
Cleaned out SMART HDD, still have a rootkit / google redirects


  • This topic is locked
41 replies to this topic

#16 walltron3030

walltron3030
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:01:55 PM

Posted 14 April 2012 - 07:05 PM

29.1M Apr 14 2012 /mnt/sda2/WINDOWS/system32/config/software
6.3M Apr 14 2012 /mnt/sda2/WINDOWS/system32/config/system

29.0M Jan 22 00:37 /sda2/~/RP408/~SOFTWARE
29.0M Jan 23 02:59 /sda2/~/RP409/~SOFTWARE
29.0M Jan 25 01:07 /sda2/~/RP410/~SOFTWARE
29.0M Jan 26 16:01 /sda2/~/RP411/~SOFTWARE
29.0M Jan 28 20:16 /sda2/~/RP412/~SOFTWARE
29.0M Jan 30 00:02 /sda2/~/RP413/~SOFTWARE
29.0M Jan 31 23:28 /sda2/~/RP414/~SOFTWARE
29.0M Feb 2 00:50 /sda2/~/RP415/~SOFTWARE
29.0M Feb 3 02:26 /sda2/~/RP416/~SOFTWARE
29.0M Feb 4 15:43 /sda2/~/RP417/~SOFTWARE
29.0M Feb 5 18:07 /sda2/~/RP418/~SOFTWARE
29.0M Feb 7 01:12 /sda2/~/RP419/~SOFTWARE
29.0M Feb 9 21:41 /sda2/~/RP420/~SOFTWARE
29.0M Feb 12 15:13 /sda2/~/RP421/~SOFTWARE
29.0M Feb 13 15:50 /sda2/~/RP422/~SOFTWARE
29.0M Feb 14 17:09 /sda2/~/RP423/~SOFTWARE
29.0M Feb 16 02:42 /sda2/~/RP424/~SOFTWARE
29.0M Feb 16 05:15 /sda2/~/RP425/~SOFTWARE
29.1M Feb 18 01:32 /sda2/~/RP426/~SOFTWARE
29.1M Feb 19 17:22 /sda2/~/RP427/~SOFTWARE
29.1M Feb 21 23:24 /sda2/~/RP429/~SOFTWARE
29.1M Feb 23 22:49 /sda2/~/RP430/~SOFTWARE
29.1M Feb 24 23:18 /sda2/~/RP431/~SOFTWARE
29.1M Feb 26 06:13 /sda2/~/RP432/~SOFTWARE
29.1M Feb 28 02:42 /sda2/~/RP433/~SOFTWARE
29.1M Mar 1 00:28 /sda2/~/RP434/~SOFTWARE
29.1M Mar 4 17:18 /sda2/~/RP435/~SOFTWARE
29.1M Mar 6 00:12 /sda2/~/RP436/~SOFTWARE
29.1M Mar 7 22:44 /sda2/~/RP437/~SOFTWARE
29.1M Mar 9 00:24 /sda2/~/RP438/~SOFTWARE
29.1M Mar 10 01:28 /sda2/~/RP439/~SOFTWARE
29.1M Mar 11 18:43 /sda2/~/RP440/~SOFTWARE
29.1M Mar 13 22:09 /sda2/~/RP441/~SOFTWARE
29.1M Mar 14 03:27 /sda2/~/RP442/~SOFTWARE
29.1M Mar 15 19:23 /sda2/~/RP443/~SOFTWARE
29.1M Mar 17 21:35 /sda2/~/RP444/~SOFTWARE
29.1M Mar 18 23:05 /sda2/~/RP445/~SOFTWARE
29.1M Mar 19 23:38 /sda2/~/RP446/~SOFTWARE
29.1M Mar 22 01:43 /sda2/~/RP447/~SOFTWARE
29.1M Mar 26 22:54 /sda2/~/RP448/~SOFTWARE
29.1M Mar 29 06:26 /sda2/~/RP449/~SOFTWARE
29.1M Mar 31 16:49 /sda2/~/RP450/~SOFTWARE
29.1M Apr 1 20:46 /sda2/~/RP451/~SOFTWARE
29.1M Apr 2 02:44 /sda2/~/RP452/~SOFTWARE
29.1M Apr 4 02:07 /sda2/~/RP453/~SOFTWARE
29.1M Apr 5 21:58 /sda2/~/RP454/~SOFTWARE
29.1M Apr 11 00:58 /sda2/~/RP455/~SOFTWARE
29.1M Apr 12 02:27 /sda2/~/RP456/~SOFTWARE
29.0M Jan 14 04:28 /sda2/~/RP402/~SOFTWARE
29.0M Jan 15 16:40 /sda2/~/RP403/~SOFTWARE
29.0M Jan 16 17:27 /sda2/~/RP404/~SOFTWARE
29.0M Jan 17 04:55 /sda2/~/RP405/~SOFTWARE
29.0M Jan 18 22:46 /sda2/~/RP406/~SOFTWARE
29.0M Jan 21 00:11 /sda2/~/RP407/~SOFTWARE
29.1M Feb 20 19:49 /sda2/~/RP428/~SOFTWARE
6.0M Jan 22 00:37 /sda2/~/RP408/~SYSTEM
6.0M Jan 23 02:59 /sda2/~/RP409/~SYSTEM
6.0M Jan 25 01:07 /sda2/~/RP410/~SYSTEM
6.0M Jan 26 16:01 /sda2/~/RP411/~SYSTEM
6.0M Jan 28 20:16 /sda2/~/RP412/~SYSTEM
6.0M Jan 30 00:02 /sda2/~/RP413/~SYSTEM
6.0M Jan 31 23:28 /sda2/~/RP414/~SYSTEM
6.0M Feb 2 00:50 /sda2/~/RP415/~SYSTEM
6.0M Feb 3 02:26 /sda2/~/RP416/~SYSTEM
6.0M Feb 4 15:43 /sda2/~/RP417/~SYSTEM
6.0M Feb 5 18:07 /sda2/~/RP418/~SYSTEM
6.0M Feb 7 01:12 /sda2/~/RP419/~SYSTEM
6.0M Feb 9 21:41 /sda2/~/RP420/~SYSTEM
6.0M Feb 12 15:13 /sda2/~/RP421/~SYSTEM
6.0M Feb 13 15:51 /sda2/~/RP422/~SYSTEM
6.0M Feb 14 17:09 /sda2/~/RP423/~SYSTEM
6.0M Feb 16 02:42 /sda2/~/RP424/~SYSTEM
6.0M Feb 16 05:15 /sda2/~/RP425/~SYSTEM
6.0M Feb 18 01:32 /sda2/~/RP426/~SYSTEM
6.0M Feb 19 17:22 /sda2/~/RP427/~SYSTEM
6.0M Feb 21 23:24 /sda2/~/RP429/~SYSTEM
6.0M Feb 23 22:49 /sda2/~/RP430/~SYSTEM
6.0M Feb 24 23:18 /sda2/~/RP431/~SYSTEM
6.0M Feb 26 06:13 /sda2/~/RP432/~SYSTEM
6.0M Feb 28 02:42 /sda2/~/RP433/~SYSTEM
6.0M Mar 1 00:28 /sda2/~/RP434/~SYSTEM
6.0M Mar 4 17:18 /sda2/~/RP435/~SYSTEM
6.0M Mar 6 00:12 /sda2/~/RP436/~SYSTEM
6.0M Mar 7 22:44 /sda2/~/RP437/~SYSTEM
6.0M Mar 9 00:24 /sda2/~/RP438/~SYSTEM
6.0M Mar 10 01:28 /sda2/~/RP439/~SYSTEM
6.0M Mar 11 18:43 /sda2/~/RP440/~SYSTEM
6.0M Mar 13 22:09 /sda2/~/RP441/~SYSTEM
6.0M Mar 14 03:27 /sda2/~/RP442/~SYSTEM
6.0M Mar 15 19:23 /sda2/~/RP443/~SYSTEM
6.0M Mar 17 21:35 /sda2/~/RP444/~SYSTEM
6.0M Mar 18 23:05 /sda2/~/RP445/~SYSTEM
6.0M Mar 19 23:38 /sda2/~/RP446/~SYSTEM
6.0M Mar 22 01:43 /sda2/~/RP447/~SYSTEM
6.0M Mar 26 22:54 /sda2/~/RP448/~SYSTEM
6.0M Mar 29 06:26 /sda2/~/RP449/~SYSTEM
6.0M Mar 31 16:49 /sda2/~/RP450/~SYSTEM
6.0M Apr 1 20:46 /sda2/~/RP451/~SYSTEM
6.0M Apr 2 02:44 /sda2/~/RP452/~SYSTEM
6.0M Apr 4 02:07 /sda2/~/RP453/~SYSTEM
6.1M Apr 5 21:58 /sda2/~/RP454/~SYSTEM
6.1M Apr 11 00:58 /sda2/~/RP455/~SYSTEM
6.1M Apr 12 02:27 /sda2/~/RP456/~SYSTEM
6.0M Jan 14 04:28 /sda2/~/RP402/~SYSTEM
6.0M Jan 15 16:40 /sda2/~/RP403/~SYSTEM
6.0M Jan 16 17:27 /sda2/~/RP404/~SYSTEM
6.0M Jan 17 04:55 /sda2/~/RP405/~SYSTEM
6.0M Jan 18 22:46 /sda2/~/RP406/~SYSTEM
6.0M Jan 21 00:11 /sda2/~/RP407/~SYSTEM
6.0M Feb 20 19:49 /sda2/~/RP428/~SYSTEM



#17 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:55 PM

Posted 14 April 2012 - 07:49 PM

That's a good list. Our goal here is to restore the machine to an earlier time when the infection had not gripped the machine and allow us to boot back in so we can then deal with it. This won't clean the machine but can give us access.

You state that this infection hit you around April 1 so we'll use a point from a week or so earlier and let's see if we can use it to help get your computer booting properly.

  • Boot the Sick computer with the USB drive again
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh -r then press Enter
  • Type 447
  • Press Enter
  • After it has finished a report will be located at sdb1 named restore.log
  • Please try to boot into normal Windows now and indicate if you were successful

Please note - all text entries are case sensitive.

Copy and paste the restore.log from your USB drive for my review and hold tight, don't try and do anything on the machine until I have seen the log.
m0le is a proud member of UNITE
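The restore-point step above comes down to one decision: from the listing of backed-up hives, pick the newest point that is comfortably older than the infection and that still has every hive the restore script needs. The following Python example is added here to show that selection over a constructed slice of the listing; it is not the thread's rst.sh script and not code from either poster. It assumes every line falls in one calendar year (2012, supplied by the caller, since the listing has no year column), and the function names and the seven-day margin are this example's own reading of "a week or so earlier".

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the hive listing posted in the thread
# (size, month, day, time, path). Only a handful of lines, not the full list.
SAMPLE_LISTING = """\
29.1M Apr 14 2012 /mnt/sda2/WINDOWS/system32/config/software
29.1M Mar 19 23:38 /sda2/~/RP446/~SOFTWARE
29.1M Mar 22 01:43 /sda2/~/RP447/~SOFTWARE
29.1M Mar 26 22:54 /sda2/~/RP448/~SOFTWARE
29.1M Apr 1 20:46 /sda2/~/RP451/~SOFTWARE
6.0M Mar 22 01:43 /sda2/~/RP447/~SYSTEM
6.0M Mar 26 22:54 /sda2/~/RP448/~SYSTEM
6.1M Apr 11 00:58 /sda2/~/RP455/~SYSTEM
"""

# One listing line: size, "Mon D", "HH:MM", then a path ending in /RP<n>/~<HIVE>.
# The live hives (first line above) carry a year where the time would be and
# are deliberately not matched: they are what the restore replaces.
LINE_RE = re.compile(
    r"^\s*(?P<size>\S+)\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2})\s+\S*/RP(?P<rp>\d+)/~(?P<hive>\w+)\s*$"
)


def parse_listing(text, year):
    """Map restore point number -> {"date": datetime, "hives": set of hive names}.

    The listing has no year column, so the caller supplies it (assumption:
    all points fall within one calendar year, as in the thread).
    """
    points = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(
            f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M %Y"
        )
        # First timestamp seen for a point wins; hives of one point are written
        # within a minute of each other, so the difference does not matter here.
        entry = points.setdefault(int(m["rp"]), {"date": stamp, "hives": set()})
        entry["hives"].add(m["hive"].upper())
    return points


def choose_restore_point(points, infection_date, margin_days=7,
                         required=("SOFTWARE", "SYSTEM")):
    """Newest point at least margin_days before the infection holding every required hive.

    Returns the RP number, or None when nothing qualifies. The margin is the
    thread's "week or so earlier" rule: a point taken just before symptoms
    appeared may already carry the malware's registry changes.
    """
    cutoff = infection_date - timedelta(days=margin_days)
    candidates = [
        rp for rp, entry in points.items()
        if entry["date"] <= cutoff and set(required) <= entry["hives"]
    ]
    if not candidates:
        return None
    # Newest by timestamp; the RP number only breaks ties, because the listing
    # is not guaranteed to be in numeric order (the thread's RP428 appears last).
    return max(candidates, key=lambda rp: (points[rp]["date"], rp))


if __name__ == "__main__":
    pts = parse_listing(SAMPLE_LISTING, 2012)
    print(choose_restore_point(pts, datetime(2012, 4, 1)))  # 447, the point picked in the thread
```

Run against the full listing from the post, with April 1 as the infection date, the same rule lands on RP447 (March 22): RP448 is inside the one-week margin, and RP446 qualifies on date but is older. Requiring both hives guards against a point whose SYSTEM backup is missing or truncated, which the restore script would otherwise silently skip.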

#18 walltron3030

walltron3030
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:01:55 PM

Posted 14 April 2012 - 08:41 PM

SOFTWARE hive restored from RP447
SYSTEM hive restored from RP447
SECURITY hive restored from RP447
SAM hive restored from RP447

The infected machine boots fine.

#19 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:55 PM

Posted 15 April 2012 - 05:27 AM

Please avoid rebooting the machine at this time. Now we can scan and see what else might be in the system. We'll start with a non-invasive rootkit scan.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Edited by m0le, 15 April 2012 - 05:27 AM.

m0le is a proud member of UNITE

#20 walltron3030

walltron3030
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:01:55 PM

Posted 15 April 2012 - 07:51 PM

Yeah, ASWMBR still doesn't run.

#21 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:55 PM

Posted 15 April 2012 - 08:12 PM

If you can boot into safe mode, please try aswMBR there.
m0le is a proud member of UNITE

#22 walltron3030

walltron3030
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:01:55 PM

Posted 16 April 2012 - 09:03 AM

aswMBR still doesn't work in safe mode either.

#23 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:55 PM

Posted 16 April 2012 - 01:30 PM

Please run OTL, this should run and should help us work out what ZeroAccess has done to your machine. Let me know if anything becomes more difficult to do than before. As long as we have a booting machine we should be able to clean this one.

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Please copy the following into the Custom Scans box at the bottom

    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    
  • Now click the Run Scan button on the toolbar.
  • Let it run until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Post the log in the next reply.
m0le is a proud member of UNITE
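The /md5start ... /md5stop block above asks OTL to report hashes of a set of core Windows drivers and DLLs so that a copy replaced or patched in place can be spotted; the actual check is a comparison against a copy known to be good. The Python example below is added to show that comparison for a subset of those names. It is not OTL's code and not from the thread; what serves as the reference directory (a dllcache copy, install media, or a file pulled out of a restore point) is an assumption left to the caller, and the files written by demo() are constructed byte strings, not real binaries.

```python
import hashlib
import os
import tempfile

# File names taken from the /md5start ... /md5stop block in the thread (subset).
WATCHED_FILES = ["eventlog.dll", "scecli.dll", "netlogon.dll", "atapi.sys", "iaStor.sys"]


def md5_of(path, chunk_size=1 << 16):
    """MD5 hex digest of a file, read in chunks so a large driver is not loaded whole."""
    # MD5 is used to match what OTL's md5 scan reports; new tooling should prefer SHA-256.
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def compare_against_reference(live_dir, ref_dir, names):
    """Compare each watched file in live_dir with its copy in ref_dir.

    Returns name -> one of 'ok', 'mismatch', 'missing-live', 'missing-ref'.
    A 'mismatch' on a core system file is the lead the md5 scan is looking
    for; on its own it is not proof of tampering, because service packs and
    hotfixes legitimately change these files, so the reference copy must be
    from the same patch level.
    """
    results = {}
    for name in names:
        live_path = os.path.join(live_dir, name)
        ref_path = os.path.join(ref_dir, name)
        if not os.path.isfile(live_path):
            results[name] = "missing-live"
        elif not os.path.isfile(ref_path):
            results[name] = "missing-ref"
        elif md5_of(live_path) == md5_of(ref_path):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Run the comparison over a constructed live/reference tree (no real system files)."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "system32")
        ref = os.path.join(tmp, "dllcache")
        os.makedirs(live)
        os.makedirs(ref)
        # (bytes on the live system, bytes in the reference copy); None = file absent.
        pairs = {
            "eventlog.dll": (b"MZ clean eventlog", b"MZ clean eventlog"),  # identical
            "scecli.dll":   (b"MZ clean scecli",   b"MZ clean scecli"),    # identical
            "atapi.sys":    (b"MZ atapi PATCHED",  b"MZ atapi original"),  # differs
            "netlogon.dll": (None,                 b"MZ clean netlogon"),  # absent on live
            "iaStor.sys":   (b"MZ iastor",         None),                  # no reference copy
        }
        for name, (live_bytes, ref_bytes) in pairs.items():
            if live_bytes is not None:
                with open(os.path.join(live, name), "wb") as fh:
                    fh.write(live_bytes)
            if ref_bytes is not None:
                with open(os.path.join(ref, name), "wb") as fh:
                    fh.write(ref_bytes)
        return compare_against_reference(live, ref, WATCHED_FILES)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14s} {status}")
```

The four states are deliberately kept apart: a missing reference copy is a gap in the analyst's baseline, not a finding about the machine, while a file absent on the live system (or present with a different hash) is what should be followed up, for instance by reading the file from the offline boot environment rather than through the running Windows it may be hooking.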

#24 walltron3030

walltron3030
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:01:55 PM

Posted 16 April 2012 - 02:33 PM

OTL logfile created on: 4/16/2012 3:23:04 PM - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Walter\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.34 Mb Total Physical Memory | 629.90 Mb Available Physical Memory | 62.10% Memory free
2.38 Gb Paging File | 2.11 Gb Available in Paging File | 88.35% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.97 Gb Total Space | 16.20 Gb Free Space | 10.88% Space Free | Partition Type: NTFS
Drive D: | 1.87 Gb Total Space | 1.86 Gb Free Space | 99.47% Space Free | Partition Type: FAT

Computer Name: D9VCNLK1 | User Name: Walter | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Walter\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\CapsLKNotify\CapsLKNotify.exe (Compal Electronics, Inc)
PRC - C:\Program Files\Wireless Select Switch\WLSS.exe (Dell)
PRC - C:\Program Files\Battery Meter\BTMeter.exe (Dell)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\QuickTime\QTSystem\QTCF.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\objc.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\ASL.dll ()
MOD - C:\Program Files\WinRAR\RarExt.dll ()
MOD - C:\WINDOWS\system32\EMSC.DLL ()
MOD - C:\WINDOWS\system32\preflib.dll ()
MOD - C:\WINDOWS\system32\bcm1xsup.dll ()
MOD - C:\WINDOWS\system32\cpwmon2k.dll ()


========== Win32 Services (SafeList) ==========

SRV - (getPlusHelper) getPlus® -- C:\Program Files\NOS\bin\getPlus_Helper.dll File not found
SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (MBAMSwissArmy) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (HTCAND32) -- System32\Drivers\ANDROIDUSB.sys File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\Walter\LOCALS~1\Temp\catchme.sys File not found
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (Lbd) -- C:\WINDOWS\system32\drivers\Lbd.sys (Lavasoft AB)
DRV - (RSUSBSTOR) -- C:\WINDOWS\system32\drivers\RtsUStor.sys (Realtek Semiconductor Corp.)
DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (Monfilt) -- C:\WINDOWS\system32\drivers\Monfilt.sys (Creative Technology Ltd.)
DRV - (Ambfilt) -- C:\WINDOWS\system32\drivers\Ambfilt.sys (Creative)
DRV - (CtClsFlt) -- C:\WINDOWS\system32\drivers\CtClsFlt.sys (Creative Technology Ltd.)
DRV - (OA012Vid) -- C:\WINDOWS\system32\drivers\OA012Vid.sys (Creative Technology Ltd.)
DRV - (OA012Afx) -- C:\WINDOWS\system32\drivers\OA012Afx.sys (Creative Technology Ltd.)
DRV - (OA012Ufd) -- C:\WINDOWS\system32\drivers\OA012Ufd.sys (Creative Technology Ltd.)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (BCMWLNPF) -- C:\WINDOWS\system32\drivers\BCMWLNPF.SYS (CACE Technologies)
DRV - (EMSC) -- C:\WINDOWS\system32\drivers\EMSC.sys (Windows ® Codename Longhorn DDK provider)
DRV - (WinUSB) -- C:\WINDOWS\system32\drivers\winusb.sys (Microsoft Corporation)
DRV - (SilverLink) Texas Instruments SilverLink (USB GraphLink) -- C:\WINDOWS\system32\drivers\SilvrLnk.sys (Texas Instruments Incorporated)
DRV - (TICalc) -- C:\WINDOWS\System32\drivers\Ticalc.sys ()


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.msn.com/USCON/1
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://myneu.neu.edu/cp/home/loginf"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.18
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 63677
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\2.0.31005.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.17: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.17: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@wolfram.com/Mathematica: C:\Program Files\Common Files\Wolfram Research\Browser\8.0.0.1802959\npmathplugin.dll (Wolfram Research, Inc.)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\Walter\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\Walter\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Walter\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Walter\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2011/07/25 23:05:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2011/07/24 09:33:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/03/18 09:55:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/12 20:30:01 | 000,000,000 | ---D | M]

[2009/10/03 18:03:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Walter\Application Data\Mozilla\Extensions
[2009/10/03 18:03:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Walter\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2012/03/18 23:29:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Walter\Application Data\Mozilla\Firefox\Profiles\f2m0ib8d.default\extensions
[2012/01/10 23:15:24 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/03/18 09:55:58 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\WALTER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\F2M0IB8D.DEFAULT\EXTENSIONS\{73A6FE31-595D-460B-A920-FCC0F8843232}.XPI
[2012/03/18 09:55:57 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/10/03 06:06:04 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2009/07/31 13:06:48 | 001,654,784 | ---- | M] (LizardTech) -- C:\Program Files\mozilla firefox\plugins\npdjvu.dll
[2006/10/26 20:12:16 | 000,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL
[2009/10/03 18:09:57 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/10/03 18:09:57 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/10/03 18:09:58 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/10/03 18:09:58 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/10/03 18:09:58 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/10/03 18:09:58 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/10/03 18:09:58 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2007/07/18 12:19:40 | 002,998,784 | ---- | M] (Tamarack Software, Inc.) -- C:\Program Files\mozilla firefox\plugins\nptgeqplugin.dll
[2011/10/25 18:34:59 | 000,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2011/10/25 18:34:59 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/10/25 18:34:59 | 000,001,131 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2011/10/25 18:34:59 | 000,002,364 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2011/11/08 22:53:52 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
[2011/10/25 18:34:59 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2011/10/25 18:34:59 | 000,001,096 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2011/07/22 09:00:46 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll File not found
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.EXE (Dell Inc.)
O4 - HKLM..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe (Dell)
O4 - HKLM..\Run: [CapsLKNotify] C:\Program Files\CapsLKNotify\CapsLKNotify.exe (Compal Electronics, Inc)
O4 - HKLM..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter File not found
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics Incorporated)
O4 - HKLM..\Run: [WLSS] C:\Program Files\Wireless Select Switch\WLSS.exe (Dell)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\Walter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disableregistrytools = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{95CE6B49-773F-4AD0-87EB-1BD708ACF147}: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - (crypt32.dll) - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - (cryptnet.dll) - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - (cscdll.dll) - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - (%SystemRoot%\System32\dimsntfy.dll) - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - (sclgntfy.dll) - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - (WlNotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Walter\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Walter\Application Data\Mozilla\Firefox\Desktop Background.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 21:45:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/04/16 15:20:58 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Walter\Desktop\OTL.exe
[2012/04/15 21:08:11 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Walter\Desktop\aswMBR.exe
[2012/04/14 08:46:38 | 000,000,000 | --SD | C] -- C:\Comfix
[2012/04/12 21:43:30 | 004,460,173 | R--- | C] (Swearware) -- C:\Documents and Settings\Walter\Desktop\comfix.exe
[2012/04/11 22:02:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Walter\My Documents\New Folder
[2012/04/04 21:38:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Walter\Desktop\gmer
[2012/04/01 23:28:28 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/04/01 23:15:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Walter\Desktop\tdsskiller
[2012/04/01 22:48:16 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Walter\Recent
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/04/16 15:19:18 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Walter\Desktop\OTL.exe
[2012/04/16 14:49:12 | 000,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-37936691-3432283480-3667031437-1006UA.job
[2012/04/16 14:46:06 | 000,467,430 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/04/16 14:46:06 | 000,080,480 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/04/16 14:41:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/04/16 14:41:54 | 1063,682,048 | -HS- | M] () -- C:\hiberfil.sys
[2012/04/15 20:37:28 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/04/15 10:25:18 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Walter\Desktop\aswMBR.exe
[2012/04/12 21:42:16 | 004,460,173 | R--- | M] (Swearware) -- C:\Documents and Settings\Walter\Desktop\comfix.exe
[2012/04/12 20:42:52 | 000,337,137 | ---- | M] () -- C:\Documents and Settings\Walter\Desktop\FSS.exe
[2012/04/11 19:49:02 | 000,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-37936691-3432283480-3667031437-1006Core.job
[2012/04/01 22:17:52 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/04/01 17:21:09 | 000,000,184 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-bfKtLhHXPKBcnTr
[2012/04/01 17:21:09 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-bfKtLhHXPKBcnT
[2012/04/01 17:20:18 | 000,000,256 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\bfKtLhHXPKBcnT
[2012/03/20 18:30:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/04/16 14:41:54 | 1063,682,048 | -HS- | C] () -- C:\hiberfil.sys
[2012/04/12 20:43:38 | 000,337,137 | ---- | C] () -- C:\Documents and Settings\Walter\Desktop\FSS.exe
[2012/04/01 22:34:44 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Walter\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2012/04/01 22:17:49 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/04/01 17:21:09 | 000,000,184 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\-bfKtLhHXPKBcnTr
[2012/04/01 17:21:09 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\-bfKtLhHXPKBcnT
[2012/04/01 17:20:13 | 000,000,256 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\bfKtLhHXPKBcnT
[2012/02/15 20:52:16 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/07/22 08:31:08 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/07/22 08:31:08 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/07/22 08:31:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/07/22 08:31:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/07/22 08:31:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/07/20 18:53:05 | 000,003,678 | -HS- | C] () -- C:\Documents and Settings\Walter\Local Settings\Application Data\ru7144576uov5h04pf7f54uuemx0h6l7520
[2011/07/20 18:53:05 | 000,003,678 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ru7144576uov5h04pf7f54uuemx0h6l7520
[2011/07/20 18:53:00 | 000,001,608 | ---- | C] () -- C:\Documents and Settings\Walter\Application Data\C58E.B34
[2011/07/13 13:49:48 | 000,015,136 | -HS- | C] () -- C:\Documents and Settings\Walter\Local Settings\Application Data\b6bo46lu10ri1w645385mo7j0w0
[2011/07/13 13:49:48 | 000,015,136 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\b6bo46lu10ri1w645385mo7j0w0
[2011/06/26 17:40:26 | 000,015,678 | -HS- | C] () -- C:\Documents and Settings\Walter\Local Settings\Application Data\448fqp1244v2itbh10ux24jwrf07
[2011/06/26 17:39:37 | 000,015,678 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\448fqp1244v2itbh10ux24jwrf07
[2011/06/26 17:39:37 | 000,001,478 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\448fqp1244v2itbh10ux24jwrf07
[2011/06/21 22:04:30 | 000,001,876 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\1.gif
[2011/06/21 22:04:30 | 000,000,011 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\ct_start
[2011/06/20 22:45:05 | 000,003,162 | -HS- | C] () -- C:\Documents and Settings\Walter\Local Settings\Application Data\806292436
[2011/06/20 22:45:05 | 000,003,162 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4275444064
[2011/06/20 22:44:34 | 000,012,220 | -HS- | C] () -- C:\Documents and Settings\Walter\Local Settings\Application Data\skf11o7g4tj6gv6hy1024k
[2011/06/20 22:44:34 | 000,008,252 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\806292436
[2011/06/20 22:44:28 | 000,014,012 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\skf11o7g4tj6gv6hy1024k
[2011/06/20 22:44:28 | 000,012,220 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\skf11o7g4tj6gv6hy1024k
[2010/04/21 19:42:35 | 000,007,680 | ---- | C] () -- C:\Documents and Settings\Walter\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== LOP Check ==========

[2011/10/22 14:30:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cisco Systems
[2009/09/23 06:03:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2012/03/29 19:16:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Soulseek
[2009/09/23 05:55:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vista32
[2009/09/23 05:55:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vista64
[2009/09/23 05:56:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\XP32
[2009/10/03 18:11:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/05/11 10:10:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walter\Application Data\CheckPoint
[2010/03/08 22:55:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walter\Application Data\foobar2000
[2010/03/25 13:38:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walter\Application Data\Foxit
[2011/07/31 09:10:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walter\Application Data\Foxit Software
[2010/10/28 18:26:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walter\Application Data\Jaran Nilsen
[2010/04/18 21:43:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walter\Application Data\Nintendulator
[2010/11/21 17:51:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walter\Application Data\Teleca
[2009/10/01 22:08:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walter\Application Data\Template
[2012/04/01 22:50:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walter\Application Data\uTorrent
[2009/09/23 05:47:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walter\Application Data\Windows Desktop Search
[2010/04/24 19:38:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walter\Application Data\Windows Live Writer
[2009/10/01 19:35:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Walter\Application Data\Windows Search
[2012/03/20 18:30:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Custom Scans ==========

< MD5 for: AGP440.SYS >
[2008/04/14 08:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\I386\sp3.cab:AGP440.sys
[2008/04/14 08:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 08:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\AGP440.SYS
[2008/04/14 08:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2008/04/14 08:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\I386\sp3.cab:atapi.sys
[2008/04/14 08:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 08:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/14 08:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 08:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 08:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 08:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 08:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 08:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 08:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< End of report >

#25 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:55 PM

Posted 16 April 2012 - 06:46 PM

We need to run an OTL Fix and hope this loosens the grip enough for us to follow up

  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :OTL
    DRV - (WDICA) -- File not found
    DRV - (PDRFRAME) -- File not found
    DRV - (PDRELI) -- File not found
    DRV - (PDFRAME) -- File not found
    DRV - (PDCOMP) -- File not found
    DRV - (PCIDump) -- File not found
    DRV - (lbrtfdc) -- File not found
    DRV - (Changer) -- File not found
    [2012/04/01 17:21:09 | 000,000,184 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-bfKtLhHXPKBcnTr
    [2012/04/01 17:21:09 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-bfKtLhHXPKBcnT
    [2012/04/01 17:20:18 | 000,000,256 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\bfKtLhHXPKBcnT
    [2011/07/20 18:53:05 | 000,003,678 | -HS- | C] () -- C:\Documents and Settings\Walter\Local Settings\Application Data\ru7144576uov5h04pf7f54uuemx0h6l7520
    [2011/07/20 18:53:05 | 000,003,678 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ru7144576uov5h04pf7f54uuemx0h6l7520
    [2011/07/13 13:49:48 | 000,015,136 | -HS- | C] () -- C:\Documents and Settings\Walter\Local Settings\Application Data\b6bo46lu10ri1w645385mo7j0w0
    [2011/07/13 13:49:48 | 000,015,136 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\b6bo46lu10ri1w645385mo7j0w0
    [2011/06/26 17:40:26 | 000,015,678 | -HS- | C] () -- C:\Documents and Settings\Walter\Local Settings\Application Data\448fqp1244v2itbh10ux24jwrf07
    [2011/06/26 17:39:37 | 000,015,678 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\448fqp1244v2itbh10ux24jwrf07
    [2011/06/26 17:39:37 | 000,001,478 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\448fqp1244v2itbh10ux24jwrf07
    [2011/06/20 22:45:05 | 000,003,162 | -HS- | C] () -- C:\Documents and Settings\Walter\Local Settings\Application Data\806292436
    [2011/06/20 22:45:05 | 000,003,162 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4275444064
    [2011/06/20 22:44:34 | 000,012,220 | -HS- | C] () -- C:\Documents and Settings\Walter\Local Settings\Application Data\skf11o7g4tj6gv6hy1024k
    [2011/06/20 22:44:34 | 000,008,252 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\806292436
    [2011/06/20 22:44:28 | 000,014,012 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\skf11o7g4tj6gv6hy1024k
    [2011/06/20 22:44:28 | 000,012,220 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\skf11o7g4tj6gv6hy1024k
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.

Now attempt to run TDSSKiller straight after

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

m0le is a proud member of UNITE
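The entries m0le put in the fix above share one pattern: hidden+system attributes (-HS-), no company name, a long random-looking name with no extension, and the same name dropped under more than one profile's Application Data at the same second. The following Python script is an added example, not OTL's code and not something from this thread: it parses lines in OTL's entry format and flags entries that meet three or more of those criteria, then reports names that recur across profiles. The scoring threshold and the "random name" heuristic are my own choices; the sample lines are constructed in OTL's format, with paths copied from the report posted earlier.

```python
import re
from collections import defaultdict

# Constructed sample in OTL's file-entry format (paths copied from the report
# posted in this thread; which lines to include is my choice, not OTL's).
SAMPLE_OTL_LINES = r"""
[2012/04/16 14:41:54 | 1063,682,048 | -HS- | C] () -- C:\hiberfil.sys
[2012/04/01 22:34:44 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Walter\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/07/20 18:53:05 | 000,003,678 | -HS- | C] () -- C:\Documents and Settings\Walter\Local Settings\Application Data\ru7144576uov5h04pf7f54uuemx0h6l7520
[2011/07/20 18:53:05 | 000,003,678 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ru7144576uov5h04pf7f54uuemx0h6l7520
[2011/06/26 17:39:37 | 000,001,478 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\448fqp1244v2itbh10ux24jwrf07
[2011/06/20 22:45:05 | 000,003,162 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4275444064
[2010/04/21 19:42:35 | 000,007,680 | ---- | C] () -- C:\Documents and Settings\Walter\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/04/14 08:46:38 | 000,000,000 | --SD | C] -- C:\Comfix
[2008/04/14 08:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\AGP440.SYS
"""

# One OTL entry: [date time | size | attrs | C|M] (company) [MD5=...] -- path
# The (company) part is absent for directories, the MD5 part only appears in
# custom MD5 scans, so both are optional.
OTL_ENTRY = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<event>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?:MD5=(?P<md5>[0-9A-Fa-f]{32}) )?"
    r"-- (?P<path>.+)$"
)
PROFILE_RE = re.compile(r"^C:\\Documents and Settings\\([^\\]+)\\", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\Application Data\\", re.IGNORECASE)
# Heuristic (my assumption): 8+ alphanumerics, no dot or separator, reads as random.
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8,}$", re.IGNORECASE)


def parse_otl_line(line):
    """Parse one OTL file entry into a dict, or return None for any other line."""
    m = OTL_ENTRY.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"].replace(",", ""))
    entry["company"] = entry["company"] or ""
    profile = PROFILE_RE.match(entry["path"])
    entry["profile"] = profile.group(1) if profile else None
    entry["name"] = entry["path"].rsplit("\\", 1)[-1]
    return entry


def suspicion_reasons(entry):
    """List the triage criteria an entry meets (empty list = nothing odd)."""
    reasons = []
    if "H" in entry["attrs"] and "S" in entry["attrs"]:
        reasons.append("hidden+system")
    if not entry["company"]:
        reasons.append("no company name")
    if entry["profile"] and APPDATA_RE.search(entry["path"]):
        reasons.append("dropped under a profile's Application Data")
    if RANDOM_NAME_RE.match(entry["name"]):
        reasons.append("random-looking extensionless name")
    return reasons


def triage(text, min_reasons=3):
    """Return the entries of an OTL report that meet at least min_reasons criteria."""
    flagged = []
    for line in text.splitlines():
        entry = parse_otl_line(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry)
        if len(reasons) >= min_reasons:
            entry["reasons"] = reasons
            flagged.append(entry)
    return flagged


def cross_profile_names(entries):
    """Map each file name that appears under more than one profile to those profiles."""
    by_name = defaultdict(set)
    for entry in entries:
        if entry["profile"]:
            by_name[entry["name"]].add(entry["profile"])
    return {name: sorted(profiles) for name, profiles in by_name.items() if len(profiles) > 1}


if __name__ == "__main__":
    hits = triage(SAMPLE_OTL_LINES)
    for hit in hits:
        print(hit["stamp"], hit["path"], "->", ", ".join(hit["reasons"]))
    for name, profiles in cross_profile_names(hits).items():
        print("same name in several profiles:", name, profiles)
```

Run against the sample, the four -HS- Application Data entries are flagged and hiberfil.sys is not, even though it is hidden+system with no company name, because it sits outside any profile and has a normal name. Two of the flagged entries are the same name under Walter and All Users with an identical timestamp, which is the cross-profile pattern worth calling out on a report; the threshold of three criteria is deliberately strict so that ordinary user data files (no company name is normal for those) do not get listed.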

#26 walltron3030

walltron3030
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 16 April 2012 - 07:39 PM

========== OTL ==========
Service WDICA stopped successfully!
Service WDICA deleted successfully!
File File not found not found.
Service PDRFRAME stopped successfully!
Service PDRFRAME deleted successfully!
File File not found not found.
Service PDRELI stopped successfully!
Service PDRELI deleted successfully!
File File not found not found.
Service PDFRAME stopped successfully!
Service PDFRAME deleted successfully!
File File not found not found.
Service PDCOMP stopped successfully!
Service PDCOMP deleted successfully!
File File not found not found.
Service PCIDump stopped successfully!
Service PCIDump deleted successfully!
File File not found not found.
Service lbrtfdc stopped successfully!
Service lbrtfdc deleted successfully!
File File not found not found.
Service Changer stopped successfully!
Service Changer deleted successfully!
File File not found not found.
C:\Documents and Settings\All Users\Application Data\-bfKtLhHXPKBcnTr moved successfully.
C:\Documents and Settings\All Users\Application Data\-bfKtLhHXPKBcnT moved successfully.
C:\Documents and Settings\All Users\Application Data\bfKtLhHXPKBcnT moved successfully.
C:\Documents and Settings\Walter\Local Settings\Application Data\ru7144576uov5h04pf7f54uuemx0h6l7520 moved successfully.
C:\Documents and Settings\All Users\Application Data\ru7144576uov5h04pf7f54uuemx0h6l7520 moved successfully.
C:\Documents and Settings\Walter\Local Settings\Application Data\b6bo46lu10ri1w645385mo7j0w0 moved successfully.
C:\Documents and Settings\All Users\Application Data\b6bo46lu10ri1w645385mo7j0w0 moved successfully.
C:\Documents and Settings\Walter\Local Settings\Application Data\448fqp1244v2itbh10ux24jwrf07 moved successfully.
C:\Documents and Settings\All Users\Application Data\448fqp1244v2itbh10ux24jwrf07 moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\448fqp1244v2itbh10ux24jwrf07 moved successfully.
C:\Documents and Settings\Walter\Local Settings\Application Data\806292436 moved successfully.
C:\Documents and Settings\All Users\Application Data\4275444064 moved successfully.
C:\Documents and Settings\Walter\Local Settings\Application Data\skf11o7g4tj6gv6hy1024k moved successfully.
C:\Documents and Settings\All Users\Application Data\806292436 moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\skf11o7g4tj6gv6hy1024k moved successfully.
C:\Documents and Settings\All Users\Application Data\skf11o7g4tj6gv6hy1024k moved successfully.

OTL by OldTimer - Version 3.2.39.2 log created on 04162012_202448

Edited by walltron3030, 16 April 2012 - 07:41 PM.


#27 walltron3030

walltron3030
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 16 April 2012 - 07:41 PM

20:30:26.0078 1508 TDSS rootkit removing tool 2.7.28.0 Apr 10 2012 16:54:05
20:30:26.0093 1508 ============================================================
20:30:26.0093 1508 Current date / time: 2012/04/16 20:30:26.0093
20:30:26.0093 1508 SystemInfo:
20:30:26.0093 1508
20:30:26.0093 1508 OS Version: 5.1.2600 ServicePack: 3.0
20:30:26.0093 1508 Product type: Workstation
20:30:26.0093 1508 ComputerName: D9VCNLK1
20:30:26.0093 1508 UserName: Walter
20:30:26.0093 1508 Windows directory: C:\WINDOWS
20:30:26.0093 1508 System windows directory: C:\WINDOWS
20:30:26.0093 1508 Processor architecture: Intel x86
20:30:26.0093 1508 Number of processors: 2
20:30:26.0093 1508 Page size: 0x1000
20:30:26.0093 1508 Boot type: Normal boot
20:30:26.0093 1508 ============================================================
20:30:28.0359 1508 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
20:30:28.0375 1508 Drive \Device\Harddisk1\DR4 - Size: 0x77E00000 (1.87 Gb), SectorSize: 0x200, Cylinders: 0xF4, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
20:30:28.0375 1508 \Device\Harddisk0\DR0:
20:30:28.0375 1508 MBR used
20:30:28.0375 1508 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x2738A, BlocksNum 0x129F1737
20:30:28.0375 1508 \Device\Harddisk1\DR4:
20:30:28.0375 1508 MBR used
20:30:28.0375 1508 \Device\Harddisk1\DR4\Partition0: MBR, Type 0x6, StartLBA 0xF8, BlocksNum 0x3BEF08
20:30:28.0421 1508 Initialize success
20:30:28.0421 1508 ============================================================
20:31:10.0750 1456 Deinitialize success
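The "Partition0: MBR, Type 0x7, StartLBA 0x2738A, BlocksNum 0x129F1737" lines in the TDSSKiller log above are a decoded MBR partition table, and the point of the later FixTDSS result in this thread (Backdoor.Tidserv, Symantec's name for the TDSS/TDL family, which is known for overwriting the MBR boot code) is that a partition listing can look perfectly normal while the 446-byte boot code in front of the table has been replaced. The Python below is an added example, not TDSSKiller's or FixTDSS's code: it parses a 512-byte MBR, renders the entries in the same shape as the log lines, and hashes the boot-code region so it can be compared against a known-good baseline. The sectors are constructed from the values the log printed; the bootable flag, the zeroed CHS fields and the blank boot code are assumptions, since the log does not show them.

```python
import hashlib
import struct

# One 16-byte MBR partition entry:
# boot flag, CHS start (3 bytes), type, CHS end (3 bytes), start LBA, sector count
PART_ENTRY = struct.Struct("<B3sB3sII")
TABLE_OFFSET = 446        # the partition table follows the 446-byte boot code
SIGNATURE = b"\x55\xAA"   # bytes 510..511 of a valid MBR


def parse_mbr(sector):
    """Return (sha256 of the boot-code region, list of non-empty partition entries)."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        boot, _chs_start, ptype, _chs_end, start_lba, blocks = PART_ENTRY.unpack_from(
            sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:        # empty slot
            continue
        parts.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                      "start_lba": start_lba, "blocks": blocks})
    return hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(), parts


def build_mbr(entries, boot_code=b""):
    """Construct a 512-byte MBR from (bootable, type, start_lba, blocks) tuples."""
    sector = bytearray(512)
    boot_code = boot_code[:TABLE_OFFSET]
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, start_lba, blocks) in enumerate(entries[:4]):
        PART_ENTRY.pack_into(sector, TABLE_OFFSET + 16 * i,
                             0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0",
                             start_lba, blocks)
    sector[510:512] = SIGNATURE
    return bytes(sector)


def describe(device, parts):
    """Render entries in the same shape as TDSSKiller's log lines."""
    return [f"{device}\\Partition{p['index']}: MBR, Type 0x{p['type']:X}, "
            f"StartLBA 0x{p['start_lba']:X}, BlocksNum 0x{p['blocks']:X}" for p in parts]


def boot_code_changed(sector, baseline_sha256):
    """True when the boot-code region no longer matches a known-good baseline hash."""
    return parse_mbr(sector)[0] != baseline_sha256


# Constructed sectors carrying the table values TDSSKiller printed above.
# Assumptions: disk 0's single partition is marked bootable, the CHS fields are
# zero and the boot code is blank, none of which the log shows.
HARDDISK0_MBR = build_mbr([(True, 0x7, 0x2738A, 0x129F1737)])
HARDDISK1_MBR = build_mbr([(False, 0x6, 0xF8, 0x3BEF08)])


if __name__ == "__main__":
    baseline, parts = parse_mbr(HARDDISK0_MBR)
    print("\n".join(describe("\\Device\\Harddisk0\\DR0", parts)))
    print("\n".join(describe("\\Device\\Harddisk1\\DR4", parse_mbr(HARDDISK1_MBR)[1])))
    # Same partition table, different boot code: the listing cannot tell, the hash can.
    tampered = build_mbr([(True, 0x7, 0x2738A, 0x129F1737)], boot_code=b"\xEB\xFE")
    print("boot code changed:", boot_code_changed(tampered, baseline))
```

The usage at the bottom reproduces both partition lines from the log and then rebuilds the same table with two different boot-code bytes: the partition listing is identical, only the boot-code hash moves. That is why a baseline hash of the first 446 bytes (taken when the machine is known clean, or compared with the loader the OS installs) is the check that catches what a partition listing alone cannot.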

#28 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:55 PM

Posted 17 April 2012 - 04:21 PM

That's not a log that you should usually get. Please run FixTDSS

I would like you to run this tool for me - fixTDSS

Download it to your desktop and start the program

Follow the prompts and OK any security prompts

When it is complete it will say the infection was cleared or no infection was found - let me know what it says
m0le is a proud member of UNITE

#29 walltron3030

walltron3030
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 17 April 2012 - 07:33 PM

It said Backdoor.Tidserv was cleaned from my computer.

#30 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:55 PM

Posted 18 April 2012 - 05:32 PM

Thought so. Can you now run TDSSKiller again
m0le is a proud member of UNITE
