Trojan.Win32.Sasfis.tow AND Google redirect [Solved]


This topic is locked.

#1 swr_e007
Member, 11 posts

Hi,

I found this site after realising my Kaspersky virus checker couldn't deal with the Trojan.Win32.Sasfis.tow infection. It blocked it from accessing the web, but couldn't locate or eradicate it.

I followed the instructions in the Malware-Spyware-Cleaning-Guide, ran TFC, System Restore, ERUNT and MBAM.

This seemed to do the trick and it booted out the Trojan AND found several more I wasn't aware of...

I then ran Kaspersky, which seemed also to indicate that the system was now clean. :)

But...

On googling I am getting redirected to spurious advertising pages. Neither Kaspersky nor MBAM can help with this; they consider the system to be malware free. :)

I suspect all of these infections may have arrived together, not sure how. Kaspersky's virus page seemed unable to assist at all.

I decided to try and continue with the procedure, but RootRepeal failed after about 10 minutes of running.

It wrote the following crash report:

ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows XP SP3
Exception Code: 0xc0000094
Exception Address: 0x004eca19

I then ran OTL, which also threw up several exceptions, but eventually completed after hitting ‘retry’ a few times.

OTL logfile created on: 03/11/2009 19:48:24 - Run 1
OTL by OldTimer - Version 3.1.3.3 Folder = C:\Documents and Settings\Steven\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1023.48 Mb Total Physical Memory | 622.59 Mb Available Physical Memory | 60.83% Memory free
2.40 Gb Paging File | 2.02 Gb Available in Paging File | 84.08% Paging File free
Paging file location(s): C:\pagefile.sys 1534 1534 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 189.86 Gb Total Space | 6.87 Gb Free Space | 3.62% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 111.79 Gb Total Space | 56.77 Gb Free Space | 50.78% Space Free | Partition Type: NTFS
Drive F: | 62.61 Mb Total Space | 60.67 Mb Free Space | 96.90% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ADVENT-2005
Current User Name: Steven
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/11/03 19:13:04 | 00,527,872 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steven\Desktop\OTL.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/11/11 20:47:38 | 02,356,088 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
PRC - [2008/04/14 00:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/18 00:43:32 | 00,227,856 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
PRC - [2007/12/18 00:43:32 | 00,227,856 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
PRC - [2007/09/24 06:15:42 | 01,247,600 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PRC - [2007/07/09 17:46:50 | 00,106,496 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2006/10/05 22:11:34 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2006/05/03 16:43:46 | 00,413,696 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2006/05/03 16:43:46 | 00,413,696 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2006/01/02 15:41:22 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2006/01/02 15:41:22 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2004/05/12 15:23:42 | 00,335,872 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\sistray.exe
PRC - [2003/08/27 13:20:00 | 00,094,208 | R--- | M] (Cypress Semiconductor) -- C:\WINDOWS\SM1bg.exe
PRC - [2002/11/26 15:05:04 | 00,077,824 | ---- | M] (PGP Corporation) -- C:\WINDOWS\system32\PGPsdkServ.exe
PRC - [1996/11/21 00:00:00 | 00,333,824 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
PRC - [1996/11/21 00:00:00 | 00,051,984 | R--- | M] () -- C:\Program Files\Microsoft Office\Office\OSA.EXE


========== Modules (SafeList) ==========

MOD - [2009/11/03 19:13:04 | 00,527,872 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steven\Desktop\OTL.exe
MOD - [2008/07/25 10:17:20 | 00,635,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll
MOD - [2008/04/14 00:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/14 00:11:53 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll
MOD - [2007/12/18 00:44:58 | 00,088,592 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
MOD - [2007/12/18 00:44:52 | 00,048,656 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll
MOD - [2007/12/18 00:44:42 | 00,084,496 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll
MOD - [2002/08/29 12:00:00 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\serwvdrv.dll
MOD - [2002/08/29 12:00:00 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\umdmxfrm.dll


========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (LiveUpdate)
SRV - File not found -- -- (Automatic LiveUpdate Scheduler)
SRV - [2009/03/09 04:19:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/01/07 17:21:00 | 00,026,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spupdsvc.exe -- (spupdsvc)
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/04/14 00:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc)
SRV - [2007/12/18 00:43:32 | 00,227,856 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe -- (AVP)
SRV - [2007/09/24 06:15:42 | 01,247,600 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)
SRV - [2007/07/10 08:18:14 | 00,501,048 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2007/07/09 17:46:50 | 00,106,496 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2006/10/05 22:11:34 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/05/03 16:43:46 | 00,413,696 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2006/05/03 10:57:00 | 00,520,192 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/02/29 13:20:20 | 00,045,056 | ---- | M] ( ) -- C:\WINDOWS\System32\slserv.exe -- (SLService)
SRV - [2002/11/26 15:05:04 | 00,077,824 | ---- | M] (PGP Corporation) -- C:\WINDOWS\system32\PGPsdkServ.exe -- (PGPsdkServ)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://en-GB.start.m...en-GB:official"
FF - prefs.js..network.proxy.autoconfig_url: "file:///C:/Documents%20and%20Settings/Steven/My%20Documents/My%20Music/Temp/Tunebite/.downloading/profile/rrproxy_ffox_4a9e76c6.pac"
FF - prefs.js..network.proxy.type: 2

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/03/18 13:52:55 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\tunebite-firefox-surf-and-catch-extension@audials.com: C:\Program Files\RapidSolution\Tunebite\plugins\GeckoBased\tunebite-firefox-surf-and-catch-extension@audials.com\ [2009/07/15 07:37:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/07 18:49:34 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2008/08/26 07:47:22 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/02/06 08:17:44 | 00,000,000 | ---D | M]

[2009/10/09 11:18:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\9x4v4h5d.default\extensions
[2009/10/09 11:18:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\9x4v4h5d.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/10/15 08:47:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\9x4v4h5d.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2007/07/24 12:00:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\9x4v4h5d.default\extensions\{cc265d3d-3f6f-0170-a78b-bbbaef7a868c}
[2007/07/24 12:27:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\9x4v4h5d.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2009/10/09 11:28:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\9x4v4h5d.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2009/10/09 11:18:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\9x4v4h5d.default\extensions\staged-xpis
[2008/08/26 07:48:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\9x4v4h5d.default\extensions\unplug@compunach
[2008/08/26 07:48:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\9x4v4h5d.default\extensions\videodowloader@videodownloader.net
[2009/10/09 11:28:01 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/08/26 07:47:22 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/02/06 07:08:21 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/03/18 13:53:32 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
[2009/04/15 18:05:04 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2008/08/26 07:47:22 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\inspector@mozilla.org
[2008/08/26 07:47:03 | 00,066,408 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2008/08/26 07:47:03 | 00,054,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2008/08/26 07:47:03 | 00,034,688 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\myspell.dll
[2008/08/26 07:47:05 | 00,046,456 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\spellchk.dll
[2008/08/26 07:47:06 | 00,171,880 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll
[2009/03/09 04:19:09 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2007/10/20 00:54:06 | 00,717,312 | ---- | M] (DivX,Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
[2007/10/20 00:54:50 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
[2007/07/10 08:18:10 | 00,069,632 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npitunes.dll
[2008/08/26 07:47:17 | 00,022,400 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2007/05/10 22:52:34 | 00,095,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2008/09/16 16:53:11 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2008/09/16 16:53:11 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2008/09/16 16:53:11 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2008/09/16 16:53:12 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2008/09/16 16:53:12 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2008/09/16 16:53:12 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2006/11/09 15:20:00 | 02,111,096 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll
[2008/08/26 07:47:20 | 00,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2008/08/26 07:47:20 | 00,002,206 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2008/08/26 07:47:20 | 00,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2008/08/26 07:47:20 | 00,001,049 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2008/08/26 07:47:20 | 00,001,077 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2008/08/26 07:47:20 | 00,002,368 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2008/08/26 07:47:20 | 00,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: () - {274c0420-ebe0-4f1d-b473-edd1aa9b85dd} - C:\Program Files\iVideoCodec\isaddon.dll File not found
O2 - BHO: (SBCONVERT Class) - {A1056498-D09A-41E4-864B-505EDD640D9E} - C:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll File not found
O2 - BHO: (Tunebite_WebRipPlugin Class) - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - C:\Program Files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll (RapidSolution Software)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {1A29A79A-B9C8-44A9-BEDF-7FADDE3CF33F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE (CANON INC.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [pdfSaver3] File not found
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe (Silicon Integrated Systems Corp.)
O4 - HKLM..\Run: [SM1BG] C:\WINDOWS\SM1bg.exe (Cypress Semiconductor)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe (Silicon Integrated Systems Corporation)
O4 - Startup: C:\Documents and Settings\Steven\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\Steven\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
O4 - Startup: C:\Documents and Settings\Steven\Start Menu\Programs\Startup\Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Steven\Start Menu\Programs\Startup\Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClassicShell = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoThemesTab = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = -1
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm ()
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm ()
O8 - Extra context menu item: &Google Search - c:\program files\google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm ()
O8 - Extra context menu item: Backward Links - c:\program files\google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm ()
O8 - Extra context menu item: Download Images by Picture Finder - C:\Program Files\Super Picture Finder Grabber\pf_link.htm File not found
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Similar Pages - c:\program files\google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Translate into English - c:\program files\google\GoogleToolbar1.dll (Google Inc.)
O9 - Extra Button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll (Kaspersky Lab)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: ltd.uk ([old.whitelight] http in Trusted sites)
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.micr.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {0A742471-6B4B-4419-A0B2-68E4A9FF5ACD} file://C:\ActivLite\btlocal3.cab (BTLocalAPI.BTlocal)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} http://www.musicnote...ad/mnviewer.cab (Reg Error: Key error.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} http://download.micr...helpcontrol.cab (Microsoft Genuine Advantage Self Support Tool)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.micr...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} http://musicstore.co...ALStreaming.cab (MALPlaybackCtrl Class)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace....ploader1005.cab (MySpace Uploader Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1185519561921 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} http://acs.pandasoft...free/asinst.cab (ActiveScan Installer Class)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius....tiveXPlugin.cab (ScorchPlugin Class)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcaf...,26/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E19F9331-3110-11d4-991C-005004D3B3DB} http://java.sun.com/...-130_02-win.cab (Reg Error: Key error.)
O16 - DPF: {EF58E341-49C3-4156-A3C4-5FFCA7C1EAB7} http://www.euras.com...ivex2/euras.CAB (EURAS_Portal.Gateway)
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} http://chat.msn.com/...s/msnchat45.cab (MSN Chat Control 4.5)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/03/27 07:40:39 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/10/20 15:50:52 | 00,003,474 | ---- | M] () - F:\AUTOEXEC.BAT -- [ FAT ]
O33 - MountPoints2\{077ffd6a-7c40-11dd-a85e-00115b925b42}\Shell\AutoRun\command - "" = E:\WD_Windows_Tools\Setup.exe -- File not found
O33 - MountPoints2\{71d21bfd-c179-11dd-a8f6-00115b925b42}\Shell - "" = AutoRun
O33 - MountPoints2\{71d21bfd-c179-11dd-a8f6-00115b925b42}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{71d21bfd-c179-11dd-a8f6-00115b925b42}\Shell\AutoRun\command - "" = E:\DTSP_Launcher.exe -- File not found
O33 - MountPoints2\{ba71580c-20fc-11de-a9ae-00115b925b42}\Shell - "" = AutoRun
O33 - MountPoints2\{ba71580c-20fc-11de-a9ae-00115b925b42}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ba71580c-20fc-11de-a9ae-00115b925b42}\Shell\AutoRun\command - "" = K:\DTSP_Launcher.exe -- File not found
O33 - MountPoints2\{bd4ad1a6-ed67-11da-bb21-000e505753fb}\Shell\AutoRun\command - "" = I:\setupSNK.exe -- File not found
O33 - MountPoints2\K\Shell - "" = AutoRun
O33 - MountPoints2\K\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\K\Shell\AutoRun\command - "" = K:\DTSP_Launcher.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/10/19 17:40:11 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[2009/11/03 19:12:55 | 00,527,872 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Steven\Desktop\OTL.exe
[2009/11/03 18:18:43 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Steven\Desktop\RootRepeal.exe
[2009/11/03 12:11:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steven\Application Data\Malwarebytes
[2009/11/03 12:11:42 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/11/03 12:11:40 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/03 12:11:40 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/11/03 12:11:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/11/03 12:08:02 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/11/03 12:06:56 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/11/03 11:47:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steven\Desktop\System Security Tools
[2009/11/01 11:51:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steven\Desktop\stuff for mick
[2009/10/25 18:30:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steven\Desktop\MKIV master playlists
[2004/10/14 14:44:15 | 00,036,963 | R--- | C] (Cypress Semiconductor) -- C:\Program Files\Common Files\SM1updtr.dll
[2004/10/14 14:33:35 | 00,014,968 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\winddx.sys
[2004/10/14 14:31:54 | 00,095,656 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slnthal.sys
[2004/10/14 14:31:54 | 00,013,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slwdmsup.sys
[2004/10/14 14:31:53 | 01,300,968 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\mtlstrm.sys
[2004/10/14 14:31:53 | 00,635,200 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slntamr.sys
[2004/10/14 14:31:53 | 00,230,584 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\mtlmnt5.sys
[2004/10/14 14:31:53 | 00,180,592 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\ntmtlfax.sys
[2004/10/14 14:31:53 | 00,013,776 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\RecAgent.sys

========== Files - Modified Within 14 Days ==========

[2009/11/03 19:47:58 | 02,985,248 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2009/11/03 19:47:58 | 00,021,504 | ---- | M] () -- C:\Documents and Settings\Steven\Desktop\Hi.doc
[2009/11/03 19:27:34 | 83,073,568 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2009/11/03 19:13:04 | 00,527,872 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steven\Desktop\OTL.exe
[2009/11/03 18:52:49 | 00,134,787 | ---- | M] () -- C:\Documents and Settings\Steven\Desktop\RootRepeal.dmp
[2009/11/03 18:29:10 | 00,000,015 | ---- | M] () -- C:\Documents and Settings\Steven\Desktop\settings.dat
[2009/11/03 18:21:04 | 00,006,956 | ---- | M] () -- C:\WINDOWS\Steven8.xlb
[2009/11/03 18:20:49 | 00,019,456 | ---- | M] () -- C:\Documents and Settings\Steven\My Documents\Geeks2Go.doc
[2009/11/03 18:18:48 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Steven\Desktop\RootRepeal.exe
[2009/11/03 15:04:37 | 00,132,608 | ---- | M] () -- C:\Documents and Settings\Steven\Desktop\MKIV_2.wpp
[2009/11/03 12:28:06 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/11/03 12:25:03 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/03 12:24:59 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/03 12:24:51 | 10,732,70784 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/03 12:24:01 | 00,284,828 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2009/11/03 12:24:00 | 01,117,136 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2009/11/03 12:23:37 | 13,107,200 | -H-- | M] () -- C:\Documents and Settings\Steven\NTUSER.DAT
[2009/11/03 12:23:33 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Steven\ntuser.ini
[2009/11/03 12:07:33 | 00,000,767 | ---- | M] () -- C:\Documents and Settings\Steven\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/11/03 12:05:18 | 00,111,912 | ---- | M] () -- C:\Documents and Settings\Steven\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/11/03 12:04:09 | 00,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{CDEADD90-D879-43F0-A7D9-248D468F9E63}.job
[2009/11/03 09:14:29 | 08,503,296 | ---- | M] () -- C:\WINDOWS\outlook.pst
[2009/11/02 12:12:52 | 00,002,399 | ---- | M] () -- C:\Documents and Settings\Steven\Desktop\Microsoft AutoRoute (2).lnk
[2009/10/31 13:12:24 | 00,019,456 | ---- | M] () -- C:\Documents and Settings\Steven\Desktop\Clive.doc
[2009/10/31 12:39:35 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/10/28 15:56:34 | 00,023,552 | ---- | M] () -- C:\Documents and Settings\Steven\My Documents\Master Playlist October 2009.xls
[2009/10/27 20:10:51 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/10/26 11:08:23 | 00,019,968 | ---- | M] () -- C:\Documents and Settings\Steven\Desktop\Mull.doc
[2009/10/26 09:11:54 | 00,022,016 | ---- | M] () -- C:\Documents and Settings\Steven\Desktop\Webmaster.doc
[2009/10/25 18:21:34 | 00,020,480 | ---- | M] () -- C:\Documents and Settings\Steven\Desktop\Mkiv setlist 071109.doc
[2009/10/25 17:22:35 | 00,441,432 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/10/25 17:22:35 | 00,071,176 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/10/25 17:22:34 | 00,521,766 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/10/23 08:21:25 | 00,431,037 | ---- | M] () -- C:\Documents and Settings\Steven\Desktop\AAR96-04.pdf
[2009/10/22 11:56:21 | 00,153,085 | ---- | M] () -- C:\Documents and Settings\Steven\Desktop\JR_Demo_scan.jpg

========== Files Created - No Company Name ==========

[2009/11/03 19:47:57 | 00,021,504 | ---- | C] () -- C:\Documents and Settings\Steven\Desktop\Hi.doc
[2009/11/03 18:52:49 | 00,134,787 | ---- | C] () -- C:\Documents and Settings\Steven\Desktop\RootRepeal.dmp
[2009/11/03 18:21:52 | 00,000,015 | ---- | C] () -- C:\Documents and Settings\Steven\Desktop\settings.dat
[2009/11/03 18:20:49 | 00,019,456 | ---- | C] () -- C:\Documents and Settings\Steven\My Documents\Geeks2Go.doc
[2009/11/03 12:07:33 | 00,000,767 | ---- | C] () -- C:\Documents and Settings\Steven\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/10/31 13:12:24 | 00,019,456 | ---- | C] () -- C:\Documents and Settings\Steven\Desktop\Clive.doc
[2009/10/28 15:55:19 | 00,023,552 | ---- | C] () -- C:\Documents and Settings\Steven\My Documents\Master Playlist October 2009.xls
[2009/10/26 11:08:22 | 00,019,968 | ---- | C] () -- C:\Documents and Settings\Steven\Desktop\Mull.doc
[2009/10/26 09:11:54 | 00,022,016 | ---- | C] () -- C:\Documents and Settings\Steven\Desktop\Webmaster.doc
[2009/10/25 18:21:33 | 00,020,480 | ---- | C] () -- C:\Documents and Settings\Steven\Desktop\Mkiv setlist 071109.doc
[2009/10/23 08:21:25 | 00,431,037 | ---- | C] () -- C:\Documents and Settings\Steven\Desktop\AAR96-04.pdf
[2009/10/22 11:56:21 | 00,153,085 | ---- | C] () -- C:\Documents and Settings\Steven\Desktop\JR_Demo_scan.jpg
[2009/07/13 12:57:24 | 00,000,129 | ---- | C] () -- C:\Documents and Settings\Steven\Local Settings\Application Data\fusioncache.dat
[2008/12/18 14:50:07 | 00,000,134 | ---- | C] () -- C:\WINDOWS\huffyuv.ini
[2008/09/14 17:53:13 | 00,023,969 | ---- | C] () -- C:\Documents and Settings\Steven\Application Data\Comma Separated Values (Windows).ADR
[2008/08/08 07:21:00 | 00,000,365 | ---- | C] () -- C:\WINDOWS\VivTV.ini
[2008/07/08 06:09:24 | 00,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2008/06/18 14:59:56 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/06/16 14:30:18 | 00,000,000 | ---- | C] () -- C:\WINDOWS\AoADVDRipper.INI
[2008/01/17 13:11:40 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2007/10/20 00:56:16 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/10/20 00:54:28 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2007/10/20 00:54:28 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2007/10/18 09:02:34 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/09/06 08:12:54 | 00,000,030 | ---- | C] () -- C:\WINDOWS\BOXPLOT.INI
[2007/08/30 21:13:50 | 00,000,059 | ---- | C] () -- C:\Documents and Settings\Steven\Local Settings\Application Data\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
[2007/08/30 21:08:45 | 00,000,082 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
[2007/07/25 13:24:28 | 01,559,040 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/03/05 12:34:28 | 00,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/02/08 12:17:05 | 00,032,256 | ---- | C] () -- C:\WINDOWS\System32\xqpdai.dll
[2006/12/20 12:08:07 | 00,002,145 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/11/06 20:20:58 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2006/10/09 13:01:06 | 00,000,004 | ---- | C] () -- C:\WINDOWS\info147.sys
[2006/07/27 07:10:30 | 00,000,949 | ---- | C] () -- C:\Documents and Settings\Steven\Application Data\AutoGK.ini
[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/06/22 06:35:29 | 00,000,861 | ---- | C] () -- C:\WINDOWS\pagebreeze.ini
[2006/06/22 06:35:29 | 00,000,044 | ---- | C] () -- C:\WINDOWS\formbreeze.ini
[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/02/27 13:30:32 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2006/01/15 16:51:45 | 00,000,568 | ---- | C] () -- C:\WINDOWS\HCWPNP.INI
[2006/01/15 16:16:02 | 00,009,206 | ---- | C] () -- C:\WINDOWS\NTTuner.ini
[2005/12/13 11:29:42 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[2005/12/13 11:29:39 | 00,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2005/11/27 18:41:10 | 00,032,397 | ---- | C] () -- C:\WINDOWS\SGTBox.INI
[2005/10/11 08:13:48 | 00,000,055 | ---- | C] () -- C:\Documents and Settings\Steven\Application Data\WaveBreaker.ini
[2005/09/23 21:15:04 | 01,798,144 | ---- | C] () -- C:\WINDOWS\System32\ltmm_n.dll
[2005/09/08 20:07:38 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\pldefl.dll
[2005/09/03 19:14:10 | 00,000,084 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/08/31 12:08:14 | 00,000,055 | ---- | C] () -- C:\Documents and Settings\Steven\Application Data\PixxxGrabber Favorites.html
[2005/08/31 12:08:11 | 00,000,169 | ---- | C] () -- C:\Documents and Settings\Steven\Application Data\PixxxGrabber Preferences.ini
[2005/08/23 09:57:12 | 00,030,192 | ---- | C] () -- C:\WINDOWS\System32\WinImg.dll
[2005/08/12 14:20:55 | 00,000,082 | ---- | C] () -- C:\Program Files\CIMAMngFreePaper8100.ini
[2005/08/12 14:12:01 | 00,000,100 | ---- | C] () -- C:\Program Files\ECDCIMAMngFreePaper8.ini
[2005/08/04 18:49:21 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\PGPtclP11.dll
[2005/07/04 12:04:36 | 00,000,035 | ---- | C] () -- C:\WINDOWS\A4W.INI
[2005/07/04 12:00:36 | 00,000,008 | ---- | C] () -- C:\WINDOWS\phbase.ini
[2005/07/04 11:59:27 | 00,000,572 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2005/07/04 11:56:28 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OP70.INI
[2005/07/04 11:55:13 | 00,001,389 | ---- | C] () -- C:\WINDOWS\pstudio.ini
[2005/07/04 11:55:13 | 00,000,028 | ---- | C] () -- C:\WINDOWS\album.ini
[2005/07/01 14:53:13 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2005/07/01 14:44:02 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS6d.DLL
[2005/06/25 17:52:18 | 00,000,179 | ---- | C] () -- C:\WINDOWS\WIZ.INI
[2005/05/22 20:28:32 | 00,000,044 | ---- | C] () -- C:\WINDOWS\liveup.ini
[2005/04/17 08:38:06 | 00,000,082 | ---- | C] () -- C:\Program Files\CIMAMngFreePaper5100.ini
[2005/04/17 08:32:10 | 00,000,082 | ---- | C] () -- C:\Program Files\CIMAMngFreePaper2100.ini
[2005/03/15 19:45:16 | 00,000,044 | ---- | C] () -- C:\WINDOWS\T396.ini
[2005/02/22 23:18:46 | 02,151,670 | -H-- | C] () -- C:\Documents and Settings\Steven\Local Settings\Application Data\IconCache.db
[2005/02/22 11:05:12 | 00,000,007 | ---- | C] () -- C:\WINDOWS\_win32_system_info.dll
[2005/02/22 11:05:12 | 00,000,002 | ---- | C] () -- C:\WINDOWS\_win32_system_data.dll
[2005/02/22 11:05:12 | 00,000,000 | ---- | C] () -- C:\WINDOWS\_win32_system.dll
[2005/02/22 10:56:54 | 00,000,135 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/02/22 10:56:18 | 00,201,216 | ---- | C] () -- C:\Documents and Settings\Steven\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/02/05 07:29:54 | 00,005,606 | ---- | C] () -- C:\WINDOWS\System32\stci.dll
[2005/01/15 20:31:09 | 00,000,022 | ---- | C] () -- C:\WINDOWS\exchng.ini
[2005/01/15 20:31:08 | 00,000,611 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/01/13 07:47:02 | 00,000,047 | ---- | C] () -- C:\WINDOWS\T171.ini
[2005/01/13 07:46:47 | 00,109,568 | ---- | C] () -- C:\WINDOWS\System32\JGFR400.DLL
[2005/01/09 12:21:00 | 00,000,236 | ---- | C] () -- C:\Documents and Settings\Steven\Application Data\wklnhst.dat
[2005/01/09 12:20:27 | 00,111,912 | ---- | C] () -- C:\Documents and Settings\Steven\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2005/01/09 12:20:27 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Steven\Application Data\desktop.ini
[2004/10/19 09:23:30 | 00,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2004/10/14 19:42:14 | 00,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2004/10/14 14:37:01 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/10/14 14:33:35 | 00,528,384 | ---- | C] () -- C:\WINDOWS\System32\SLLights.dll
[2004/10/14 14:33:35 | 00,208,896 | ---- | C] () -- C:\WINDOWS\System32\amr_cpl.dll
[2004/10/14 14:33:35 | 00,135,168 | ---- | C] () -- C:\WINDOWS\System32\SLMOHServ.dll
[2004/10/14 14:31:53 | 00,196,608 | ---- | C] () -- C:\WINDOWS\System32\slextspk.dll
[2004/10/14 14:31:53 | 00,163,840 | ---- | C] () -- C:\WINDOWS\System32\SLGen.dll
[2004/10/14 14:31:52 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\coinst.dll
[2004/10/14 14:28:21 | 00,108,023 | R--- | C] () -- C:\WINDOWS\VGAsetup.ini
[2004/10/14 14:28:01 | 00,102,899 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2004/10/14 13:56:55 | 00,032,768 | ---- | C] () -- C:\WINDOWS\SIS_LIB.DLL
[2004/10/14 13:49:13 | 00,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2004/10/14 13:47:07 | 00,135,168 | R--- | C] () -- C:\WINDOWS\System32\property.dll
[2004/10/14 13:46:40 | 00,139,264 | R--- | C] () -- C:\WINDOWS\System32\IDEproperty.dll
[2004/10/05 22:37:20 | 00,258,048 | ---- | C] () -- C:\WINDOWS\System32\Manipulate.dll
[2003/08/07 19:01:50 | 00,126,464 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2003/03/27 08:50:12 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/03/27 06:28:14 | 00,001,388 | R--- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/03/27 06:27:44 | 00,001,149 | ---- | C] () -- C:\WINDOWS\win.ini
[2003/03/27 06:27:38 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/03/26 23:33:04 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2002/10/15 22:54:04 | 00,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[1996/11/21 00:00:00 | 00,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1996/11/21 00:00:00 | 00,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1996/11/21 00:00:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== LOP Check ==========

[2006/10/09 13:19:18 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\dslic
[2007/04/10 11:14:05 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\dsppro0
[2005/01/26 18:02:52 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\FirstClass
[2005/10/24 17:45:56 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Mindjet
[2005/12/13 22:47:36 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2008/05/08 13:41:06 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2005/08/04 18:49:22 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\PGP Corporation
[2009/07/15 07:46:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RapidSolution
[2009/10/09 12:02:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SpeedBit
[2009/10/09 12:07:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2006/01/05 11:15:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Zabersoft
[2009/07/13 12:57:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\ATI
[2009/10/02 14:51:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Canon
[2007/03/29 07:42:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\CD-LabelPrint
[2009/02/05 22:52:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Cimaware
[2008/06/02 20:08:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\DNA
[2005/09/07 06:11:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Inspiration Software
[2007/07/16 15:24:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Kingston
[2009/10/12 17:15:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Ku6 Downloader(xmlbar)
[2005/09/06 09:32:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\LCt
[2006/02/20 09:04:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Mp3tag
[2008/05/08 13:40:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\NCH Swift Sound
[2009/02/06 07:12:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\OpenOffice.org
[2005/08/04 18:49:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\PGP Corporation
[2005/08/23 08:53:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\PictureRipper
[2007/08/30 21:08:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\PixelMetrics
[2008/05/08 13:41:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Recordpad
[2008/04/25 06:54:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Serif
[2005/07/19 06:55:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Seven Zip
[2008/08/03 17:26:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Sibelius Software
[2005/03/01 08:23:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\Template
[2009/03/02 10:30:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\tunebite
[2005/09/06 07:40:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steven\Application Data\{9E3A8735-9ABB-468A-A982-A50862FC9AB3}
[2002/08/29 19:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/11/03 12:28:06 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2009/11/03 12:25:03 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/11/03 12:04:09 | 00,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{CDEADD90-D879-43F0-A7D9-248D468F9E63}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[2004/08/03 23:56:44 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2002/08/29 12:00:00 | 00,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\Documents and Settings\Steven\Desktop\Rescue\i386\system32\scecli.dll
[2002/08/29 12:00:00 | 00,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\pebuilder3110a\I386\SYSTEM32\SCECLI.DLL
[2004/08/03 23:56:46 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 00:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 00:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2002/08/29 12:00:00 | 00,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\Documents and Settings\Steven\Desktop\Rescue\i386\system32\netlogon.dll
[2002/08/29 12:00:00 | 00,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\pebuilder3110a\I386\SYSTEM32\NETLOGON.DLL
[2004/08/03 23:56:46 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2008/04/14 00:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 00:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2002/08/29 12:00:00 | 00,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\Documents and Settings\Steven\Desktop\Rescue\i386\system32\drivers\atapi.sys
[2002/08/29 12:00:00 | 00,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\pebuilder3110a\I386\SYSTEM32\DRIVERS\ATAPI.SYS
[2004/08/03 21:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] () MD5 -- C:\WINDOWS\system32\drivers\atapi.sys
[2002/08/29 12:00:00 | 00,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >
[2004/08/03 22:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

========== Alternate Data Streams ==========

@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A9662AE0
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0938FDDA
< End of report >





I would be very grateful for help on what to do next.

Thanks,
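The `/md5` custom-scan blocks in the OTL log above list every copy of a driver with its hash; for the live `C:\WINDOWS\system32\drivers\atapi.sys` OTL printed a bare `MD5` with no value and an empty company field, and the ComboFix run posted later in this thread reports that copy as infected. The script below is an added example (not code from OTL, ComboFix or the poster) that parses such blocks and flags live copies whose hash could not be computed or, going beyond what this log shows, whose hash differs from the `ServicePackFiles\i386` copy; it assumes that copy is the trusted reference and takes its sample input from the eventlog.dll and atapi.sys lines copied from the log above.

```python
"""Audit the '/md5' custom-scan blocks of an OTL log (added example, not OTL or
ComboFix code). Assumed: the copy under \\WINDOWS\\ServicePackFiles\\i386\\ is the
trusted reference; a "live" copy is one under \\WINDOWS\\system32\\ outside
ReinstallBackups. OTL prints a bare 'MD5' when it cannot hash a file."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Custom-scan header, e.g. '< %SYSTEMDRIVE%\atapi.sys /s /md5 >'
HEADER_RE = re.compile(r"^<\s*(?P<target>\S+)\s+/s\s+/md5\s*>$")
# File line: [stamp | size | attrs | kind] (company) MD5=hash -- path
# '=hash' is optional so that a bare 'MD5' (hash not computed) still parses.
ENTRY_RE = re.compile(
    r"^\[[^|]+\| (?P<size>[\d,]+) \|[^\]]*\] \((?P<company>[^)]*)\) "
    r"MD5(?:=(?P<md5>[0-9A-Fa-f]{32}))? -- (?P<path>\S.*?)\s*$"
)

@dataclass
class Entry:
    path: str
    size: int
    company: str
    md5: Optional[str]  # None when OTL could not compute the hash

@dataclass
class Finding:
    target: str  # file name from the scan header, e.g. 'atapi.sys'
    path: str
    reason: str

def parse_md5_blocks(log_text: str) -> Dict[str, List[Entry]]:
    """Group OTL file lines under the '< ... /md5 >' header they follow."""
    blocks: Dict[str, List[Entry]] = {}
    current: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("<") and line.endswith(">"):
            m = HEADER_RE.match(line)
            # Any other header, e.g. '< End of report >', closes the block.
            current = m.group("target").rsplit("\\", 1)[-1].lower() if m else None
            if current is not None:
                blocks.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            blocks[current].append(Entry(
                path=m.group("path"),
                size=int(m.group("size").replace(",", "")),
                company=m.group("company").strip(),
                md5=m.group("md5").upper() if m.group("md5") else None,
            ))
    return blocks

def is_reference(path: str) -> bool:
    return "\\servicepackfiles\\i386\\" in path.lower()

def is_live(path: str) -> bool:
    p = path.lower()
    return "\\windows\\system32\\" in p and "\\reinstallbackups\\" not in p

def audit_md5_blocks(log_text: str) -> List[Finding]:
    """Flag live copies whose hash is missing or differs from the reference."""
    findings: List[Finding] = []
    for target, entries in parse_md5_blocks(log_text).items():
        reference = {e.md5 for e in entries if is_reference(e.path) and e.md5}
        for e in entries:
            if not is_live(e.path):
                continue
            if e.md5 is None:
                findings.append(Finding(target, e.path, "MD5 could not be computed"))
            elif reference and e.md5 not in reference:
                findings.append(Finding(target, e.path, "MD5 differs from ServicePackFiles copy"))
            if not e.company:
                findings.append(Finding(target, e.path, "no company/version info"))
    return findings

# Sample input: eventlog.dll and atapi.sys lines copied from the OTL log above.
SAMPLE_LOG = r"""
< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2004/08/03 21:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] () MD5 -- C:\WINDOWS\system32\drivers\atapi.sys
[2002/08/29 12:00:00 | 00,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys
< End of report >
"""

if __name__ == "__main__":
    for f in audit_md5_blocks(SAMPLE_LOG):
        print(f"{f.target}: {f.path}: {f.reason}")
```

Run against the sample, it reports only the live atapi.sys (hash not computed, no company info); the eventlog.dll block, whose live copy matches its ServicePackFiles hash, produces nothing.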


#2
NeonFx

    Malware Removal Dude

  • Expert
  • 3,792 posts
Hello there :) Welcome to the GeeksToGo forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:

  • The fixes are specific to your problem and should only be used on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
  • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Step 1

Note: Disabling any security programs you have running will significantly increase the chances of the following working as it should. Please disable AntiViruses, AntiSpywares and Firewalls before continuing on with my instructions. For instructions, if needed, see HERE or HERE

Download Combofix from any of the links below but rename the file to SasfisBeGone before saving it to your desktop.

To do so in Internet Explorer right click one of the links and select "Save Target As.." from the options. This will open a Save box where you should navigate to your Desktop and change the name in the textbox on the bottom.
To get the same box in Firefox right click one of these links and select "Save Link As.." from the menu.

Link 1
Link 2


==================================


Double click on the SasfisBeGone.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • If you are asked to allow ComboFix to download and install the Recovery Console or have it update, let it do so.
  • Please post the results that are saved at C:\ComboFix.txt in your next reply


#3
swr_e007

    Member

  • Member
  • 11 posts
Hi NeonFx,

Many thanks for the help.

I've downloaded ComboFix and it seemed to run all OK. I had to install the recovery console. It did say at one point that it had found a rootkit infection and requested a reboot. After it had finished it seemed to have wiped out my Kaspersky entry from the task bar - I had to restart it from the programs folder. It then complained that ComboFix was a 'heur.invader', which I presume is normal?

Here's the log:

ComboFix 09-11-03.03 - Steven 04/11/2009 7:51.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.661 [GMT 0:00]
Running from: c:\documents and settings\Steven\Desktop\SasfixBeGone.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2781504589-2382750585-1605616401-1003
c:\recycler\S-1-5-21-3657561249-2230923689-572454927-1003
c:\windows\system32\logs

Infected copy of c:\windows\System32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.

2009-11-03 12:11 . 2009-11-03 12:11 -------- d-----w- c:\documents and settings\Steven\Application Data\Malwarebytes
2009-11-03 12:11 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 12:11 . 2009-11-03 12:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-03 12:11 . 2009-11-03 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-03 12:11 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 12:06 . 2009-11-03 12:07 -------- d-----w- c:\program files\ERUNT
2009-11-02 20:22 . 2009-11-02 20:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-02 09:46 . 2009-11-02 09:46 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-12 17:15 . 2009-10-12 17:15 -------- d-----w- c:\documents and settings\Steven\Application Data\Ku6 Downloader(xmlbar)
2009-10-12 17:15 . 2009-10-12 17:15 -------- d-----w- c:\program files\Xmlbar
2009-10-12 08:01 . 2009-10-28 13:45 -------- d-----w- c:\documents and settings\Steven\Application Data\vlc
2009-10-12 07:58 . 2009-10-12 07:58 -------- d-----w- c:\program files\VideoLAN
2009-10-09 12:02 . 2009-10-09 12:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedBit
2009-10-09 12:02 . 2009-10-09 12:02 50688 ----a-w- c:\windows\system32\wbhelp2.dll
2009-10-09 12:02 . 2009-10-09 12:04 -------- d-----w- c:\program files\DAP
2009-10-09 12:01 . 2009-10-12 16:00 -------- d-----w- c:\program files\SpeedBit Video Downloader

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 08:07 . 2008-01-20 17:45 2995232 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-04 08:07 . 2008-01-20 17:45 83207968 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-04 08:05 . 2008-01-20 17:45 286004 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-04 08:05 . 2008-01-20 17:45 1120592 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-04 07:30 . 2005-01-10 18:37 -------- d-----w- c:\program files\PocoMail
2009-11-04 07:10 . 2008-01-20 17:45 -------- d--h--w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-11-03 12:05 . 2005-01-09 12:20 111912 ----a-w- c:\documents and settings\Steven\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-12 07:44 . 2005-02-22 11:03 -------- d-----w- c:\program files\Twins Video Player
2009-10-09 12:07 . 2007-01-02 11:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-07 08:24 . 2005-02-15 07:13 -------- d-----w- c:\documents and settings\Steven\Application Data\Apple Computer
2009-10-02 14:51 . 2005-11-25 07:58 -------- d-----w- c:\documents and settings\Steven\Application Data\Canon
2009-10-01 09:29 . 2009-10-03 12:45 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-11 14:18 . 2004-10-14 19:44 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-10-14 19:44 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-01-21 15:16 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-10-14 19:44 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 18:24 . 2004-10-19 10:51 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 18:24 . 2004-10-19 10:51 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 18:24 . 2005-05-26 03:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 18:24 . 2005-01-11 18:23 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 18:24 . 2004-10-14 19:45 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 18:24 . 2004-10-14 19:42 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 18:23 . 2004-10-19 10:51 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 18:23 . 2007-07-29 09:17 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 18:23 . 2007-04-16 21:43 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 18:23 . 2004-10-14 19:45 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-06 13:53 . 2005-01-09 12:21 236 ----a-w- c:\documents and settings\Steven\Application Data\wklnhst.dat
2005-08-12 14:20 . 2005-08-12 14:20 82 ----a-w- c:\program files\CIMAMngFreePaper8100.ini
2005-08-12 14:12 . 2005-08-12 14:12 100 ----a-w- c:\program files\ECDCIMAMngFreePaper8.ini
2005-04-17 08:38 . 2005-04-17 08:38 82 ----a-w- c:\program files\CIMAMngFreePaper5100.ini
2005-04-17 08:32 . 2005-04-17 08:32 82 ----a-w- c:\program files\CIMAMngFreePaper2100.ini
2003-08-27 13:19 . 2004-10-14 14:44 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2008-08-26 07:47 . 2007-02-05 09:38 66408 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-08-26 07:47 . 2007-02-05 09:38 54112 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-08-26 07:47 . 2007-02-05 09:38 34688 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-08-26 07:47 . 2007-02-05 09:38 46456 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-08-26 07:47 . 2007-02-05 09:38 171880 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2007-06-29 286720]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Steven\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [2005-1-15 111376]
Microsoft Office Shortcut Bar.Lnk - c:\program files\Microsoft Office\Office\MSOFFICE.EXE [2005-1-15 333824]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [2005-1-15 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2004-10-14 335872]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PGPtray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PGPtray.lnk
backup=c:\windows\pss\PGPtray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Slim Multimedia Keyboard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Slim Multimedia Keyboard.lnk
backup=c:\windows\pss\Slim Multimedia Keyboard.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Steven^Start Menu^Programs^Startup^RSI Protector.lnk]
path=c:\documents and settings\Steven\Start Menu\Programs\Startup\RSI Protector.lnk
backup=c:\windows\pss\RSI Protector.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)
"WebClient"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"TrkWks"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SSDPSRV"=3 (0x3)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"PolicyAgent"=2 (0x2)
"NtLmSsp"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"helpsvc"=2 (0x2)
"ERSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"Browser"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SpeedTouch\\Dr SpeedTouch\\drst.exe"=
"c:\\Program Files\\CSLU\\Tcl80\\bin\\wish80.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\T396\\flex\\PRO386W.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.321\\English\\setup.exe"=

R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [18/05/2007 16:04 11886]
R2 PGPsdkServ;PGPsdkService;c:\windows\system32\PGPsdkServ.exe [04/08/2005 18:49 77824]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [05/10/2006 22:11 13592]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [13/12/2007 13:28 24592]
S3 NuVision;Hauppauge WinTV USB Live Pro;c:\windows\system32\drivers\Nuvision.sys [15/01/2006 16:16 260144]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-11-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-10-05 22:11]

2009-11-04 c:\windows\Tasks\User_Feed_Synchronization-{CDEADD90-D879-43F0-A7D9-248D468F9E63}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: Download Images by Picture Finder - c:\program files\Super Picture Finder Grabber\pf_link.htm
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: ltd.uk\old.whitelight
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0A742471-6B4B-4419-A0B2-68E4A9FF5ACD} - file://c:\activlite\btlocal3.cab
FF - ProfilePath - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\9x4v4h5d.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\RapidSolution\Tunebite\plugins\GeckoBased\tunebite-firefox-surf-and-catch-extension@audials.com\components\TB_WebRipFFPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-pdfSaver3 - (no file)
AddRemove-BitTorrent DNA - c:\program files\DNA\btdna.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 08:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-914090876-3646181656-3495054330-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(888)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll

- - - - - - - > 'explorer.exe'(2444)
c:\windows\system32\WININET.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2009-11-04 8:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-04 08:17

Pre-Run: 7,217,815,552 bytes free
Post-Run: 7,080,800,256 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
  • 0

#4
NeonFx

NeonFx

    Malware Removal Dude

  • Expert
  • 3,792 posts
You did good by ignoring Kaspersky. 'heur.invader' is another way of saying "My Heuristics scan detected that this program acts like an invader", and yes it's normal for antivirus and security programs to get suspicious of our tools. That's why we need people to disable them most of the time when we run them.

It seems that took care of the problem :) Since you already have MalwareBytes AntiMalware let's skip right on to the step after that which is an online scan. This will take a while but it's well worth it as it can often find things all other scanners will miss.

Run ESET Online Scan


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
You can refer to this animation by neomage if needed.
  • 0

#5
swr_e007

swr_e007

    Member

  • Member
  • PipPip
  • 11 posts
Thanks very much for your help so far. I will be away from the computer for the next day or so, so it will take me a short while to do the next step.
I haven't given up, just busy!
I'll be back as soon as I can, maybe tomorrow...
  • 0

#6
NeonFx

NeonFx

    Malware Removal Dude

  • Expert
  • 3,792 posts
Alright. Take your time, there's no rush :)
  • 0

#7
swr_e007

swr_e007

    Member

  • Member
  • PipPip
  • 11 posts
OK, done it!

I couldn't get ESET to run with IE8, no way. I added it to the trusted zone and accepted various warnings, but no way. In the end I ran it under Firefox instead...

Here's the result:

C:\backup\PocoMail.bak\Attach\Attached message220.eml HTML/TrojanSpy.Bankfraud.OQ trojan contained infected files
C:\backup\PocoMail.bak\Attach\Attached message442.eml HTML/Bankfraud.PD trojan cleaned by deleting - quarantined
C:\backup\PocoMail.bak\Attach\Attached message443.eml HTML/Bankfraud.PD trojan cleaned by deleting - quarantined
C:\backup\PocoMail.bak\Attach\Attached message479.eml HTML/Fraud.L trojan contained infected files
C:\backup\PocoMail.bak\Attach\Attached message62.eml HTML/Phishing.gen trojan cleaned by deleting - quarantined
C:\backup\PocoMail.bak\Attach\Attached message804.eml HTML/Phishing.gen trojan cleaned by deleting - quarantined
C:\backup\PocoMail.bak\Mail\In.mbx HTML/Phishing.gen trojan contained infected files
C:\Program Files\PocoMail\Attach\Attached message220.eml HTML/TrojanSpy.Bankfraud.OQ trojan contained infected files
C:\Program Files\PocoMail\Attach\Attached message442.eml HTML/Bankfraud.PD trojan cleaned by deleting - quarantined
C:\Program Files\PocoMail\Attach\Attached message443.eml HTML/Bankfraud.PD trojan cleaned by deleting - quarantined
C:\Program Files\PocoMail\Attach\Attached message479.eml HTML/Fraud.L trojan contained infected files
C:\Program Files\PocoMail\Attach\Attached message62.eml HTML/Phishing.gen trojan cleaned by deleting - quarantined
C:\Program Files\PocoMail\Attach\Attached message804.eml HTML/Phishing.gen trojan cleaned by deleting - quarantined
C:\Program Files\PocoMail\Mail\In.mbx HTML/Phishing.gen trojan contained infected files
C:\Program Files\PocoMail\Mail\In.~mbx HTML/Phishing.gen trojan contained infected files
C:\WINDOWS\system32\ActiveScan\pskavs.dll probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
  • 0

#8
NeonFx

NeonFx

    Malware Removal Dude

  • Expert
  • 3,792 posts
Good. All it found was infected emails and a false positive.

How's the computer running?
  • 0

#9
swr_e007

swr_e007

    Member

  • Member
  • PipPip
  • 11 posts
The computer is running absolutely fine, no sign of any problems, no spurious redirects from IE8 and no worrying messages from Kaspersky. It is looking good :)
  • 0

#10
NeonFx

NeonFx

    Malware Removal Dude

  • Expert
  • 3,792 posts
Excellent. Let's clean up.

STEP 1

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

(If you use Vista or 7 just paste it into the text box that appears next to your start button)


ComboFix /Uninstall

STEP 2

To clean up OldTimer's tools, along with a few others, do the following:



  • Run OTL.exe by double clicking on it
  • Click on the "CleanUp" button on the top.
  • You will be asked if you wish to reboot your system, select "Yes"




STEP 3

Remove any other tools or files we used by right-clicking on them or any folders they created, hold down the Shift key, and select "Delete" by clicking on it. This will delete the files without sending them to the Recycle Bin.

You can also uninstall the other programs (HijackThis or MalwareBytes if we used them) by going to Start > Control Panel > Add/Remove programs (Programs and Features in Vista/7)

All Clean

Congratulations, your system is now clean. Now that your system is safe we would like you to keep it that way. Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up loopholes in Windows and Office products and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates


Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name (the name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlockList Pro's HOSTS Manager HERE



  • Double click the Installer on your desktop and let it Install the Hosts Manager
  • After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
  • When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled Options and Tools,
  • Click Disable DNS Service. This is important
  • In the Left Pane, click Download
  • It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save



You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Install WinPatrol
Download it HERE
You can find information about how WinPatrol works HERE

Other Software Updates
It is very important to update the other software on your computer to patch up any security issues you may have. Go HERE to scan your computer for any out of date software. In particular make sure you download the updates for Java and Adobe as these are subject to many security vulnerabilities.

Setting up Automatic Updates
So that it is not necessary to have to remember to update your computer regularly (something very important to securing your system), automatic updates should be configured on your computer. Microsoft has guides for XP and Vista on how to do this.

Read further information HERE on how to prevent Malware infections and keep yourself clean.
  • 0
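NeonFx's description of how a HOSTS file "short circuits" a lookup, turned into a runnable illustration. This is an added example, not code from the thread or from BlockList Pro's Hosts Manager: it parses text in the HOSTS file format, lists which names the file sinkholes, and resolves names the way the OS does (HOSTS first, DNS only for names not found there). The sample entries, the hostnames and the stand-in DNS table are all constructed for the demo.

```python
"""Added example: how a HOSTS file short-circuits name resolution.

Windows consults c:\\windows\\system32\\drivers\\etc\\hosts before it asks DNS, so a
line mapping a bad site to 127.0.0.1 (or 0.0.0.0) means the browser never reaches
that site. parse_hosts() reads the file format, blocked_hosts() reports what a
given file sinkholes, and resolve() reproduces the HOSTS-then-DNS lookup order.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample in the HOSTS format: "<ip> <name> [alias ...]",
# '#' starts a comment, blank lines are ignored. All hostnames are invented.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.   (typical header line of the stock file)
127.0.0.1       localhost
127.0.0.1       ads.example-bad-site.invalid   # blocked: loops back to this machine
127.0.0.1       tracker.example-bad-site.invalid
0.0.0.0         malware-host.example.invalid   # 0.0.0.0 is the other common sinkhole address
this-is-not-an-ip   broken.example.invalid     # malformed line: skipped, must not crash the parser
"""

# Addresses that send a request nowhere useful; a name mapped here is "blocked".
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname: ip} for every valid entry; invalid lines are skipped."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing / whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                       # need an address and at least one name
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)             # reject lines whose first field is not an IP
        except ValueError:
            continue
        for name in names:
            table.setdefault(name.lower(), ip)   # keep the first mapping for a name
    return table


def blocked_hosts(table: Dict[str, str]) -> List[str]:
    """Names the HOSTS file sinkholes (everything pointed at a sinkhole address except localhost)."""
    return sorted(name for name, ip in table.items()
                  if ip in SINKHOLE_ADDRESSES and name != "localhost")


def resolve(name: str, table: Dict[str, str], dns: Dict[str, str]) -> Optional[str]:
    """HOSTS is consulted first; only names absent from it fall through to DNS.

    `dns` stands in for a real resolver so the example runs offline.
    """
    name = name.lower()
    if name in table:
        return table[name]                       # short circuit: DNS is never asked
    return dns.get(name)


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("sinkholed by HOSTS:", blocked_hosts(hosts))
    # Constructed DNS answers: even though DNS "knows" the ad host, HOSTS wins.
    fake_dns = {"ads.example-bad-site.invalid": "203.0.113.5",
                "www.example.com": "93.184.216.34"}
    for host in ("ads.example-bad-site.invalid", "www.example.com"):
        print(f"{host} -> {resolve(host, hosts, fake_dns)}")
```

The parser deliberately tolerates the malformed line instead of failing on it: an 80,000-line downloaded list will contain the odd bad entry, and the safe behaviour is to ignore that entry rather than abandon the whole file. Case-folding the names matches how the resolver treats hostnames, so "ADS.example-bad-site.invalid" is still caught.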

#11
swr_e007

swr_e007

    Member

  • Member
  • PipPip
  • 11 posts
Ok, done all that. I now have Secunia and Scotty running and the Hosts file installed.
Everything out of date has been updated or uninstalled. Secunia gives a 100% score.

Combofix /uninstall didn't work - it reckoned it wasn't installed. I tried 'SasfisBeGone' or whatever we called it, too... but it couldn't find it.

It is a bit worrying to me that I got infected in the first place. I'm not aware that I did anything daft (opening any junk mail or downloading any dodgy programs) and I had an up-to-date virus checker (Kaspersky) and Windows was set to update regularly (a real pain, as sometimes updates insist on reboots when you need to use the computer and about six months ago they released a service pack which effectively sabotaged many AMD computers. It took about 3 days work to get mine running again :) Not a fan of letting Microsoft fiddle with my computer anymore, but auto update is still on, as otherwise Kaspersky gets upset...)

But alas, this didn't save me :)

I hope Scotty may help in the future.

Thanks very much for all your help :)

I hope I won't need it again too soon...
  • 0

#12
NeonFx

NeonFx

    Malware Removal Dude

  • Expert
  • 3,792 posts
You managed to grab one of the latest and greatest the malware makers have come up with. The companies haven't caught up yet. You would have had the same luck with any of the popular security programs out there.

The OTS cleanup step will take care of anything the ComboFix uninstall missed except for one thing: cleaning up your system restore backups. Your computer could be saving backups of the infection so you will need to clean those out. See HERE for instructions.

Edited by NeonFx, 09 November 2009 - 02:07 AM.

  • 0

#13
NeonFx

NeonFx

    Malware Removal Dude

  • Expert
  • 3,792 posts
Let me know when you've done that or if you need something else so that I can close this up.
  • 0

#14
swr_e007

swr_e007

    Member

  • Member
  • PipPip
  • 11 posts
All done,

Just one question, do I turn system restore back on again? The instructions don't say to do this. Didn't one of the utilities I installed (system restore or something?) make a restore point every reboot?
  • 0

#15
NeonFx

NeonFx

    Malware Removal Dude

  • Expert
  • 3,792 posts

All system restore points are deleted. Now you should manually create a restore point.


Creating a restore point is the same thing as turning it back on.
  • 0
