Content.IE5 growing in size with unknown junk


8 replies to this topic

#1 AKMAN2011
  • Members
  • 29 posts

Posted 30 November 2012 - 11:10 PM

I tried opening an excel file that has always worked before and got some corrupt file message. Tried another one. And another. This is on a USB WDD hard drive. I tried a file on the C drive same thing. Couldn't create a new one and save. Can't open Windows Firewall. Got a low disk space warning. Sure enough, C:/Documents and Settings/NetworkService/Temporary Internet Files/Content.IE5 is filling up with folders and junk in real time. These are not files that I have ever ever downloaded, seen, etc. It's like there is some background process that is downloading junk even when IE is closed. Because it is happening in real time and it is content that I have never seen, I think it is viral in nature. I know it's not just a matter of never clearing out the temp folder. Tried doing rmdir /S and it works for some, but others say process is being used and won't let me delete. In any case, new ones are being opened and filling up.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1
Run by Daniel Wetherall at 18:55:55 on 2012-11-30
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.365 [GMT -9:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: dsWebAllowBHO Class: {2F85D76C-0569-466F-A488-493E6BD0E955} - c:\program files\windows desktop search\dsWebAllow.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: Windows Live Toolbar Helper: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - <orphaned>
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Windows Live Toolbar: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: Windows Live Toolbar: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &MSN Search - c:\program files\msn toolbar suite\tb\02.05.0001.1119\en-us\msntb.dll/search.htm
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/229?28860ac5a7a4b3488f182ae63de3b
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/230?28860ac5a7a4b3488f182ae63de3b
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - hxxp://www.napster.com/client/isetup.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
TCP: NameServer = 209.165.131.12 209.165.131.13
TCP: Interfaces\{1FAD372E-9F27-43DF-9456-891AA8A66C64} : DHCPNameServer = 209.165.131.12 209.165.131.13
TCP: Interfaces\{B7041A0D-15FC-497D-BE08-BF45F3E7840B} : DHCPNameServer = 209.165.131.12 209.165.131.13
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
R2 WDDMService;WDDMService;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2011-12-12 238592]
R2 WDFME;WD File Management Engine;c:\program files\western digital\wd smartware\front parlor\wdfme\WDFME.exe [2011-12-12 1060864]
R2 WDSC;WD File Management Shadow Engine;c:\program files\western digital\wd smartware\front parlor\WDSC.exe [2011-12-12 484352]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S3 camvid40;Philips SPC 900NC PC Camera;c:\windows\system32\drivers\camdrv41.sys [2009-12-13 1239552]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-12-11 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
.
=============== Created Last 30 ================
.
2012-11-30 07:34:48 -------- d-----w- c:\documents and settings\daniel wetherall\local settings\application data\Coupon Companion
2012-11-30 07:34:31 -------- d-----w- c:\program files\Coupon Companion
.
==================== Find3M ====================
.
2012-11-27 10:18:24 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-27 10:18:24 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH: 18:58:06.92 ===============

#2 thisisu
  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 04 December 2012 - 05:21 PM

Hello :)

From Add/Remove Programs (via Control Panel), please uninstall the below:
  • Coupon Companion
  • Driver Detective
  • Java™ 7 Update 5 (outdated!)

__

Regarding these types of folders (example): C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\7CP7EAYN

I do not think you can prevent Internet Explorer from creating these unless you simply stop using Internet Explorer. Maybe you'd like to try out Mozilla Firefox?

I see that you have CCleaner installed. You can continue to use CCleaner to empty the files from these types of folders but as you have already noticed, new folders will be created.

My recommendation would be to go into Internet Properties and reduce the amount of temporary internet files that can be accumulated by doing the following:

  • Press and hold the Windows key and then press the letter R on your keyboard.
  • This opens the Run dialog box.
  • Copy and paste the below text inside the text-field:
    • inetcpl.cpl
  • Now press ENTER
  • Go to the General tab
  • Under "Browsing history", place a checkmark in "Delete browsing history on exit"
  • Now click the "Settings" button which is in the same area
  • A new window with "Temporary Internet Files and History Settings" should appear.
  • Look where it says "Disk space to use" and put the number "8" in the text-field.
  • Click OK twice to exit Internet Properties and to save the changes.

__

Use WinDirStat to find out what is truly eating up your hard drive space. You do not have much to begin with (40GB) but this can help you understand what is accumulating the most space. Just be careful on what you delete :)

__

Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow these instructions for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.
Note: Further documentation on this tool can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit (mbar) folder.

__

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Edited by thisisu, 04 December 2012 - 05:24 PM.
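Added example, not part of any post in this thread and not a Malwarebytes tool. The Malwarebytes Anti-Rootkit log that the topic starter posts in the next reply records, besides files and folders, three "Registry Data Items" in which a CLSID's InProcServer32 value was redirected from a system DLL (fastprox.dll, shell32.dll) to a file under C:\RECYCLER\<SID>\$<32 hex>\n. That is a COM server hijack: any process that instantiates that CLSID loads the file from RECYCLER instead of the system DLL, with no new service or Run entry for DDS to show. The script below parses lines in that MBAR 1.x format, lists the hijacked CLSIDs with the bad and expected servers, and correlates the 32-hex token that appears both as the RECYCLER folder name and, written with dashes, as the {GUID} folder under WINDOWS\Installer and Local Settings\Application Data, which shows the detections belong to one installation. The sample lines are constructed copies of entries from that log; the regular expressions are written for the line shapes visible there and are an assumption for other MBAR versions.

```python
# Triage helper for Malwarebytes Anti-Rootkit (MBAR) "Detected" lines.
# Added example for this thread, not a Malwarebytes tool. Line format is
# taken from the MBAR 1.1.0.1009 log quoted in the thread (assumption for
# other versions).
import re
from collections import defaultdict

# Constructed sample: copies of detection lines quoted in this thread.
SAMPLE_LOG = r"""
HKCR\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Trojan.0Access) -> Delete on reboot. [aa518950c09d16201b2587410bf5f20e]
HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) -> Data: 314a0401a1133fb2e0fb9c022b836fdd -> Delete on reboot. [7f7c80592c31270fc0139ce3ed1637c9]
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892\n.) Good: (fastprox.dll) -> Delete on reboot. [4ab111c8cc911125c09743f38b796e92]
HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-21-2425240458-456833205-2956304666-1008\$fce2e3242357c92140df863d6e732892\n.) Good: (shell32.dll) -> Delete on reboot. [a8533c9db3aa9d99f38e9a9cfc08e11f]
C:\WINDOWS\Installer\{fce2e324-2357-c921-40df-863d6e732892}\U (Backdoor.0Access) -> Delete on reboot. [3cbf7168a9b40135415a8c74ce3250b0]
C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892\U\80000000.@ (Trojan.0Access) -> Delete on reboot. [84778554d28b91a5ca74c0083dc35fa1]
"""

# target (family) -> [Bad: (x) Good: (y) -> | Data: z -> ] action. [md5]
LINE_RE = re.compile(
    r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> "
    r"|Data: (?P<data>.*?) -> )?"
    r"(?P<action>[^\[]+?)\.? \[(?P<hash>[0-9a-f]{32})\]$"
)
HIVES = ("HKCR\\", "HKCU\\", "HKLM\\", "HKU\\")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RECYCLER_RE = re.compile(r"\\RECYCLER\\(S-1-5-[\d-]+)\\\$([0-9a-f]{32})", re.I)
GUID_DIR_RE = re.compile(r"\\\{([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}\\", re.I)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_mbar_line(line):
    """Return a dict for one 'Detected' entry, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["bad"] is not None:
        rec["kind"] = "registry_data"    # existing value rewritten (Bad vs Good)
    elif rec["data"] is not None:
        rec["kind"] = "registry_value"   # value added by the malware
    elif rec["target"].startswith(HIVES):
        rec["kind"] = "registry_key"
    else:
        rec["kind"] = "filesystem"
    return rec


def parse_mbar_log(text):
    return [r for r in map(parse_mbar_line, text.splitlines()) if r]


def com_hijacks(records):
    """InProcServer32 values MBAR rewrote: CLSID plus bad and expected server.

    Good is a bare system DLL; Bad is an absolute path into a user-writable
    folder, so every process instantiating that CLSID loaded the Bad file.
    """
    found = []
    for r in records:
        if r["kind"] != "registry_data" or "\\InProcServer32" not in r["target"]:
            continue
        m = CLSID_RE.search(r["target"])
        found.append({"clsid": m.group(0).upper() if m else None,
                      "bad": r["bad"], "good": r["good"], "family": r["family"]})
    return found


def drop_tokens(records):
    """Map each 32-hex token to the locations it was seen in.

    RECYCLER uses '$' + token as the folder name; the Installer/Local Settings
    folder is the same token written as a dashed {GUID}.
    """
    seen = defaultdict(set)
    for r in records:
        for text in (r["target"], r["bad"] or ""):
            for sid, tok in RECYCLER_RE.findall(text):
                seen[tok.lower()].add("RECYCLER:" + sid)
            if DRIVE_RE.match(text):   # real paths only, not HKCR\CLSID\{...}
                for g in GUID_DIR_RE.findall(text):
                    seen[g.replace("-", "").lower()].add("GUID-dir")
    return seen


def summarize(text):
    records = parse_mbar_log(text)
    families = defaultdict(int)
    for r in records:
        families[r["family"]] += 1
    tokens = drop_tokens(records)
    return {
        "records": len(records),
        "families": dict(families),
        "com_hijacks": com_hijacks(records),
        "shared_tokens": {t: sorted(p) for t, p in tokens.items() if len(p) > 1},
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['records']} detections: {report['families']}")
    for h in report["com_hijacks"]:
        print(f"COM hijack {h['clsid']}: expected {h['good']}, found {h['bad']}")
    for tok, places in report["shared_tokens"].items():
        print(f"token {tok} shared by {', '.join(places)}")
```

To use it on a real run, pass the contents of the saved mbar-log-*.txt to summarize(). The com_hijacks list is the item to re-check after the reboot: if one of those InProcServer32 values again points anywhere other than the system DLL named under Good, the cleanup did not hold and the scan should be repeated as the instructions above say.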


#3 AKMAN2011
  • Topic Starter
  • Members
  • 29 posts

Posted 05 December 2012 - 05:29 PM

Coupon Companion and Java 7 Update 5 both uninstalled fine. Driver Detective however said it failed to completely uninstall. It was removed from Add/Remove Programs. After all the other steps and reboots, it still is not showing up in Add/Remove so I think it is gone.

I had run a different disk space tool originally and that is how I knew Content.IE5 was the culprit taking up 50% of the 40G. Of note, I hit the wrong download button after following your WinDirStat link. It's a little confusing as there is a download link right above for 7-Zip. I ended up installing the 7-Zip tool. It looks like it might have installed a bunch of crud from Yahoo.

I realize IE will create folders in Content.IE5 under normal circumstances. However, the folders and content that were being created were independent of IE webpages I was visiting. For example, with IE open but home page set to about:blank it still created folders and downloaded content. IE should not have made a call to the internet without an outside IP address to go to. Yet content was still being downloaded without even going to a page. Just with IE open. This normally doesn't happen. I should also note that setting the size of that folder option to 8MB did not stop this malware from writing to that folder above and beyond that 8MB limit. It had written 167MB to that folder so far even with that setting.

I ran Malwarebytes once, cleaned, it rebooted, and Windows came back up saying a program was still running (Malwarebytes). But there was no window open. I reran MB, went to sleep, and checked in the morning. The MB program was closed. I was expecting an open window saying scan complete or whatever with the option of hitting the clean button. So I am not sure exactly what happened; if it found nothing so exited, or ran, cleaned, and rebooted automatically. I'm attaching the logs as I find them. Let me know if I should run it again or not. Also, Windows Firewall says "Due to an unidentified problem, Windows is unable to display Windows Firewall Settings." This problem was there before running MB but only after I believe the machine got infected. Do you want me to run the MB Fix program?

Malwarebytes Anti-Rootkit 1.1.0.1009
www.malwarebytes.org

Database version: v2012.12.05.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Daniel Wetherall :: DAN [administrator]

12/5/2012 12:59:59 AM
mbar-log-2012-12-05 (00-59-59).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 27687
Time elapsed: 1 hour(s), 30 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKCR\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Trojan.0Access) -> Delete on reboot. [aa518950c09d16201b2587410bf5f20e]
HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Hijack.Trojan.Siredef.C) -> Delete on reboot. [6a919841530a1e180fbfdc24718ffe02]
HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Delete on reboot. [7f7c80592c31270fc0139ce3ed1637c9]

Registry Values Detected: 1
HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) -> Data: 314a0401a1133fb2e0fb9c022b836fdd -> Delete on reboot. [7f7c80592c31270fc0139ce3ed1637c9]

Registry Data Items Detected: 3
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892\n.) Good: (fastprox.dll) -> Delete on reboot. [4ab111c8cc911125c09743f38b796e92]
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Hijack.Trojan.Siredef.C) -> Bad: (C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892\n.) Good: (%systemroot%\system32\wbem\fastprox.dll) -> Delete on reboot. [95665386afae1323c711768a669a7b85]
HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-21-2425240458-456833205-2956304666-1008\$fce2e3242357c92140df863d6e732892\n.) Good: (shell32.dll) -> Delete on reboot. [a8533c9db3aa9d99f38e9a9cfc08e11f]

Folders Detected: 10
C:\WINDOWS\Installer\{fce2e324-2357-c921-40df-863d6e732892}\L (Backdoor.0Access) -> Delete on reboot. [8d6e2eabe6771c1a663430d028d80000]
C:\WINDOWS\Installer\{fce2e324-2357-c921-40df-863d6e732892}\U (Backdoor.0Access) -> Delete on reboot. [3cbf7168a9b40135415a8c74ce3250b0]
C:\Documents and Settings\Daniel Wetherall\Local Settings\Application Data\{fce2e324-2357-c921-40df-863d6e732892}\U (Backdoor.0Access) -> Delete on reboot. [41bae7f284d91d190896a15ff9075da3]
C:\Documents and Settings\Daniel Wetherall\Local Settings\Application Data\{fce2e324-2357-c921-40df-863d6e732892}\L (Backdoor.0Access) -> Delete on reboot. [5f9cdffab3aae650653a817f629ead53]
C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892\U (Trojan.Siredef.C) -> Delete on reboot. [14e734a51d407abcb4fe24dc639d946c]
C:\RECYCLER\S-1-5-21-2425240458-456833205-2956304666-1008\$fce2e3242357c92140df863d6e732892\U (Trojan.Siredef.C) -> Delete on reboot. [fa011dbcc39a350105ad44bcef11e020]
C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892\L (Trojan.Siredef.C) -> Delete on reboot. [a952a9302c3123132b89c53bec1424dc]
C:\RECYCLER\S-1-5-21-2425240458-456833205-2956304666-1008\$fce2e3242357c92140df863d6e732892\L (Trojan.Siredef.C) -> Delete on reboot. [ea11528762fbea4c486caa56c43c728e]
C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892 (Trojan.Siredef.C) -> Delete on reboot. [be3dd108c697b086189d34cc6a960af6]
C:\RECYCLER\S-1-5-21-2425240458-456833205-2956304666-1008\$fce2e3242357c92140df863d6e732892 (Trojan.Siredef.C) -> Delete on reboot. [718a7564fe5f49eddbdae21ee11f7c84]

Files Detected: 8
C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892\@ (Trojan.Siredef.C) -> Delete on reboot. [fcffe8f196c732045659827e4ab629d7]
C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892\n (Trojan.0Access) -> Delete on reboot. [5f9cdffa2c3145f149f7587099672ad6]
C:\RECYCLER\S-1-5-21-2425240458-456833205-2956304666-1008\$fce2e3242357c92140df863d6e732892\@ (Trojan.Siredef.C) -> Delete on reboot. [fefde7f2d885092de1ceb24e36cad62a]
C:\RECYCLER\S-1-5-21-2425240458-456833205-2956304666-1008\$fce2e3242357c92140df863d6e732892\n (Trojan.0Access) -> Delete on reboot. [aa518950c09d16201b2587410bf5f20e]
C:\Documents and Settings\Daniel Wetherall\Local Settings\Application Data\{fce2e324-2357-c921-40df-863d6e732892}\@ (Backdoor.0Access) -> Delete on reboot. [3ebdaf2a540980b6030d37c94db3f60a]
C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892\U\00000001.@ (Trojan.0Access) -> Delete on reboot. [57a410c999c496a084ba992fb9479b65]
C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892\U\80000000.@ (Trojan.0Access) -> Delete on reboot. [84778554d28b91a5ca74c0083dc35fa1]
C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892\U\800000cb.@ (Trojan.0Access) -> Delete on reboot. [4ead39a0ff5e94a2a797b117a15f25db]

(end)

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, G:\ DRIVE_FIXED
CPU speed: 2.392000 GHz
Memory total: 1071648768, free: 658997248

------------ Kernel report ------------
12/04/2012 23:26:33
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\System32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
intelide.sys
MountMgr.sys
ftdisk.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
PxHelp20.sys
drvmcdb.sys
KSecDD.sys
WudfPf.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\System32\DRIVERS\audstub.sys
\SystemRoot\System32\DRIVERS\rasl2tp.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\DRIVERS\ndiswan.sys
\SystemRoot\System32\DRIVERS\raspppoe.sys
\SystemRoot\System32\DRIVERS\raspptp.sys
\SystemRoot\System32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\psched.sys
\SystemRoot\System32\DRIVERS\msgpc.sys
\SystemRoot\System32\DRIVERS\ptilink.sys
\SystemRoot\System32\DRIVERS\raspti.sys
\SystemRoot\System32\DRIVERS\wanatw4.sys
\SystemRoot\System32\DRIVERS\ialmnt5.sys
\SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\usbuhci.sys
\SystemRoot\System32\DRIVERS\USBPORT.SYS
\SystemRoot\System32\DRIVERS\usbehci.sys
\SystemRoot\System32\DRIVERS\BCMSM.sys
\SystemRoot\System32\DRIVERS\ks.sys
\SystemRoot\System32\Drivers\Modem.SYS
\SystemRoot\System32\DRIVERS\bcm4sbxp.sys
\SystemRoot\System32\Drivers\cdrbsdrv.SYS
\SystemRoot\system32\drivers\sscdbhk5.sys
\SystemRoot\System32\DRIVERS\cdrom.sys
\SystemRoot\System32\DRIVERS\redbook.sys
\SystemRoot\System32\DRIVERS\imapi.sys
\SystemRoot\system32\drivers\smwdm.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\aeaudio.sys
\SystemRoot\System32\DRIVERS\termdd.sys
\SystemRoot\System32\DRIVERS\kbdclass.sys
\SystemRoot\System32\DRIVERS\mouclass.sys
\SystemRoot\System32\DRIVERS\swenum.sys
\SystemRoot\System32\DRIVERS\update.sys
\SystemRoot\System32\DRIVERS\omci.sys
\SystemRoot\System32\DRIVERS\mssmbios.sys
\SystemRoot\System32\DRIVERS\i8042prt.sys
\SystemRoot\System32\DRIVERS\parport.sys
\SystemRoot\System32\DRIVERS\serial.sys
\SystemRoot\System32\DRIVERS\serenum.sys
\SystemRoot\System32\DRIVERS\fdc.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\DRIVERS\flpydisk.sys
\SystemRoot\System32\DRIVERS\usbhub.sys
\SystemRoot\System32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\i2omgmt.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\drivers\ssrtln.sys
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\System32\DRIVERS\tcpip.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbios.sys
\SystemRoot\System32\DRIVERS\rdbss.sys
\SystemRoot\System32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\System32\DRIVERS\USBSTOR.SYS
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\System32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\wdcsam.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\Udfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ialmdnt5.dll
\SystemRoot\System32\ialmrnt5.dll
\SystemRoot\System32\ialmdev5.DLL
\SystemRoot\System32\ialmdd5.DLL
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\drvnddm.sys
\SystemRoot\system32\dla\tfsndres.sys
\SystemRoot\system32\dla\tfsnifs.sys
\SystemRoot\system32\dla\tfsnopio.sys
\SystemRoot\system32\dla\tfsnpool.sys
\SystemRoot\system32\dla\tfsnboio.sys
\SystemRoot\system32\dla\tfsncofs.sys
\SystemRoot\system32\dla\tfsndrct.sys
\SystemRoot\system32\dla\tfsnudf.sys
\SystemRoot\system32\dla\tfsnudfa.sys
\SystemRoot\System32\DRIVERS\ndisuio.sys
\SystemRoot\System32\DRIVERS\mrxdav.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\system32\DRIVERS\dsunidrv.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\SYSTEM32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR3
Upper Device Object: 0xffffffff8727fab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000054\
Lower Device Object: 0xffffffff86ff4508
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
DriverEntry returned 0x0
Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff873c9ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff873d0d98
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
DriverEntry returned 0x0
Function returned 0x0
Downloaded database version: v2012.12.05.04
Downloaded database version: v2012.12.03.01
Initializing...
Done!
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff873c9ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff873d1908, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff873c9ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff873d0d98, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Upper DeviceData: 0xffffffffe2565e08, 0xffffffff873c9ab8, 0xffffffff8621c370
Lower DeviceData: 0xffffffffe1caacc0, 0xffffffff873d0d98, 0xffffffff869d4070
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 9DC96E9E

Partition information:

Partition 0 type is Other (0xde)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 64197

Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 64260 Numsec = 80212545
Partition file system is NTFS
Partition is bootable

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 41110142976 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-80273248-80293248)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff8727fab8, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff86ff5d10, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8727fab8, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff86ff4508, DeviceName: \Device\00000054\, DriverName: \Driver\USBSTOR\
------------ End ----------
Upper DeviceData: 0xffffffffe40d2420, 0xffffffff8727fab8, 0xffffffff86226738
Lower DeviceData: 0xffffffffe2648b40, 0xffffffff86ff4508, 0xffffffff86248848
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 42ADA

Partition information:

Partition 0 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 2048 Numsec = 1953456128

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 1000170586112 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
Infected: C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892\@ --> [Trojan.Siredef.C]
Infected: C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892\n --> [Trojan.0Access]
Infected: C:\RECYCLER\S-1-5-21-2425240458-456833205-2956304666-1008\$fce2e3242357c92140df863d6e732892\@ --> [Trojan.Siredef.C]
Infected: C:\RECYCLER\S-1-5-21-2425240458-456833205-2956304666-1008\$fce2e3242357c92140df863d6e732892\n --> [Trojan.0Access]
Infected: HKCR\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} --> [Trojan.0Access]
Read File: File "C:\WINDOWS\assembly\GAC\ISymWrapper\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.JScript\7.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Excel\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Graph\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Outlook\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\assembly\GAC\System.Web.Mobile\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Debug\mrt.log.old" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Downloaded Program Files\DESKTOP.INI" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Downloaded Program Files\OnlineScanner.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Downloaded Program Files\swdir.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Downloaded Program Files\swflash.inf" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Fonts\wfonts.key" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Fonts\wfontsbpm.key" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\WINDOWS.CNT" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\WINHLP32.CNT" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\CIADMIN.HTM" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\CONF.CNT" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\CONNECT.CNT" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\MSHEARTS.CNT" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\MSNAUTH.CNT" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\NOCONTNT.CNT" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\RATINGS.CNT" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Help\UPDATE.CNT" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\installutil.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\regsvcs.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\regsvcs.exe.rtm.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet.mof.uninstall" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\caspol.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\cvtres.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\gacutil.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ieexec.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ilasm.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ConfigWizards.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\csc.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\jsc.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\l_except.nlp" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\vbc.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\XPThemes.manifest" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\regasm.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\regsvcs.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\1033\SetupENU1.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\1033\SetupENU2.txt" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ASP.NETClientFiles\SmartNav.htm" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\_dataperfcounters_shared12_neutral.h" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet_regsql.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state_perf.h" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet.mof.uninstall" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\_DataOracleClientPerfCounters_shared12_neutral.h" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ieexec.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ilasm.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\jsc.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regasm.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\XPThemes.manifest" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\webAdminNoNavBar.master" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\AddInProcess.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\AddInProcess32.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\AddInUtil.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\csc.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\default.win32manifest" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\EdmGen.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\vbc.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\applaunch.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\caspol.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\csc.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\default.win32manifest" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\jsc.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\regasm.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\vbc.exe.config" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\XPThemes.manifest" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\_dataperfcounters_shared12_neutral.h" is compressed (flags = 1)
Read File: File "C:\WINDOWS\SYSTEM\VSVBX.LIC" is compressed (flags = 1)
Read File: File "C:\WINDOWS\Web\BULLET.GIF" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Daniel Wetherall\Local Settings\Application Data\fusioncache.dat" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Daniel Wetherall\Local Settings\Application Data\ApplicationHistory\regasm.exe.11f1da13.ini" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Daniel Wetherall\Local Settings\Application Data\IM\Skin.ucd" is compressed (flags = 1)
Read File: File "C:\Documents and Settings\Daniel Wetherall\Local Settings\Application Data\Powercinema\Dell_UserName.sys" is compressed (flags = 1)
Infected: C:\Documents and Settings\Daniel Wetherall\Local Settings\Application Data\{fce2e324-2357-c921-40df-863d6e732892}\@ --> [Backdoor.0Access]
Infected: C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892\U\00000001.@ --> [Trojan.0Access]
Infected: C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892\U\80000000.@ --> [Trojan.0Access]
Infected: C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892\U\800000cb.@ --> [Trojan.0Access]
Infected: HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} --> [Hijack.Trojan.Siredef.C]
Infected: HKCU\Software\Crossrider|215AppVerifier --> [Adware.GamePlayLab]
Infected: HKCU\SOFTWARE\CROSSRIDER --> [Adware.GamePlayLab]
Infected: C:\WINDOWS\Installer\{fce2e324-2357-c921-40df-863d6e732892}\L --> [Backdoor.0Access]
Infected: C:\WINDOWS\Installer\{fce2e324-2357-c921-40df-863d6e732892}\U --> [Backdoor.0Access]
Infected: C:\Documents and Settings\Daniel Wetherall\Local Settings\Application Data\{fce2e324-2357-c921-40df-863d6e732892}\U --> [Backdoor.0Access]
Infected: C:\Documents and Settings\Daniel Wetherall\Local Settings\Application Data\{fce2e324-2357-c921-40df-863d6e732892}\L --> [Backdoor.0Access]
Infected: C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892\U --> [Trojan.Siredef.C]
Infected: C:\RECYCLER\S-1-5-21-2425240458-456833205-2956304666-1008\$fce2e3242357c92140df863d6e732892\U --> [Trojan.Siredef.C]
Infected: C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892\L --> [Trojan.Siredef.C]
Infected: C:\RECYCLER\S-1-5-21-2425240458-456833205-2956304666-1008\$fce2e3242357c92140df863d6e732892\L --> [Trojan.Siredef.C]
Infected: C:\RECYCLER\S-1-5-18\$fce2e3242357c92140df863d6e732892 --> [Trojan.Siredef.C]
Infected: C:\RECYCLER\S-1-5-21-2425240458-456833205-2956304666-1008\$fce2e3242357c92140df863d6e732892 --> [Trojan.Siredef.C]
Infected: HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| --> [Trojan.0Access]
Infected: HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| --> [Hijack.Trojan.Siredef.C]
Infected: HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| --> [Trojan.0Access]
Done!
Scan finished
Creating System Restore point...
Could not create restore point...
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal scheduling successful. System shutdown needed.
System shutdown occured
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.392000 GHz
Memory total: 1071648768, free: 749215744

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 3.8.6 (12.05.2012:2)
OS: Microsoft Windows XP x86
Ran by Daniel Wetherall on Wed 12/05/2012 at 12:54:01.53
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{ef99bd32-c1fb-11d2-892f-0090271d4f88}



~~~ Registry Keys

Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\conduit"
Successfully deleted: [Registry Key] "hkey_current_user\software\billp studios\detected\startup"
Successfully deleted: [Registry Key] "hkey_current_user\software\conduit"
Successfully deleted: [Registry Key] "hkey_current_user\software\cr_installer"
Successfully deleted: [Registry Key] "hkey_local_machine\software\conduit"
Successfully deleted: [Registry Key] "hkey_local_machine\software\freeze.com"
Successfully deleted: [Registry Key] "hkey_local_machine\software\metastream"
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{3c471948-f874-49f5-b338-4f214a2ee0b1}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{95b7759c-8c7f-4bf1-b163-73684a933233}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\installmate"
Successfully deleted: [Folder] "C:\Documents and Settings\Daniel Wetherall\Local Settings\Application Data\conduit"
Successfully deleted: [Folder] "C:\Program Files\conduit"





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 12/05/2012 at 13:02:12.99
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Edited by AKMAN2011, 05 December 2012 - 05:33 PM.


#4 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:17 AM

Posted 05 December 2012 - 05:57 PM

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had

__

Please download RogueKiller to your desktop.
  • Now rename RogueKiller.exe to winlogon.exe
  • Double-click winlogon.exe to run.
  • When it opens, press the Scan button
  • When the scan is finished, press the Delete button.
  • Please post the contents of the latest numbered RKreport.txt from your desktop to your next post.


#5 AKMAN2011

AKMAN2011
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:12:17 AM

Posted 06 December 2012 - 02:25 AM

Only thing of interest is that Combofix seemed to think that Norton Internet Security was still installed or running. It used to be but was causing the computer to run so slow it was uninstalled. There must be some remnant that CF still is seeing. It seemed to run fine.

ComboFix 12-12-04.01 - Daniel Wetherall 12/05/2012 17:17:32.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.597 [GMT -9:00]
Running from: c:\documents and settings\Daniel Wetherall\Desktop\ComboFix.exe
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Daniel Wetherall\Application Data\1F6600
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-11-06 to 2012-12-06 )))))))))))))))))))))))))))))))
.
.
2012-12-05 22:34 . 2012-12-05 22:34 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-12-05 21:53 . 2012-12-05 21:53 -------- d-----w- c:\windows\ERUNT
2012-12-05 21:53 . 2012-12-05 21:53 -------- d-----w- C:\JRT
2012-12-05 08:09 . 2012-12-05 08:09 -------- d-----w- c:\program files\WinDirStat
2012-12-05 08:01 . 2012-12-05 08:01 -------- d-----w- c:\program files\7-zip
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-27 10:18 . 2012-04-12 15:46 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-27 10:18 . 2011-05-23 04:44 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-04 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Z1"="c:\documents and settings\Daniel Wetherall\Desktop\mbar-1.01.0.1009\mbar\mbar.exe" [2012-12-05 1341800]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2011-3-9 3986944]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]
R2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [12/12/2011 12:24 AM 238592]
R2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [12/12/2011 12:24 AM 1060864]
R2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [12/12/2011 12:25 AM 484352]
R3 mbamchameleon;mbamchameleon;c:\windows\SYSTEM32\DRIVERS\mbamchameleon.sys [12/5/2012 1:34 PM 35144]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [12/11/2011 7:20 PM 11520]
S3 camvid40;Philips SPC 900NC PC Camera;c:\windows\SYSTEM32\DRIVERS\camdrv41.sys [12/13/2009 11:47 PM 1239552]
S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 12:28 PM 160944]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMCHAMELEON
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 10:18]
.
2012-12-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 20:20]
.
2012-12-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-02 21:40]
.
2012-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-07 19:39]
.
2012-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-07 19:39]
.
2012-12-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2425240458-456833205-2956304666-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 01:02]
.
2012-11-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2425240458-456833205-2956304666-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 01:02]
.
2012-12-05 c:\windows\Tasks\User_Feed_Synchronization-{AAC5E664-32BC-4EF2-941E-1ED90989F9D4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 13:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &MSN Search - c:\program files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?28860ac5a7a4b3488f182ae63de3b
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?28860ac5a7a4b3488f182ae63de3b
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 209.165.131.12 209.165.131.13
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
AddRemove-{007811BF-E310-4285-BFC6-55DB29B3EDDE} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~2\{00781~1\Setup.exe
AddRemove-Draw 4 App - c:\windows\system32\javaws.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-05 17:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2425240458-456833205-2956304666-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2012-12-05 17:49:28
ComboFix-quarantined-files.txt 2012-12-06 02:49
.
Pre-Run: 15,899,492,352 bytes free
Post-Run: 16,225,558,528 bytes free
.
- - End Of File - - 1FFA66F5E1C1F2B3A59B0F681B4B6A72

RogueKiller V8.3.1 [Dec 5 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Daniel Wetherall [Admin rights]
Mode : Remove -- Date : 12/05/2012 22:17:57

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\RunOnce : Z1 (C:\Documents and Settings\Daniel Wetherall\Desktop\mbar-1.01.0.1009\mbar\mbar.exe /cleanup /s) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[122] : NtOpenProcess @ 0x80574B29 -> HOOKED (\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB80A0C4C)
SSDT[128] : NtOpenThread @ 0x80590C64 -> HOOKED (\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys @ 0xB80A0D3C)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Maxtor 6E040L0 +++++
--- User ---
[MBR] 84a6e417466e6d3869fcef9f55122705
[BSP] f0531316a6163d16f4ba254ab3fe3bf4 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 31 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 64260 | Size: 39166 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_12052012_02d2217.txt >>
RKreport[1]_S_12052012_02d2217.txt ; RKreport[2]_D_12052012_02d2217.txt

#6 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA
  • Local time:03:17 AM

Posted 06 December 2012 - 02:48 AM

Fixing items using ComboFix
Make sure that ComboFix.exe that you downloaded just a while ago is on your desktop. If it is not on the desktop, the below will not work.
Shut down your protection software now to avoid potential conflicts.
Open Notepad and copy/paste the text in the below code box into Notepad:
KillAll::
SecCenter::
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
ClearJavaCache::
NoMBR::
RegNull::
[HKEY_USERS\S-1-5-21-2425240458-456833205-2956304666-1008\Software\Microsoft\SystemCertificates\AddressBook*]
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
This will launch ComboFix.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Allow ComboFix to update itself if prompted.
When ComboFix finishes, a log will be produced at C:\ComboFix.txt
Attach or post the contents of this log to your next message.

Edited by thisisu, 06 December 2012 - 02:49 AM.


#7 AKMAN2011

AKMAN2011
  • Topic Starter

  • Members
  • 29 posts
  • Local time:12:17 AM

Posted 07 December 2012 - 05:21 AM

ComboFix 12-12-04.01 - Daniel Wetherall 12/06/2012 7:59.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.653 [GMT -9:00]
Running from: c:\documents and settings\Daniel Wetherall\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Daniel Wetherall\Desktop\CFScript.txt.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-11-07 to 2012-12-07 )))))))))))))))))))))))))))))))
.
.
2012-12-07 05:49 . 2012-12-07 05:49 -------- d-----w- c:\windows\LastGood
2012-12-05 22:34 . 2012-12-05 22:34 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-12-05 21:53 . 2012-12-05 21:53 -------- d-----w- c:\windows\ERUNT
2012-12-05 21:53 . 2012-12-05 21:53 -------- d-----w- C:\JRT
2012-12-05 08:09 . 2012-12-05 08:09 -------- d-----w- c:\program files\WinDirStat
2012-12-05 08:01 . 2012-12-05 08:01 -------- d-----w- c:\program files\7-zip
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-27 10:18 . 2012-04-12 15:46 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-27 10:18 . 2011-05-23 04:44 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-04 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2011-3-9 3986944]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]
R2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [12/12/2011 12:24 AM 238592]
R2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [12/12/2011 12:24 AM 1060864]
R2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [12/12/2011 12:25 AM 484352]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [12/11/2011 7:20 PM 11520]
S3 camvid40;Philips SPC 900NC PC Camera;c:\windows\SYSTEM32\DRIVERS\camdrv41.sys [12/13/2009 11:47 PM 1239552]
S3 mbamchameleon;mbamchameleon;c:\windows\SYSTEM32\DRIVERS\mbamchameleon.sys [12/5/2012 1:34 PM 35144]
S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 12:28 PM 160944]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - BITS
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 10:18]
.
2012-12-07 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 20:20]
.
2012-12-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-02 21:40]
.
2012-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-07 19:39]
.
2012-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-07 19:39]
.
2012-12-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2425240458-456833205-2956304666-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 01:02]
.
2012-11-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2425240458-456833205-2956304666-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-30 01:02]
.
2012-12-07 c:\windows\Tasks\User_Feed_Synchronization-{AAC5E664-32BC-4EF2-941E-1ED90989F9D4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 13:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &MSN Search - c:\program files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?28860ac5a7a4b3488f182ae63de3b
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?28860ac5a7a4b3488f182ae63de3b
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 209.165.131.12 209.165.131.13
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-06 22:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2425240458-456833205-2956304666-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3000)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
.
**************************************************************************
.
Completion time: 2012-12-06 22:20:14 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-07 07:20
ComboFix2.txt 2012-12-06 02:49
.
Pre-Run: 16,181,874,688 bytes free
Post-Run: 16,092,606,464 bytes free
.
- - End Of File - - 137E70CD555E20EEA85E9AD760EB75AF

#8 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA
  • Local time:03:17 AM

Posted 07 December 2012 - 02:43 PM

Your system appears to be clean :)
If you are not experiencing any other malware related issues, it is time to do our final steps:

  • Any programs we had you download and/or install can be removed at this time.
  • If we had you create or download any custom fixes, these can be deleted at this time.
  • If we had you download and run ComboFix, here is how to uninstall it:
    • Press and hold the Windows key and then press the letter R on your keyboard.
    • This opens the Run dialog box.
    • Copy and paste the below text inside the text-field:
    • "%userprofile%\desktop\ComboFix" /uninstall
    • Now press ENTER
    • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
  • If we had you use DeFogger and press Disable, you can press the Enable button now.

Flush your System Restore points:
We should flush out your old, potentially infected System Restore points and create a new, clean restore point.
  • Follow these instructions:
  • Open OTL
  • Copy and paste the following code into the Custom Scans/Fixes text-field.
    :commands
    [clearallrestorepoints]
    
  • Now click the Run Fix button and follow the rest of the prompts.

Remove traces of our tools:
  • Follow these instructions:
  • Open OTL.
  • Click the Clean Up button.
  • Follow the prompts and reboot.


Recommendations:
  • I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
  • SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings, which will protect you from running and downloading known malicious programs.
  • Download and install it.
  • Update it manually by clicking on Updates in the left pane and then Check for Updates.
  • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
  • The free version doesn't have an automatic update. Update it every week or so and enable all protection again.
Be safe :)

#9 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA
  • Local time:03:17 AM

Posted 07 December 2012 - 02:44 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
