 RasAcd - ok
11:39:32.0437 0224 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:39:32.0437 0224 Rasl2tp - ok
11:39:32.0453 0224 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:39:32.0453 0224 RasPppoe - ok
11:39:32.0468 0224 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
11:39:32.0468 0224 Raspti - ok
11:39:32.0484 0224 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:39:32.0500 0224 Rdbss - ok
11:39:32.0515 0224 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:39:32.0515 0224 RDPCDD - ok
11:39:32.0531 0224 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
11:39:32.0531 0224 rdpdr - ok
11:39:32.0593 0224 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
11:39:32.0593 0224 RDPWD - ok
11:39:32.0656 0224 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
11:39:32.0656 0224 redbook - ok
11:39:32.0703 0224 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:39:32.0703 0224 Secdrv - ok
11:39:32.0734 0224 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
11:39:32.0734 0224 serenum - ok
11:39:32.0750 0224 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
11:39:32.0750 0224 Serial - ok
11:39:32.0765 0224 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
11:39:32.0765 0224 Sfloppy - ok
11:39:32.0781 0224 Simbad - ok
11:39:32.0796 0224 Sparrow - ok
11:39:32.0812 0224 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
11:39:32.0812 0224 splitter - ok
11:39:32.0828 0224 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
11:39:32.0828 0224 sr - ok
11:39:32.0875 0224 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
11:39:32.0875 0224 Srv - ok
11:39:32.0937 0224 STHDA (31ba85e1cff39a57f702a2a0877bb8e1) C:\WINDOWS\system32\drivers\sthda.sys
11:39:32.0953 0224 STHDA - ok
11:39:32.0968 0224 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
11:39:32.0968 0224 swenum - ok
11:39:33.0000 0224 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
11:39:33.0000 0224 swmidi - ok
11:39:33.0046 0224 symc810 - ok
11:39:33.0046 0224 symc8xx - ok
11:39:33.0062 0224 sym_hi - ok
11:39:33.0078 0224 sym_u3 - ok
11:39:33.0109 0224 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
11:39:33.0109 0224 sysaudio - ok
11:39:33.0171 0224 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:39:33.0171 0224 Tcpip - ok
11:39:33.0203 0224 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
11:39:33.0203 0224 TDPIPE - ok
11:39:33.0218 0224 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
11:39:33.0218 0224 TDTCP - ok
11:39:33.0250 0224 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
11:39:33.0250 0224 TermDD - ok
11:39:33.0265 0224 TosIde - ok
11:39:33.0296 0224 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
11:39:33.0296 0224 Udfs - ok
11:39:33.0328 0224 UIUSys (7020c64a20709b39cbe4a1cf371a9cd5) C:\WINDOWS\system32\DRIVERS\UIUSYS.SYS
11:39:33.0328 0224 UIUSys - ok
11:39:33.0343 0224 ultra - ok
11:39:33.0406 0224 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
11:39:33.0406 0224 Update - ok
11:39:33.0468 0224 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:39:33.0468 0224 usbccgp - ok
11:39:33.0546 0224 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:39:33.0546 0224 usbehci - ok
11:39:33.0578 0224 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:39:33.0578 0224 usbhub - ok
11:39:33.0593 0224 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
11:39:33.0593 0224 usbprint - ok
11:39:33.0625 0224 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
11:39:33.0625 0224 usbscan - ok
11:39:33.0640 0224 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:39:33.0640 0224 USBSTOR - ok
11:39:33.0671 0224 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
11:39:33.0671 0224 usbuhci - ok
11:39:33.0687 0224 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
11:39:33.0687 0224 VgaSave - ok
11:39:33.0703 0224 ViaIde - ok
11:39:33.0718 0224 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
11:39:33.0718 0224 VolSnap - ok
11:39:33.0750 0224 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:39:33.0750 0224 Wanarp - ok
11:39:33.0765 0224 WDICA - ok
11:39:33.0781 0224 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
11:39:33.0781 0224 wdmaud - ok
11:39:33.0843 0224 winachsf (96aff1738271755a39b52eef7e35f98f) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
11:39:33.0843 0224 winachsf - ok
11:39:33.0890 0224 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
11:39:33.0890 0224 WmiAcpi - ok
11:39:33.0921 0224 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
11:39:33.0921 0224 WS2IFSL - ok
11:39:34.0000 0224 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
11:39:34.0015 0224 WudfPf - ok
11:39:34.0031 0224 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
11:39:34.0031 0224 WudfRd - ok
11:39:34.0062 0224 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
11:39:34.0390 0224 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
11:39:34.0390 0224 \Device\Harddisk0\DR0 - detected TDSS File System (1)
11:39:34.0406 0224 Boot (0x1200) (d1ac8664eee51a993bec59559cf35ee5) \Device\Harddisk0\DR0\Partition0
11:39:34.0406 0224 \Device\Harddisk0\DR0\Partition0 - ok
11:39:34.0406 0224 ============================================================
11:39:34.0406 0224 Scan finished
11:39:34.0406 0224 ============================================================
11:39:34.0421 2536 Detected object count: 1
11:39:34.0421 2536 Actual detected object count: 1
11:42:17.0031 2536 \Device\Harddisk0\DR0\TDLFS\cfg.ini - copied to quarantine
11:42:17.0046 2536 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
11:42:17.0046 2536 \Device\Harddisk0\DR0\TDLFS\bckfg.tmp - copied to quarantine
11:42:17.0046 2536 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
11:42:17.0046 2536 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
11:42:17.0046 2536 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
11:42:17.0046 2536 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
11:42:17.0093 2536 \Device\Harddisk0\DR0\TDLFS\keywords - copied to quarantine
11:42:17.0093 2536 \Device\Harddisk0\DR0\TDLFS - deleted
11:42:17.0093 2536 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Delete
11:42:23.0968 3072 Deinitialize success

The aswMBR log file is as follows:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-21 11:43:24
-----------------------------
11:43:24.625 OS Version: Windows 5.1.2600 Service Pack 3
11:43:24.625 Number of processors: 2 586 0x1706
11:43:24.625 ComputerName: ZEROZEROONE UserName: Rob
11:43:24.968 Initialize success
11:46:41.484 AVAST engine defs: 12032000
11:47:08.015 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
11:47:08.015 Disk 0 Vendor: TOSHIBA_MK8051GSY LD201D Size: 76319MB BusType: 3
11:47:08.046 Disk 0 MBR read successfully
11:47:08.046 Disk 0 MBR scan
11:47:08.078 Disk 0 Windows XP default MBR code
11:47:08.078 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 86 MB offset 63
11:47:08.093 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 76230 MB offset 176715
11:47:08.093 Disk 0 scanning sectors +156296385
11:47:08.171 Disk 0 scanning C:\WINDOWS\system32\drivers
11:47:15.546 Service scanning
11:47:31.312 Modules scanning
11:47:43.296 Disk 0 trace - called modules:
11:47:43.312 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
11:47:43.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a599ab8]
11:47:43.328 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8a685d98]
11:47:43.781 AVAST engine scan C:\WINDOWS
11:47:59.140 AVAST engine scan C:\WINDOWS\system32
11:49:51.828 AVAST engine scan C:\WINDOWS\system32\drivers
11:50:01.750 AVAST engine scan C:\Documents and Settings\Rob
11:54:07.406 File: C:\Documents and Settings\Rob\Desktop\RK_Quarantine\ip3CcbRo8pL3nc.exe.vir **INFECTED** Win32:FakeSysdefs-A [Trj]
11:57:29.765 AVAST engine scan C:\Documents and Settings\All Users
11:57:32.593 File: C:\Documents and Settings\All Users\Application Data\ip3CcbRo8pL3nc.exe **INFECTED** Win32:FakeSysdefs-A [Trj]
11:58:22.546 Scan finished successfully
11:58:53.812 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Rob\Desktop\MBR.dat"
11:58:53.843 The log file has been saved successfully to "C:\Documents and Settings\Rob\Desktop\aswMBR.txt"


The web address for the VirusTotal analysis of the MBR.dat file follows:
https://www.virustotal.com/file/e6fbb3fa0288be221f81cd5b87fe6f9ab44b61c135e5811e13b3488982e61767/analysis/1332345622/
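The two TDSSKiller runs above differ in one important way: the first cured Rootkit.Boot.SST.b but left the TDSS File System entry skipped, and the second deleted it. The helper below, added here as an example and not part of this thread or of TDSSKiller itself, parses that log format and reports what a run still leaves open (a pending reboot, a skipped threat, a count that does not match the detections). The line format it assumes is inferred from the posted logs, and the two excerpts are constructed from them with the driver enumeration trimmed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One TDSSKiller line: "<HH:MM:SS.mmmm> <thread id> <message>".
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(?P<msg>.*)$")
# "<object> ( <threat> ) - infected|warning|will be cured on reboot|User select action: X"
THREAT_RE = re.compile(r"^(?P<obj>\S+) \( (?P<threat>.+?) \) - (?P<rest>.+)$")
# "MBR (0x1B8) (<md5>) \Device\Harddisk0\DR0": hash of the boot sector that was scanned.
MBR_RE = re.compile(r"^MBR \(0x[0-9A-Fa-f]+\) \((?P<md5>[0-9a-f]{32})\) \S+$")
QUAR_RE = re.compile(r"^(?P<path>\S+) - copied to quarantine$")
DELETE_RE = re.compile(r"^(?P<path>\S+) - deleted$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")

@dataclass
class Finding:
    obj: str
    threat: str
    status: str                   # "infected" (named rootkit) or "warning" (hidden TDLFS volume)
    action: Optional[str] = None  # Cure / Skip / Delete, as chosen in the Threats Detected dialog
    reboot_pending: bool = False  # "will be cured on reboot" was logged for this object

@dataclass
class Report:
    mbr_md5: Optional[str] = None
    declared_count: Optional[int] = None
    findings: Dict[Tuple[str, str], Finding] = field(default_factory=dict)
    quarantined: List[str] = field(default_factory=list)
    deleted: List[str] = field(default_factory=list)

def parse_tdsskiller_log(text: str) -> Report:
    """Collect detections, the user's actions and quarantine activity from a TDSSKiller log."""
    report = Report()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # separators, blank lines, anything that is not a timestamped entry
        msg = m["msg"]
        if (t := THREAT_RE.match(msg)):
            key, rest = (t["obj"], t["threat"]), t["rest"]
            if rest in ("infected", "warning"):
                report.findings.setdefault(key, Finding(t["obj"], t["threat"], rest))
            elif key in report.findings:
                if rest == "will be cured on reboot":
                    report.findings[key].reboot_pending = True
                elif rest.startswith("User select action: "):
                    report.findings[key].action = rest.split(": ", 1)[1]
        elif (q := QUAR_RE.match(msg)):
            report.quarantined.append(q["path"])
        elif (d := DELETE_RE.match(msg)):
            report.deleted.append(d["path"])
        elif (b := MBR_RE.match(msg)):
            report.mbr_md5 = b["md5"]
        elif (c := COUNT_RE.match(msg)):
            report.declared_count = int(c["n"])
    return report

def followup(report: Report) -> List[str]:
    """Reasons the run still needs attention; an empty list means it resolved everything it found."""
    notes = []
    if report.declared_count is not None and report.declared_count != len(report.findings):
        notes.append(f"count mismatch: log declares {report.declared_count}, parsed {len(report.findings)}")
    for f in report.findings.values():
        if f.reboot_pending:
            notes.append(f"reboot required to cure {f.threat} on {f.obj}")
        if f.action in (None, "Skip"):
            notes.append(f"{f.threat} on {f.obj} left in place (action: {f.action or 'none'})")
    return notes

# Constructed excerpts of the two runs posted in this thread (driver enumeration trimmed).
FIRST_RUN = r"""
22:42:36.0375 2948 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
22:42:36.0406 2948 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
22:42:36.0406 2948 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
22:42:36.0453 2936 Detected object count: 2
22:43:02.0218 2936 \Device\Harddisk0\DR0 - copied to quarantine
22:43:02.0250 2936 \Device\Harddisk0\DR0\TDLFS\cfg.ini - copied to quarantine
22:43:02.0421 2936 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
22:43:02.0437 2936 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure
22:43:02.0437 2936 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
"""
SECOND_RUN = r"""
11:39:34.0062 0224 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
11:39:34.0390 0224 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
11:39:34.0421 2536 Detected object count: 1
11:42:17.0031 2536 \Device\Harddisk0\DR0\TDLFS\cfg.ini - copied to quarantine
11:42:17.0093 2536 \Device\Harddisk0\DR0\TDLFS - deleted
11:42:17.0093 2536 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Delete
"""

if __name__ == "__main__":
    for name, log in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
        r = parse_tdsskiller_log(log)
        print(name, r.mbr_md5, followup(r) or ["no follow-up needed"])
```

Run against the first excerpt it flags the pending reboot and the skipped TDSS File System; against the second it reports nothing left open, which is the state the helper was asking for.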



