Welcome to Geeks to Go - Register now for FREE
webpage redirect, linked to njg.exe [Solved]



#1 serpntene
Member, 67 posts

Antivir stopped autoscanning and I hadn't realized it. Mbam cannot be updated but finds no infection after njg.exe was removed, yet still being redirected when clicking links on sites and receiving virus warnings. Antivir found only one file that needed repair.

OTL log is from this morning, but I have GMER from early this morning/late last night and no changes have been made to system since they were run.


OTL logfile created on: 1/30/2010 12:18:43 PM - Run 1
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\Rebecca Cooper\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

382.00 Mb Total Physical Memory | 83.00 Mb Available Physical Memory | 22.00% Memory free
920.00 Mb Paging File | 432.00 Mb Available in Paging File | 47.00% Paging File free
Paging file location(s): c:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 90.78 Gb Free Space | 81.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RCOOPER
Current User Name: Rebecca Cooper
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/30 12:15:37 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rebecca Cooper\Desktop\OTL.exe
PRC - [2010/01/06 18:46:07 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/07/25 04:23:10 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/07/21 13:34:33 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/13 15:48:22 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/02 12:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009/02/06 16:07:48 | 000,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2008/11/07 15:40:52 | 017,421,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/08/04 07:00:00 | 000,008,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cidaemon.exe


========== Modules (SafeList) ==========

MOD - [2010/01/30 12:15:37 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rebecca Cooper\Desktop\OTL.exe
MOD - [2008/04/13 19:12:08 | 000,149,504 | ---- | M] () -- C:\WINDOWS\ureconisixe.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/07/25 04:23:10 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/07/21 13:34:33 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/07/16 18:16:44 | 000,250,616 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/05/13 15:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CE436162-C178-4635-BFA4-F00E8FBFEF6C}:1.9.1

FF - HKLM\software\mozilla\Firefox\Extensions\\{CE436162-C178-4635-BFA4-F00E8FBFEF6C}: C:\Documents and Settings\Rebecca Cooper\Local Settings\Application Data\{CE436162-C178-4635-BFA4-F00E8FBFEF6C} [2010/01/29 18:26:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/06 18:46:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/29 18:39:56 | 000,000,000 | ---D | M]

[2009/06/28 23:33:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Mozilla\Extensions
[2010/01/29 20:28:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Mozilla\Firefox\Profiles\im81q534.default\extensions
[2010/01/29 20:28:22 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/07/01 23:21:55 | 000,239,432 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll

O1 HOSTS File: ([2004/08/04 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Tnadecaguh] C:\WINDOWS\ureconisixe.DLL ()
O4 - HKCU..\Run: [F5JMWNZTHI] C:\DOCUME~1\REBECC~1\LOCALS~1\Temp\Njg.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O15 - HKCU\..Trusted Domains: 5 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} http://games.bigfish...eb.1.0.0.15.cab (CPlayFirstDairyDashWControl Object)
O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} http://games.bigfish...Web.1.0.0.9.cab (CPlayFirstCookingDasControl Object)
O16 - DPF: {1CDFA4E8-3396-439D-8C9D-AD0E32DE94B6} http://www.arcadetow...net.1.0.0.4.cab (CPlayFirsttastyplanetControl Object)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8ADC4409-4FBF-4224-B73F-2392C721BCB4} http://games.bigfish...amesControl.cab (GenimoWebGames Control)
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} http://games.bigfish...esPlayer_v4.cab (GoBit Games Player)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E9B80D94-D8BC-43DE-9138-75605A8D9666} http://zone.msn.com/...sh.1.0.0.50.cab (CPlayFirstWeddingDasControl Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.14,93.188.166.53
O20 - AppInit_DLLs: (C:\WINDOWS\system32\kbdsock.dll c:\windows\system32\zomejuhe.dll) - C:\WINDOWS\System32\kbdsock.dll File not found
O20 - AppInit_DLLs: (tuvikize.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O21 - SSODL: sumonapuj - {fd133537-5e84-4609-b87c-f7eb084b7b27} - C:\WINDOWS\System32\zomejuhe.dll File not found
O22 - SharedTaskScheduler: {fd133537-5e84-4609-b87c-f7eb084b7b27} - kupuhivus - C:\WINDOWS\System32\zomejuhe.dll File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Rebecca Cooper\Desktop\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Rebecca Cooper\Desktop\Internet Explorer Wallpaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/29 22:13:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2010/01/01 22:43:39 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 14 Days ==========

[2010/01/30 12:15:34 | 000,548,864 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Rebecca Cooper\Desktop\OTL.exe
[2010/01/29 22:01:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rebecca Cooper\Desktop\gmer
[2010/01/29 19:37:03 | 000,439,808 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Rebecca Cooper\Desktop\TFC.exe
[2010/01/29 18:26:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rebecca Cooper\Local Settings\Application Data\{CE436162-C178-4635-BFA4-F00E8FBFEF6C}
[2010/01/26 18:12:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rebecca Cooper\Local Settings\Application Data\Yahoo!
[2010/01/22 14:47:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rebecca Cooper\Desktop\irishTexting
[2010/01/21 18:05:19 | 000,000,000 | ---D | C] -- C:\Program Files\Avenue Flo
[2009/03/29 22:36:34 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/03/29 22:36:34 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/03/29 22:36:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/03/29 22:36:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2007/06/01 04:37:48 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll

========== Files - Modified Within 14 Days ==========

[2010/01/30 12:15:37 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rebecca Cooper\Desktop\OTL.exe
[2010/01/30 11:39:46 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Tlasac.dat
[2010/01/30 02:00:01 | 000,000,312 | ---- | M] () -- C:\WINDOWS\tasks\cjtermla.job
[2010/01/30 01:36:25 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Jcufivolupufax.bin
[2010/01/30 01:35:42 | 000,013,740 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/30 01:35:41 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/30 01:35:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/30 01:35:37 | 401,068,032 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/30 00:22:49 | 000,008,468 | ---- | M] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\mbam-log-2010-01-29 (19-57-10).zip
[2010/01/29 22:01:05 | 000,002,610 | ---- | M] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\Attach.zip
[2010/01/29 21:59:16 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\dds.scr
[2010/01/29 21:53:38 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Rebecca Cooper\defogger_reenable
[2010/01/29 21:52:49 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\Defogger.exe
[2010/01/29 20:25:25 | 000,000,440 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{EC79BCE9-184A-4DA4-9F19-ABE785C004AC}.job
[2010/01/29 20:13:00 | 401,096,704 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2010/01/29 19:58:27 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\gmer.zip
[2010/01/29 19:46:08 | 002,621,440 | ---- | M] () -- C:\Documents and Settings\Rebecca Cooper\ntuser.dat
[2010/01/29 19:46:08 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Rebecca Cooper\ntuser.ini
[2010/01/29 19:37:04 | 000,439,808 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rebecca Cooper\Desktop\TFC.exe
[2010/01/25 21:51:19 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/25 21:51:03 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/01/25 21:51:03 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/01/25 21:49:52 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2010/01/23 20:13:13 | 000,000,008 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\sysReserve.ini
[2010/01/21 18:05:54 | 000,001,572 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Play Avenue Flo.lnk
[2010/01/21 18:02:45 | 000,001,578 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Game Manager.lnk
[2010/01/19 23:58:06 | 000,001,255 | ---- | M] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\JonaieResume.rtf

========== Files Created - No Company Name ==========

[2010/01/30 00:22:49 | 000,008,468 | ---- | C] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\mbam-log-2010-01-29 (19-57-10).zip
[2010/01/29 22:01:05 | 000,002,610 | ---- | C] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\Attach.zip
[2010/01/29 21:59:14 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\dds.scr
[2010/01/29 21:53:38 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Rebecca Cooper\defogger_reenable
[2010/01/29 21:52:48 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\Defogger.exe
[2010/01/29 20:25:25 | 000,000,440 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{EC79BCE9-184A-4DA4-9F19-ABE785C004AC}.job
[2010/01/29 19:58:25 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\gmer.zip
[2010/01/29 18:26:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Jcufivolupufax.bin
[2010/01/29 18:26:46 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Tlasac.dat
[2010/01/23 20:13:13 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\sysReserve.ini
[2010/01/21 18:05:54 | 000,001,572 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Play Avenue Flo.lnk
[2010/01/21 18:02:45 | 000,001,578 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Game Manager.lnk
[2010/01/19 23:58:06 | 000,001,255 | ---- | C] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\JonaieResume.rtf
[2009/12/27 20:37:36 | 000,000,024 | ---- | C] () -- C:\WINDOWS\wivrs.ini
[2009/11/04 13:05:52 | 000,000,022 | ---- | C] () -- C:\WINDOWS\iexplore.ini
[2009/03/30 01:20:32 | 000,012,288 | ---- | C] () -- C:\Documents and Settings\Rebecca Cooper\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/05/15 06:43:50 | 000,013,765 | ---- | C] () -- C:\WINDOWS\System32\drivers\UCharger.sys
[2006/11/02 08:27:46 | 000,000,518 | ---- | C] () -- C:\WINDOWS\System32\SP207.ini
[2004/09/01 10:49:17 | 003,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/08/04 07:00:00 | 000,149,504 | ---- | C] () -- C:\WINDOWS\ureconisixe.dll
[2002/10/06 13:42:57 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2002/10/04 18:04:25 | 000,921,600 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2002/10/04 18:04:24 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2002/10/04 18:04:17 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll

========== LOP Check ==========

[2009/04/08 22:09:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Aveyond I
[2009/04/09 08:16:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Azureus
[2009/08/08 20:22:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\CasualForge
[2009/06/08 01:31:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\CaveDays
[2009/09/13 21:04:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\EscapeFromParadise2
[2009/06/21 09:32:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\EscapeTheMuseum
[2009/06/21 23:48:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\FreshGames
[2009/06/03 23:08:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Fugazo
[2009/08/18 22:42:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\GameHouse
[2010/01/11 09:20:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Genimo
[2010/01/20 03:37:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\GoBit Games
[2009/06/21 00:15:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Gogii
[2009/04/20 22:51:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\HiddenSecretsNightmare
[2010/01/11 22:33:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Hot Lava Games
[2009/06/10 15:26:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\InterAction studios
[2009/05/31 22:01:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\iWin
[2009/05/31 17:10:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\iWin Games
[2009/06/08 14:24:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Ludia
[2009/04/11 17:27:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Mandragora
[2009/06/06 11:04:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Mean Hamster
[2009/11/04 13:05:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\MumboJumbo
[2009/06/17 19:14:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\MysteryChronicles
[2009/06/10 22:58:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\MythPeople
[2009/10/19 20:36:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Namco
[2009/06/09 22:54:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\NevoSoft Games
[2009/11/29 00:53:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PlayFirst
[2009/07/01 23:22:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PMB Files
[2009/04/11 17:36:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Questtracers
[2009/11/22 22:03:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Sandlot Games
[2009/12/30 02:11:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SITEguard
[2009/08/18 13:37:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SpecialBit
[2010/01/24 13:03:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2009/07/28 00:29:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\VirtualFarm
[2009/04/24 07:43:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\WildTangent
[2009/05/31 19:30:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\WildWestQuest2
[2009/04/05 19:45:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Aveyond II
[2009/12/28 11:46:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Azureus
[2009/06/06 12:49:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Balloon Express
[2009/06/21 01:39:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\BeachPartyCraze
[2009/12/18 10:17:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Big Fish Games
[2009/08/08 20:22:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\CasualForge
[2009/06/05 23:52:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\CupcakeCafe
[2009/06/10 20:26:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\EleFun Games
[2009/04/10 07:39:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\FrimaStudio
[2009/11/24 23:20:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Gaijin Ent
[2009/04/08 22:22:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Gamelab
[2009/12/30 02:51:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\GetRightToGo
[2009/06/09 00:30:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Home Sweet Home
[2009/06/10 00:59:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Home Sweet Home 2
[2009/04/11 08:53:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\ITTNord
[2009/07/28 16:47:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\iWin
[2009/06/08 14:24:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Ludia
[2009/10/09 22:56:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Magic Seeds
[2009/04/11 17:31:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Magus
[2009/06/06 11:04:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Mean Hamster
[2009/06/11 18:44:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Meridian93
[2009/10/19 20:36:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Namco
[2009/03/31 11:19:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Nexon
[2009/11/22 23:47:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Peace Craft
[2009/11/29 00:53:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\PlayFirst
[2009/04/05 21:56:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\ScreenSeven
[2009/06/10 16:36:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Shape games
[2009/04/25 16:30:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\SpinTop
[2009/06/08 11:42:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\SulusGames
[2009/06/11 20:40:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Super-Cow
[2009/06/09 17:51:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Teggo
[2009/06/11 21:32:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Turtle Odyssey II
[2009/04/10 11:17:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Ubisoft
[2009/06/18 01:35:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\ViquaSoft
[2009/04/24 07:42:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\WildTangent
[2009/06/08 13:59:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\World-LooM
[2009/07/11 22:34:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\YoudaGames
[2010/01/30 02:00:01 | 000,000,312 | ---- | M] () -- C:\WINDOWS\Tasks\cjtermla.job
[2010/01/29 20:25:25 | 000,000,440 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{EC79BCE9-184A-4DA4-9F19-ABE785C004AC}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2010/01/07 09:34:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2010/01/07 09:34:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2010/01/07 09:34:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2010/01/07 09:34:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/04 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: VIAMRAID.SYS >
[2007/07/17 12:35:20 | 000,114,944 | ---- | M] (VIA Technologies inc,.ltd) MD5=1B7B0954AF54E716F697C511D68C150E -- C:\Documents and Settings\Administrator\Desktop\Winxp\RAID\drvdisk\x86\NT5\viamraid.sys
[2007/07/17 12:35:20 | 000,114,944 | ---- | M] (VIA Technologies inc,.ltd) MD5=1B7B0954AF54E716F697C511D68C150E -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\VRAIDDrv\2K\viamraid.sys
[2007/07/17 12:35:20 | 000,114,944 | ---- | M] (VIA Technologies inc,.ltd) MD5=1B7B0954AF54E716F697C511D68C150E -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\VRAIDDrv\drvdisk\x86\NT5\viamraid.sys
[2007/07/17 12:35:20 | 000,114,944 | ---- | M] (VIA Technologies inc,.ltd) MD5=1B7B0954AF54E716F697C511D68C150E -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\VRAIDDrv\SRV2003\x86\viamraid.sys
[2007/07/17 12:35:20 | 000,114,944 | ---- | M] (VIA Technologies inc,.ltd) MD5=1B7B0954AF54E716F697C511D68C150E -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\VRAIDDrv\XP\x86\viamraid.sys
[2007/07/12 18:35:36 | 000,118,184 | ---- | M] (VIA Technologies inc,.ltd) MD5=7352A2B1CA928AD8A95F75A1D868A0B5 -- C:\Documents and Settings\Administrator\Desktop\Winxp\RAID\drvdisk\x86\NT4\viamraid.sys
[2007/07/12 18:35:36 | 000,118,184 | ---- | M] (VIA Technologies inc,.ltd) MD5=7352A2B1CA928AD8A95F75A1D868A0B5 -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\VRAIDDrv\drvdisk\x86\NT4\viamraid.sys
[2007/07/12 18:35:36 | 000,118,184 | ---- | M] (VIA Technologies inc,.ltd) MD5=7352A2B1CA928AD8A95F75A1D868A0B5 -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\VRAIDDrv\NT4\viamraid.sys
[2007/07/13 13:05:28 | 000,120,832 | ---- | M] (VIA Technologies Inc.,Ltd) MD5=9E897F955AB8F912E4C1C9ADAF35762C -- C:\Documents and Settings\Administrator\Desktop\Winxp\RAID\drvdisk\VISTA\x86\viamraid.sys
[2007/07/13 13:05:28 | 000,120,832 | ---- | M] (VIA Technologies Inc.,Ltd) MD5=9E897F955AB8F912E4C1C9ADAF35762C -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\VRAIDDrv\drvdisk\VISTA\x86\viamraid.sys
[2007/07/13 13:05:28 | 000,120,832 | ---- | M] (VIA Technologies Inc.,Ltd) MD5=9E897F955AB8F912E4C1C9ADAF35762C -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\VRAIDDrv\VISTA\x86\viamraid.sys

< MD5 for: VIPRT.SYS >
[2007/10/18 17:28:52 | 000,052,224 | ---- | M] (VIA Technologies, Inc.) MD5=020EB647FEA9187541827231CB236DCE -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\SATAIDE\SRV2003\ViPrt.sys
[2007/10/18 17:28:52 | 000,052,224 | ---- | M] (VIA Technologies, Inc.) MD5=020EB647FEA9187541827231CB236DCE -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\SATAIDE\W2K\ViPrt.sys
[2007/10/18 17:28:52 | 000,052,224 | ---- | M] (VIA Technologies, Inc.) MD5=020EB647FEA9187541827231CB236DCE -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\SATAIDE\WXP\ViPrt.sys
[2007/10/19 17:03:14 | 000,053,192 | ---- | M] (VIA Technologies, Inc.) MD5=95155D0F72CE3C23C50A6E3B07BF1C71 -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\SATAIDE\VISTA\ViPrt.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:E866ED4D
@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:587AA004
@Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:BF09BC9E
@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:E2C9E369
@Alternate Data Stream - 94 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:71441FEF
@Alternate Data Stream - 94 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:64EEA19D
@Alternate Data Stream - 398 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:141BCC26
@Alternate Data Stream - 339 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:995B275C
@Alternate Data Stream - 322 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:1387592D
@Alternate Data Stream - 320 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:B72729D8
@Alternate Data Stream - 311 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A7FB9004
@Alternate Data Stream - 308 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:202A6D97
@Alternate Data Stream - 307 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:4EDC977B
@Alternate Data Stream - 303 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:90281753
@Alternate Data Stream - 297 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:72E74C26
@Alternate Data Stream - 293 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:9AF3A05F
@Alternate Data Stream - 215 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D8F9D810
@Alternate Data Stream - 208 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:BDCD0530
@Alternate Data Stream - 194 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:059167AF
@Alternate Data Stream - 181 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A708668B
@Alternate Data Stream - 152 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:07E8CA28
@Alternate Data Stream - 151 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:7B60301F
@Alternate Data Stream - 150 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:03033228
@Alternate Data Stream - 148 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:4C97EF04
@Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:4F29F38D
@Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A2F5F542
@Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:8B1249CD
@Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:5466F106
@Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:68800D8A
@Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:1FA51BA6
@Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:9AB338B9
@Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DEDAEF90
@Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:38849DE5
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D20FFA63
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:C0A4F645
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:8CD95DE0
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:60D735B2
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:589743E1
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:250A84D5
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:0AEAE3CC
@Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:741CA49D
@Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:5425B7F5
@Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:3DAC3B29
@Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:30376ACC
@Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:EB603FE4
@Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A8E864AC
@Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:79108DDD
@Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:FFE4BAC7
@Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:93C494CA
@Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:1B79AEF3
@Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:F5E0AE16
@Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A94968B5
@Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:399509A6
@Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:EB170088
@Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:C76BA037
@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:703CE963
@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:037C8A9E
@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DAFD38AE
@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:95B7F1EC
@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:615435BE
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:EBFD4E6F
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:98C1E88D
@Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:B6FA1F20
@Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:0651F96C
@Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:74B502CB
@Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:47BE4EDF
@Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:2F8DACDA
@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D23AE9EA
@Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:B54102AD
@Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:ABE89FFE
@Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:8CCDAB14
@Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:0860D6D6
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D31BE97C
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A6253983
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A02025CE
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:9AB56A06
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:6F1F1DBC
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:8E60033F
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:FF818E2B
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:F1DEA771
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:6DD87D86
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:666FB4AA
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:5D351BC6
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:46ADD59D
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:2F93516B
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:710F4DBF
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:5C826C73
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:EA983230
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:96EE29A3
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:385BC52C
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:34B9286E
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:E66B6127
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D29B16C5
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:94124B85
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:51A22C60
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:2B4FA895
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:91A1C0FC
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:3FC4A10A
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:19F494DE
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:16B49C20
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:052E15C3
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D8DB81DC
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:B1EEADE7
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:898C038B
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:375FC7E7
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DF0BC727
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:C3B5FCD5
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:EC7C9796
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:EC0A74A1
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:E5F8E280
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:669764DD
@Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D28EBF99
@Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:C22674B6
@Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:24FECE50
@Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:172EB9B5
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A688EF17
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:8EEDCEA2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:98AE08EA
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:BBF60A29
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:79A70C33
@Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A9E9471A
@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:BF07EA98
@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:33611CFB
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:5FB7A2BD
@Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:561B1D2B
< End of report >

#2 JSntgRvr (Global Moderator, 11,560 posts)

:)

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
Please read the following through carefully so that you understand what to do.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

Run OTL.exe as follows:
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • OTL should now start. Change the following settings:
    • Change Drivers to All
    • Change Registry to All
    • Under File Scans, change File age to 30
  • Under the Custom Scan box, paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please post the contents of these files in your next reply.


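The /md5start list in the custom scan above makes OTL hash every copy of each named driver or DLL it can find, and the point of asking for it is the comparison an analyst then does by eye: the copy Windows actually loads (directly under system32 or system32\drivers) should hash the same as a backup copy of the same size (ServicePackFiles\i386, dllcache, a driver disk), while a same-size, different-hash live copy is the pattern of a file patched in place. The script below, an added example that is not OTL's code and not part of this thread, automates that comparison over OTL's "< MD5 for: NAME >" blocks. Its input reuses the scecli.dll lines from the log above and adds a constructed atapi.sys block whose sizes and hashes are placeholders, not values from this machine.

```python
"""Cross-check the '< MD5 for: NAME >' blocks of an OTL custom scan.

Added example, not part of OTL or of this thread. A live copy (directly under
system32 or system32\\drivers) that has the same size as a backup copy but a
different MD5 is flagged; several distinct hashes among backup copies alone
(different driver versions for different Windows releases) are not.
"""
import re
from collections import defaultdict

# One OTL file line: [stamp | size | attrs | M] (Company) MD5=... -- path
# OTL prints "Unable to obtain MD5" instead of a hash when it cannot read the file.
LINE_RE = re.compile(
    r"^\[(?P<stamp>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<vendor>[^)]*)\)\s*"
    r"(?:MD5=(?P<md5>[0-9A-Fa-f]{32})|Unable to obtain MD5)\s*--\s*"
    r"(?P<path>.+?)\s*$"
)
HEADER_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>\S+)\s*>")


def is_live_copy(path):
    """True for a file sitting directly in system32 or system32\\drivers."""
    parent = path.lower().rsplit("\\", 1)[0] + "\\"
    return parent.endswith("\\system32\\") or parent.endswith("\\system32\\drivers\\")


def parse_md5_blocks(text):
    """Map lower-cased file name -> list of copies OTL found for it."""
    blocks = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<") or line.startswith("="):
            # Any '< ... >' custom-scan header or '====' section ends the current
            # block; only a '< MD5 for: ... >' header opens a new one.
            header = HEADER_RE.match(line)
            current = header.group("name").lower() if header else None
            continue
        match = LINE_RE.match(line)
        if match and current:
            blocks[current].append({
                "size": int(match.group("size").replace(",", "")),
                "vendor": match.group("vendor").strip(),
                "md5": (match.group("md5") or "").upper() or None,
                "path": match.group("path"),
                "live": is_live_copy(match.group("path")),
            })
    return dict(blocks)


def assess(copies):
    """Return human-readable findings for the copies of one file name."""
    findings = []
    backups = [c for c in copies if not c["live"]]
    for live in (c for c in copies if c["live"]):
        if live["md5"] is None:
            findings.append(f"live copy could not be hashed (locked?): {live['path']}")
            continue
        if not live["vendor"]:
            findings.append(f"live copy carries no company name: {live['path']}")
        same_size = [b for b in backups if b["size"] == live["size"] and b["md5"]]
        if same_size and all(b["md5"] != live["md5"] for b in same_size):
            findings.append(
                f"live copy {live['path']} ({live['md5']}) differs from "
                f"same-size backup {same_size[0]['path']} ({same_size[0]['md5']})"
            )
        elif not backups:
            findings.append(f"no backup copy to compare against: {live['path']}")
    return findings


def review(text):
    """Return {file name: findings} for every file with at least one finding."""
    report = {}
    for name, copies in parse_md5_blocks(text).items():
        findings = assess(copies)
        if findings:
            report[name] = findings
    return report


# Sample input: the scecli.dll lines from the log above, plus a CONSTRUCTED
# atapi.sys block whose sizes and hashes are placeholders, not real values.
SAMPLE = r"""
< MD5 for: SCECLI.DLL >
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: ATAPI.SYS >
[2008/04/13 19:12:05 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 19:12:05 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB -- C:\WINDOWS\system32\drivers\atapi.sys

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
"""

if __name__ == "__main__":
    for name, findings in review(SAMPLE).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against a real OTL.txt, the script reports only the files whose live copy disagrees with a same-size backup or cannot be hashed; a file such as viamraid.sys above, which has three different hashes but no copy in system32\drivers, produces no finding because the differing copies are different driver versions on a driver disk.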
#3 serpntene (Topic Starter, Member, 67 posts)
13:57:01:000 3996 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
13:57:01:000 3996 ================================================================================
13:57:01:000 3996 SystemInfo:

13:57:01:000 3996 OS Version: 5.1.2600 ServicePack: 3.0
13:57:01:000 3996 Product type: Workstation
13:57:01:000 3996 ComputerName: RCOOPER
13:57:01:000 3996 UserName: Rebecca Cooper
13:57:01:000 3996 Windows directory: C:\WINDOWS
13:57:01:000 3996 Processor architecture: Intel x86
13:57:01:000 3996 Number of processors: 2
13:57:01:000 3996 Page size: 0x1000
13:57:01:015 3996 Boot type: Normal boot
13:57:01:015 3996 ================================================================================
13:57:01:015 3996 UnloadDriverW: NtUnloadDriver error 1
13:57:01:015 3996 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1
13:57:01:015 3996 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
13:57:01:015 3996 LoadDriverW: Driver already loaded
13:57:01:015 3996 KLMD_DropNLoadW: LoadDriverW(klmd21) error 1056
13:57:01:015 3996 UtilityInit: KLMD drop and load failed, trying to open device
13:57:01:015 3996 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
13:57:01:015 3996 UtilityInit: KLMD open success
13:57:01:015 3996 UtilityInit: Initialize success
13:57:01:015 3996
13:57:01:015 3996 Scanning Services ...
13:57:01:015 3996 CreateRegParser: Registry parser init started
13:57:01:015 3996 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
13:57:01:015 3996 CreateRegParser: DisableWow64Redirection error
13:57:01:031 3996 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
13:57:01:031 3996 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
13:57:01:031 3996 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:57:01:031 3996 wfopen_ex: Trying to KLMD file open
13:57:01:031 3996 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
13:57:01:031 3996 wfopen_ex: File opened ok (Flags 2)
13:57:01:031 3996 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384E30
13:57:01:031 3996 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
13:57:01:031 3996 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
13:57:01:031 3996 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:57:01:031 3996 wfopen_ex: Trying to KLMD file open
13:57:01:031 3996 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
13:57:01:031 3996 wfopen_ex: File opened ok (Flags 2)
13:57:01:031 3996 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384D20
13:57:01:031 3996 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
13:57:01:031 3996 CreateRegParser: EnableWow64Redirection error
13:57:01:031 3996 CreateRegParser: RegParser init completed
13:57:01:421 3996 GetAdvancedServicesInfo: Raw services enum returned 305 services
13:57:01:437 3996 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
13:57:01:437 3996 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
13:57:01:437 3996
13:57:01:437 3996 Scanning Kernel memory ...
13:57:01:437 3996 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
13:57:01:437 3996 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 836C83B8
13:57:01:437 3996 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
13:57:01:437 3996
13:57:01:437 3996 DetectCureTDL3: DEVICE_OBJECT: 836B27E8
13:57:01:437 3996 KLMD_GetLowerDeviceObject: Trying to get lower device object for 836B27E8
13:57:01:437 3996 KLMD_ReadMem: Trying to ReadMemory 0x836B27E8[0x38]
13:57:01:437 3996 DetectCureTDL3: DRIVER_OBJECT: 836C83B8
13:57:01:437 3996 KLMD_ReadMem: Trying to ReadMemory 0x836C83B8[0xA8]
13:57:01:437 3996 KLMD_ReadMem: Trying to ReadMemory 0xE175B900[0x18]
13:57:01:437 3996 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
13:57:01:437 3996 DetectCureTDL3: IrpHandler (0) addr: F7895BB0
13:57:01:437 3996 DetectCureTDL3: IrpHandler (1) addr: 804F9739
13:57:01:437 3996 DetectCureTDL3: IrpHandler (2) addr: F7895BB0
13:57:01:437 3996 DetectCureTDL3: IrpHandler (3) addr: F788FD1F
13:57:01:437 3996 DetectCureTDL3: IrpHandler (4) addr: F788FD1F
13:57:01:437 3996 DetectCureTDL3: IrpHandler (5) addr: 804F9739
13:57:01:437 3996 DetectCureTDL3: IrpHandler (6) addr: 804F9739
13:57:01:437 3996 DetectCureTDL3: IrpHandler (7) addr: 804F9739
13:57:01:437 3996 DetectCureTDL3: IrpHandler (8) addr: 804F9739
13:57:01:437 3996 DetectCureTDL3: IrpHandler (9) addr: F78902E2
13:57:01:437 3996 DetectCureTDL3: IrpHandler (10) addr: 804F9739
13:57:01:437 3996 DetectCureTDL3: IrpHandler (11) addr: 804F9739
13:57:01:437 3996 DetectCureTDL3: IrpHandler (12) addr: 804F9739
13:57:01:437 3996 DetectCureTDL3: IrpHandler (13) addr: 804F9739
13:57:01:437 3996 DetectCureTDL3: IrpHandler (14) addr: F78903BB
13:57:01:437 3996 DetectCureTDL3: IrpHandler (15) addr: F7893F28
13:57:01:437 3996 DetectCureTDL3: IrpHandler (16) addr: F78902E2
13:57:01:437 3996 DetectCureTDL3: IrpHandler (17) addr: 804F9739
13:57:01:437 3996 DetectCureTDL3: IrpHandler (18) addr: 804F9739
13:57:01:437 3996 DetectCureTDL3: IrpHandler (19) addr: 804F9739
13:57:01:437 3996 DetectCureTDL3: IrpHandler (20) addr: 804F9739
13:57:01:437 3996 DetectCureTDL3: IrpHandler (21) addr: 804F9739
13:57:01:437 3996 DetectCureTDL3: IrpHandler (22) addr: F7891C82
13:57:01:437 3996 DetectCureTDL3: IrpHandler (23) addr: F789699E
13:57:01:437 3996 DetectCureTDL3: IrpHandler (24) addr: 804F9739
13:57:01:437 3996 DetectCureTDL3: IrpHandler (25) addr: 804F9739
13:57:01:437 3996 DetectCureTDL3: IrpHandler (26) addr: 804F9739
13:57:01:437 3996 TDL3_FileDetect: Processing driver: Disk
13:57:01:437 3996 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
13:57:01:437 3996 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
13:57:01:437 3996 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
13:57:01:437 3996
13:57:01:437 3996 DetectCureTDL3: DEVICE_OBJECT: 8368EAB8
13:57:01:437 3996 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8368EAB8
13:57:01:437 3996 DetectCureTDL3: DEVICE_OBJECT: 836B4E98
13:57:01:437 3996 KLMD_GetLowerDeviceObject: Trying to get lower device object for 836B4E98
13:57:01:437 3996 DetectCureTDL3: DEVICE_OBJECT: 83783700
13:57:01:437 3996 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83783700
13:57:01:437 3996 KLMD_ReadMem: Trying to ReadMemory 0x83783700[0x38]
13:57:01:437 3996 DetectCureTDL3: DRIVER_OBJECT: 836A0C28
13:57:01:437 3996 KLMD_ReadMem: Trying to ReadMemory 0x836A0C28[0xA8]
13:57:01:437 3996 KLMD_ReadMem: Trying to ReadMemory 0xE174AFE0[0x1A]
13:57:01:437 3996 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
13:57:01:437 3996 DetectCureTDL3: IrpHandler (0) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (1) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (2) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (3) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (4) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (5) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (6) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (7) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (8) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (9) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (10) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (11) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (12) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (13) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (14) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (15) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (16) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (17) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (18) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (19) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (20) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (21) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (22) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (23) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (24) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (25) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (26) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: All IRP handlers pointed to one addr: F77C1B3A
13:57:01:437 3996 KLMD_ReadMem: Trying to ReadMemory 0xF77C1B3A[0x400]
13:57:01:437 3996 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
13:57:01:437 3996 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
13:57:01:437 3996 KLMD_ReadMem: Trying to ReadMemory 0x836A05FC[0x4]
13:57:01:437 3996 TDL3_IrpHookDetect: New IrpHandler addr: 837368C8
13:57:01:437 3996 KLMD_ReadMem: Trying to ReadMemory 0x837368C8[0x400]
13:57:01:437 3996 TDL3_IrpHookDetect: TDL3 is already cured
13:57:01:437 3996 KLMD_ReadMem: Trying to ReadMemory 0xF77BF864[0x400]
13:57:01:437 3996 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
13:57:01:437 3996 TDL3_FileDetect: Processing driver: atapi
13:57:01:437 3996 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tsk3.tmp
13:57:01:437 3996 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\tsk3.tmp
13:57:01:468 3996 TDL3_FileDetect: C:\WINDOWS\system32\drivers\tsk3.tmp - Verdict: Clean
13:57:01:468 3996
13:57:01:468 3996 Completed
13:57:01:468 3996
13:57:01:468 3996 Results:
13:57:01:468 3996 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
13:57:01:468 3996 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:57:01:468 3996 File objects infected / cured / cured on reboot: 0 / 0 / 0
13:57:01:468 3996
13:57:01:468 3996 UnloadDriverW: NtUnloadDriver error 1
13:57:01:468 3996 KLMD_Unload: UnloadDriverW(klmd21) error 1
13:57:01:468 3996 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
13:57:01:468 3996 UtilityDeinit: KLMD(ARK) unloaded successfully



C&P of custom text as directed, checked boxes as directed and chose file age 30 days, but upon clicking Quick Scan all fields were reset to default. Did I do something wrong? Would you like me to go ahead and post the logs anyway or try again?

Also during the scan received a trojan.gen alert from Antivir, though Antivir Guard is disabled (not by the virus, but so it won't interfere with our work).

Edited by serpntene, 30 January 2010 - 01:15 PM.


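The TDSSKiller log posted above records, for each storage driver object it walks, the address of every IRP major-function handler. For Disk those addresses vary; for atapi all 27 handlers point to the same address, and the tool reports exactly that ("All IRP handlers pointed to one addr"), reads the code there, finds the TDL3 stub signature, resolves the real handler and concludes the hook was already cured. The script below is an added example, not TDSSKiller's code and not part of this thread: it rebuilds each driver's dispatch table from the log, re-derives the single-address condition itself, and sets it beside what the tool reported, so the reader can see which log line carries which fact. Its input is trimmed from the log above (only four of the 27 handler lines per driver are kept, which does not change the check).

```python
"""Reconstruct per-driver IRP dispatch tables from a TDSSKiller log.

Added example, not part of TDSSKiller or of this thread. The 'single dispatch
address' condition is computed from the IrpHandler lines and compared with the
tool's own 'All IRP handlers pointed to one addr' line; a legitimate driver may
also route every IRP through one routine, so that condition is a trigger for
a closer look, not a verdict on its own.
"""
import re

# "HH:MM:SS:mmm pid message"; the message is absent on the log's spacer lines.
LOG_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)(?:\s+(?P<msg>.*))?$")
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (?P<obj>\S+), Driver Name: (?P<name>\S+)")
IRP_RE = re.compile(r"IrpHandler \((?P<idx>\d+)\) addr: (?P<addr>[0-9A-F]+)")
ALL_ONE_RE = re.compile(r"All IRP handlers pointed to one addr: (?P<addr>[0-9A-F]+)")
HOOK_RE = re.compile(r"New IrpHandler addr: (?P<addr>[0-9A-F]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (?P<path>.+?) - Verdict: (?P<verdict>\S+)")
RESULT_RE = re.compile(
    r"(?P<kind>Memory|Registry|File) objects infected / cured / cured on reboot: "
    r"(?P<a>\d+) / (?P<b>\d+) / (?P<c>\d+)"
)


def new_driver(obj, name):
    return {"object": obj, "name": name, "handlers": {}, "tool_single_addr": None,
            "stub_signature": False, "already_cured": False, "hook_target": None,
            "files": []}


def parse_tdsskiller(text):
    """Return (driver records in log order, {kind: (infected, cured, cured on reboot)})."""
    drivers, results, current = [], {}, None
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m or not m.group("msg"):
            continue
        msg = m.group("msg")
        if d := DRIVER_RE.search(msg):
            current = new_driver(d.group("obj"), d.group("name"))
            drivers.append(current)
        elif r := RESULT_RE.search(msg):
            results[r.group("kind")] = (int(r.group("a")), int(r.group("b")), int(r.group("c")))
        elif current is None:
            continue
        elif i := IRP_RE.search(msg):
            current["handlers"][int(i.group("idx"))] = i.group("addr")
        elif a := ALL_ONE_RE.search(msg):
            current["tool_single_addr"] = a.group("addr")
        elif "TDL3 Stub signature found" in msg:
            current["stub_signature"] = True
        elif "TDL3 is already cured" in msg:
            current["already_cured"] = True
        elif h := HOOK_RE.search(msg):
            current["hook_target"] = h.group("addr")
        elif v := VERDICT_RE.search(msg):
            current["files"].append((v.group("path"), v.group("verdict")))
    return drivers, results


def summarize(drivers):
    """Per driver: our own single-dispatch test next to what the tool reported."""
    out = []
    for d in drivers:
        addrs = set(d["handlers"].values())
        out.append({
            "name": d["name"],
            "handler_count": len(d["handlers"]),
            "distinct_addrs": len(addrs),
            "single_dispatch": len(d["handlers"]) > 0 and len(addrs) == 1,
            "tool_single_addr": d["tool_single_addr"],
            "stub_signature": d["stub_signature"],
            "already_cured": d["already_cured"],
            "hook_target": d["hook_target"],
            "files": d["files"],
        })
    return out


def needs_attention(summary):
    """Drivers worth a second look: one shared dispatch address or a stub hit."""
    return [s["name"] for s in summary if s["single_dispatch"] or s["stub_signature"]]


# Sample input trimmed from the log above: four of the 27 handler lines kept per driver.
SAMPLE_LOG = r"""
13:57:01:437 3996 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
13:57:01:437 3996 DetectCureTDL3: IrpHandler (0) addr: F7895BB0
13:57:01:437 3996 DetectCureTDL3: IrpHandler (1) addr: 804F9739
13:57:01:437 3996 DetectCureTDL3: IrpHandler (2) addr: F7895BB0
13:57:01:437 3996 DetectCureTDL3: IrpHandler (3) addr: F788FD1F
13:57:01:437 3996 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
13:57:01:437 3996
13:57:01:437 3996 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
13:57:01:437 3996 DetectCureTDL3: IrpHandler (0) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (1) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (2) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: IrpHandler (3) addr: F77C1B3A
13:57:01:437 3996 DetectCureTDL3: All IRP handlers pointed to one addr: F77C1B3A
13:57:01:437 3996 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
13:57:01:437 3996 TDL3_IrpHookDetect: New IrpHandler addr: 837368C8
13:57:01:437 3996 TDL3_IrpHookDetect: TDL3 is already cured
13:57:01:437 3996 TDL3_FileDetect: C:\WINDOWS\system32\drivers\tsk3.tmp - Verdict: Clean
13:57:01:468 3996 Results:
13:57:01:468 3996 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
13:57:01:468 3996 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:57:01:468 3996 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

if __name__ == "__main__":
    found, totals = parse_tdsskiller(SAMPLE_LOG)
    for s in summarize(found):
        print(s["name"], s["handler_count"], "handlers,", s["distinct_addrs"], "distinct;",
              "tool:", s["tool_single_addr"], "stub:", s["stub_signature"], "files:", s["files"])
    print("attention:", needs_attention(summarize(found)), "totals:", totals)
```

On the full log the Disk table comes out with several distinct addresses and no tool flag, while atapi comes out with one address, the tool's matching flag, the stub hit, the resolved handler address and the "already cured" note, which is why the zero counts in the Results block are consistent with the earlier hook lines.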
#4 serpntene (Topic Starter, Member, 67 posts)
> • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
> • Please post the contents of these files in your next reply.


File Extras.txt was not generated after the scan. Contents of OTL.txt follow:

OTL logfile created on: 1/30/2010 2:26:35 PM - Run 2
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\Rebecca Cooper\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

382.00 Mb Total Physical Memory | 84.00 Mb Available Physical Memory | 22.00% Memory free
920.00 Mb Paging File | 568.00 Mb Available in Paging File | 62.00% Paging File free
Paging file location(s): c:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 90.80 Gb Free Space | 81.23% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RCOOPER
Current User Name: Rebecca Cooper
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/30 12:15:37 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rebecca Cooper\Desktop\OTL.exe
PRC - [2009/07/25 04:23:10 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/07/21 13:34:33 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/13 15:48:22 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/02 12:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009/02/06 16:07:48 | 000,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2008/11/07 15:40:52 | 017,421,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/08/04 07:00:00 | 000,008,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cidaemon.exe


========== Modules (SafeList) ==========

MOD - [2010/01/30 12:15:37 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rebecca Cooper\Desktop\OTL.exe
MOD - [2008/04/13 19:12:08 | 000,149,504 | ---- | M] () -- C:\WINDOWS\ureconisixe.dll
MOD - [2008/04/13 19:11:50 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cabinet.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/07/25 04:23:10 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/07/21 13:34:33 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/07/16 18:16:44 | 000,250,616 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/05/13 15:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CE436162-C178-4635-BFA4-F00E8FBFEF6C}:1.9.1

FF - HKLM\software\mozilla\Firefox\Extensions\\{CE436162-C178-4635-BFA4-F00E8FBFEF6C}: C:\Documents and Settings\Rebecca Cooper\Local Settings\Application Data\{CE436162-C178-4635-BFA4-F00E8FBFEF6C} [2010/01/29 18:26:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/06 18:46:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/29 18:39:56 | 000,000,000 | ---D | M]

[2009/06/28 23:33:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Mozilla\Extensions
[2010/01/29 20:28:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Mozilla\Firefox\Profiles\im81q534.default\extensions
[2010/01/29 20:28:22 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/07/01 23:21:55 | 000,239,432 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll

O1 HOSTS File: ([2004/08/04 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Tnadecaguh] C:\WINDOWS\ureconisixe.DLL ()
O4 - HKCU..\Run: [F5JMWNZTHI] C:\DOCUME~1\REBECC~1\LOCALS~1\Temp\Njg.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O15 - HKCU\..Trusted Domains: 5 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} http://games.bigfish...eb.1.0.0.15.cab (CPlayFirstDairyDashWControl Object)
O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} http://games.bigfish...Web.1.0.0.9.cab (CPlayFirstCookingDasControl Object)
O16 - DPF: {1CDFA4E8-3396-439D-8C9D-AD0E32DE94B6} http://www.arcadetow...net.1.0.0.4.cab (CPlayFirsttastyplanetControl Object)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8ADC4409-4FBF-4224-B73F-2392C721BCB4} http://games.bigfish...amesControl.cab (GenimoWebGames Control)
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} http://games.bigfish...esPlayer_v4.cab (GoBit Games Player)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E9B80D94-D8BC-43DE-9138-75605A8D9666} http://zone.msn.com/...sh.1.0.0.50.cab (CPlayFirstWeddingDasControl Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.14,93.188.166.53
O20 - AppInit_DLLs: (C:\WINDOWS\system32\kbdsock.dll c:\windows\system32\zomejuhe.dll) - C:\WINDOWS\System32\kbdsock.dll File not found
O20 - AppInit_DLLs: (tuvikize.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O21 - SSODL: sumonapuj - {fd133537-5e84-4609-b87c-f7eb084b7b27} - C:\WINDOWS\System32\zomejuhe.dll File not found
O22 - SharedTaskScheduler: {fd133537-5e84-4609-b87c-f7eb084b7b27} - kupuhivus - C:\WINDOWS\System32\zomejuhe.dll File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Rebecca Cooper\Desktop\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Rebecca Cooper\Desktop\Internet Explorer Wallpaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/29 22:13:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/01/30 13:56:21 | 000,031,752 | ---- | C] (Kaspersky Lab, SLA) -- C:\WINDOWS\System32\drivers\klmdb.sys
[2010/01/30 13:55:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rebecca Cooper\Desktop\tdsskiller
[2010/01/30 12:15:34 | 000,548,864 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Rebecca Cooper\Desktop\OTL.exe
[2010/01/29 22:01:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rebecca Cooper\Desktop\gmer
[2010/01/29 19:37:03 | 000,439,808 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Rebecca Cooper\Desktop\TFC.exe
[2010/01/29 18:26:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rebecca Cooper\Local Settings\Application Data\{CE436162-C178-4635-BFA4-F00E8FBFEF6C}
[2010/01/26 18:12:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rebecca Cooper\Local Settings\Application Data\Yahoo!
[2010/01/22 14:47:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rebecca Cooper\Desktop\irishTexting
[2010/01/21 18:05:19 | 000,000,000 | ---D | C] -- C:\Program Files\Avenue Flo
[2009/03/29 22:36:34 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/03/29 22:36:34 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/03/29 22:36:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/03/29 22:36:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2007/06/01 04:37:48 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/01/30 14:00:00 | 000,000,312 | ---- | M] () -- C:\WINDOWS\tasks\cjtermla.job
[2010/01/30 13:56:21 | 000,031,752 | ---- | M] (Kaspersky Lab, SLA) -- C:\WINDOWS\System32\drivers\klmdb.sys
[2010/01/30 13:55:37 | 000,176,392 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Rebecca Cooper\Desktop\TDSSKiller.exe
[2010/01/30 13:55:06 | 000,152,401 | ---- | M] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\tdsskiller.zip
[2010/01/30 13:49:31 | 000,013,740 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/30 13:49:30 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/30 13:49:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/30 13:49:27 | 401,068,032 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/30 13:48:30 | 002,621,440 | ---- | M] () -- C:\Documents and Settings\Rebecca Cooper\ntuser.dat
[2010/01/30 13:48:30 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Rebecca Cooper\ntuser.ini
[2010/01/30 13:47:06 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Tlasac.dat
[2010/01/30 12:15:37 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rebecca Cooper\Desktop\OTL.exe
[2010/01/30 01:36:25 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Jcufivolupufax.bin
[2010/01/30 00:22:49 | 000,008,468 | ---- | M] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\mbam-log-2010-01-29 (19-57-10).zip
[2010/01/29 22:01:05 | 000,002,610 | ---- | M] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\Attach.zip
[2010/01/29 21:59:16 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\dds.scr
[2010/01/29 21:53:38 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Rebecca Cooper\defogger_reenable
[2010/01/29 21:52:49 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\Defogger.exe
[2010/01/29 20:25:25 | 000,000,440 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{EC79BCE9-184A-4DA4-9F19-ABE785C004AC}.job
[2010/01/29 20:13:00 | 401,096,704 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2010/01/29 19:58:27 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\gmer.zip
[2010/01/29 19:37:04 | 000,439,808 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rebecca Cooper\Desktop\TFC.exe
[2010/01/25 21:51:19 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/25 21:51:03 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/01/25 21:51:03 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/01/25 21:49:52 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2010/01/23 20:13:13 | 000,000,008 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\sysReserve.ini
[2010/01/21 18:05:54 | 000,001,572 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Play Avenue Flo.lnk
[2010/01/21 18:02:45 | 000,001,578 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Game Manager.lnk
[2010/01/19 23:58:06 | 000,001,255 | ---- | M] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\JonaieResume.rtf
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/30 13:55:05 | 000,152,401 | ---- | C] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\tdsskiller.zip
[2010/01/30 00:22:49 | 000,008,468 | ---- | C] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\mbam-log-2010-01-29 (19-57-10).zip
[2010/01/29 22:01:05 | 000,002,610 | ---- | C] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\Attach.zip
[2010/01/29 21:59:14 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\dds.scr
[2010/01/29 21:53:38 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Rebecca Cooper\defogger_reenable
[2010/01/29 21:52:48 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\Defogger.exe
[2010/01/29 20:25:25 | 000,000,440 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{EC79BCE9-184A-4DA4-9F19-ABE785C004AC}.job
[2010/01/29 19:58:25 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\gmer.zip
[2010/01/29 18:26:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Jcufivolupufax.bin
[2010/01/29 18:26:46 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Tlasac.dat
[2010/01/23 20:13:13 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\sysReserve.ini
[2010/01/21 18:05:54 | 000,001,572 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Play Avenue Flo.lnk
[2010/01/21 18:02:45 | 000,001,578 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Game Manager.lnk
[2010/01/19 23:58:06 | 000,001,255 | ---- | C] () -- C:\Documents and Settings\Rebecca Cooper\Desktop\JonaieResume.rtf
[2009/12/27 20:37:36 | 000,000,024 | ---- | C] () -- C:\WINDOWS\wivrs.ini
[2009/11/04 13:05:52 | 000,000,022 | ---- | C] () -- C:\WINDOWS\iexplore.ini
[2009/03/30 01:20:32 | 000,012,288 | ---- | C] () -- C:\Documents and Settings\Rebecca Cooper\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/05/15 06:43:50 | 000,013,765 | ---- | C] () -- C:\WINDOWS\System32\drivers\UCharger.sys
[2006/11/02 08:27:46 | 000,000,518 | ---- | C] () -- C:\WINDOWS\System32\SP207.ini
[2004/09/01 10:49:17 | 003,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/08/04 07:00:00 | 000,149,504 | ---- | C] () -- C:\WINDOWS\ureconisixe.dll
[2004/08/04 07:00:00 | 000,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2002/10/06 13:42:57 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2002/10/04 18:04:25 | 000,921,600 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2002/10/04 18:04:24 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2002/10/04 18:04:17 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll

========== LOP Check ==========

[2009/04/08 22:09:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Aveyond I
[2009/04/09 08:16:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Azureus
[2009/08/08 20:22:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\CasualForge
[2009/06/08 01:31:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\CaveDays
[2009/09/13 21:04:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\EscapeFromParadise2
[2009/06/21 09:32:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\EscapeTheMuseum
[2009/06/21 23:48:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\FreshGames
[2009/06/03 23:08:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Fugazo
[2009/08/18 22:42:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\GameHouse
[2010/01/11 09:20:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Genimo
[2010/01/20 03:37:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\GoBit Games
[2009/06/21 00:15:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Gogii
[2009/04/20 22:51:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\HiddenSecretsNightmare
[2010/01/11 22:33:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Hot Lava Games
[2009/06/10 15:26:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\InterAction studios
[2009/05/31 22:01:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\iWin
[2009/05/31 17:10:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\iWin Games
[2009/06/08 14:24:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Ludia
[2009/04/11 17:27:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Mandragora
[2009/06/06 11:04:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Mean Hamster
[2009/11/04 13:05:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\MumboJumbo
[2009/06/17 19:14:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\MysteryChronicles
[2009/06/10 22:58:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\MythPeople
[2009/10/19 20:36:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Namco
[2009/06/09 22:54:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\NevoSoft Games
[2009/11/29 00:53:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PlayFirst
[2009/07/01 23:22:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PMB Files
[2009/04/11 17:36:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Questtracers
[2009/11/22 22:03:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Sandlot Games
[2009/12/30 02:11:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SITEguard
[2009/08/18 13:37:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SpecialBit
[2010/01/24 13:03:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2009/07/28 00:29:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\VirtualFarm
[2009/04/24 07:43:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\WildTangent
[2009/05/31 19:30:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\WildWestQuest2
[2009/04/05 19:45:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Aveyond II
[2009/12/28 11:46:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Azureus
[2009/06/06 12:49:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Balloon Express
[2009/06/21 01:39:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\BeachPartyCraze
[2009/12/18 10:17:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Big Fish Games
[2009/08/08 20:22:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\CasualForge
[2009/06/05 23:52:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\CupcakeCafe
[2009/06/10 20:26:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\EleFun Games
[2009/04/10 07:39:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\FrimaStudio
[2009/11/24 23:20:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Gaijin Ent
[2009/04/08 22:22:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Gamelab
[2009/12/30 02:51:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\GetRightToGo
[2009/06/09 00:30:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Home Sweet Home
[2009/06/10 00:59:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Home Sweet Home 2
[2009/04/11 08:53:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\ITTNord
[2009/07/28 16:47:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\iWin
[2009/06/08 14:24:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Ludia
[2009/10/09 22:56:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Magic Seeds
[2009/04/11 17:31:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Magus
[2009/06/06 11:04:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Mean Hamster
[2009/06/11 18:44:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Meridian93
[2009/10/19 20:36:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Namco
[2009/03/31 11:19:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Nexon
[2009/11/22 23:47:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Peace Craft
[2009/11/29 00:53:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\PlayFirst
[2009/04/05 21:56:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\ScreenSeven
[2009/06/10 16:36:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Shape games
[2009/04/25 16:30:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\SpinTop
[2009/06/08 11:42:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\SulusGames
[2009/06/11 20:40:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Super-Cow
[2009/06/09 17:51:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Teggo
[2009/06/11 21:32:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Turtle Odyssey II
[2009/04/10 11:17:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\Ubisoft
[2009/06/18 01:35:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\ViquaSoft
[2009/04/24 07:42:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\WildTangent
[2009/06/08 13:59:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\World-LooM
[2009/07/11 22:34:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rebecca Cooper\Application Data\YoudaGames
[2010/01/30 14:00:00 | 000,000,312 | ---- | M] () -- C:\WINDOWS\Tasks\cjtermla.job
[2010/01/29 20:25:25 | 000,000,440 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{EC79BCE9-184A-4DA4-9F19-ABE785C004AC}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2010/01/07 09:34:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2010/01/07 09:34:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2010/01/07 09:34:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2010/01/07 09:34:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/04 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: VIAMRAID.SYS >
[2007/07/17 12:35:20 | 000,114,944 | ---- | M] (VIA Technologies inc,.ltd) MD5=1B7B0954AF54E716F697C511D68C150E -- C:\Documents and Settings\Administrator\Desktop\Winxp\RAID\drvdisk\x86\NT5\viamraid.sys
[2007/07/17 12:35:20 | 000,114,944 | ---- | M] (VIA Technologies inc,.ltd) MD5=1B7B0954AF54E716F697C511D68C150E -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\VRAIDDrv\2K\viamraid.sys
[2007/07/17 12:35:20 | 000,114,944 | ---- | M] (VIA Technologies inc,.ltd) MD5=1B7B0954AF54E716F697C511D68C150E -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\VRAIDDrv\drvdisk\x86\NT5\viamraid.sys
[2007/07/17 12:35:20 | 000,114,944 | ---- | M] (VIA Technologies inc,.ltd) MD5=1B7B0954AF54E716F697C511D68C150E -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\VRAIDDrv\SRV2003\x86\viamraid.sys
[2007/07/17 12:35:20 | 000,114,944 | ---- | M] (VIA Technologies inc,.ltd) MD5=1B7B0954AF54E716F697C511D68C150E -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\VRAIDDrv\XP\x86\viamraid.sys
[2007/07/12 18:35:36 | 000,118,184 | ---- | M] (VIA Technologies inc,.ltd) MD5=7352A2B1CA928AD8A95F75A1D868A0B5 -- C:\Documents and Settings\Administrator\Desktop\Winxp\RAID\drvdisk\x86\NT4\viamraid.sys
[2007/07/12 18:35:36 | 000,118,184 | ---- | M] (VIA Technologies inc,.ltd) MD5=7352A2B1CA928AD8A95F75A1D868A0B5 -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\VRAIDDrv\drvdisk\x86\NT4\viamraid.sys
[2007/07/12 18:35:36 | 000,118,184 | ---- | M] (VIA Technologies inc,.ltd) MD5=7352A2B1CA928AD8A95F75A1D868A0B5 -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\VRAIDDrv\NT4\viamraid.sys
[2007/07/13 13:05:28 | 000,120,832 | ---- | M] (VIA Technologies Inc.,Ltd) MD5=9E897F955AB8F912E4C1C9ADAF35762C -- C:\Documents and Settings\Administrator\Desktop\Winxp\RAID\drvdisk\VISTA\x86\viamraid.sys
[2007/07/13 13:05:28 | 000,120,832 | ---- | M] (VIA Technologies Inc.,Ltd) MD5=9E897F955AB8F912E4C1C9ADAF35762C -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\VRAIDDrv\drvdisk\VISTA\x86\viamraid.sys
[2007/07/13 13:05:28 | 000,120,832 | ---- | M] (VIA Technologies Inc.,Ltd) MD5=9E897F955AB8F912E4C1C9ADAF35762C -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\VRAIDDrv\VISTA\x86\viamraid.sys

< MD5 for: VIPRT.SYS >
[2007/10/18 17:28:52 | 000,052,224 | ---- | M] (VIA Technologies, Inc.) MD5=020EB647FEA9187541827231CB236DCE -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\SATAIDE\SRV2003\ViPrt.sys
[2007/10/18 17:28:52 | 000,052,224 | ---- | M] (VIA Technologies, Inc.) MD5=020EB647FEA9187541827231CB236DCE -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\SATAIDE\W2K\ViPrt.sys
[2007/10/18 17:28:52 | 000,052,224 | ---- | M] (VIA Technologies, Inc.) MD5=020EB647FEA9187541827231CB236DCE -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\SATAIDE\WXP\ViPrt.sys
[2007/10/19 17:03:14 | 000,053,192 | ---- | M] (VIA Technologies, Inc.) MD5=95155D0F72CE3C23C50A6E3B07BF1C71 -- C:\Documents and Settings\Administrator\Desktop\Winxp\VIA_HyperionPro_V514A\SATAIDE\VISTA\ViPrt.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

========== Alternate Data Streams ==========

< End of report >

#5
JSntgRvr
Global Moderator, 11,560 posts
  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the quote below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :OTL
    O4 - HKLM..\Run: [Tnadecaguh] C:\WINDOWS\ureconisixe.DLL ()
    O4 - HKCU..\Run: [F5JMWNZTHI] C:\DOCUME~1\REBECC~1\LOCALS~1\Temp\Njg.exe File not found
    O15 - HKCU\..Trusted Domains: 5 domain(s) and sub-domain(s) not assigned to a zone.
    O20 - AppInit_DLLs: (C:\WINDOWS\system32\kbdsock.dll c:\windows\system32\zomejuhe.dll) - C:\WINDOWS\System32\kbdsock.dll File not found
    O20 - AppInit_DLLs: (tuvikize.dll) - File not found
    O21 - SSODL: sumonapuj - {fd133537-5e84-4609-b87c-f7eb084b7b27} - C:\WINDOWS\System32\zomejuhe.dll File not found
    O22 - SharedTaskScheduler: {fd133537-5e84-4609-b87c-f7eb084b7b27} - kupuhivus - C:\WINDOWS\System32\zomejuhe.dll File not found

    :Files
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:E866ED4D
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:587AA004
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:BF09BC9E
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:E2C9E369
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:71441FEF
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:64EEA19D
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:141BCC26
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:995B275C
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:1387592D
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:B72729D8
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A7FB9004
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:202A6D97
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:4EDC977B
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:90281753
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:72E74C26
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:9AF3A05F
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D8F9D810
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:BDCD0530
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:059167AF
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A708668B
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:07E8CA28
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:7B60301F
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:03033228
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:4C97EF04
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:4F29F38D
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A2F5F542
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:8B1249CD
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:5466F106
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:68800D8A
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:1FA51BA6
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:9AB338B9
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DEDAEF90
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:38849DE5
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D20FFA63
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:C0A4F645
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:8CD95DE0
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:60D735B2
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:589743E1
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:250A84D5
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:0AEAE3CC
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:741CA49D
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:5425B7F5
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:3DAC3B29
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:30376ACC
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:EB603FE4
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A8E864AC
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:79108DDD
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:FFE4BAC7
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:93C494CA
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:1B79AEF3
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:F5E0AE16
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A94968B5
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:399509A6
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:EB170088
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:C76BA037
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:703CE963
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:037C8A9E
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DAFD38AE
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:95B7F1EC
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:615435BE
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:EBFD4E6F
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:98C1E88D
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:B6FA1F20
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:0651F96C
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:74B502CB
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:47BE4EDF
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:2F8DACDA
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D23AE9EA
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:B54102AD
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:ABE89FFE
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:8CCDAB14
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:0860D6D6
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D31BE97C
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A6253983
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A02025CE
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:9AB56A06
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:6F1F1DBC
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:8E60033F
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:FF818E2B
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:F1DEA771
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:6DD87D86
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:666FB4AA
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:5D351BC6
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:46ADD59D
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:2F93516B
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:710F4DBF
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:5C826C73
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:EA983230
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:96EE29A3
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:385BC52C
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:34B9286E
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:E66B6127
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D29B16C5
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:94124B85
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:51A22C60
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:2B4FA895
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:91A1C0FC
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:3FC4A10A
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:19F494DE
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:16B49C20
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:052E15C3
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D8DB81DC
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:B1EEADE7
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:898C038B
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:375FC7E7
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DF0BC727
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A8ADE5D8
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:C3B5FCD5
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:EC7C9796
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:EC0A74A1
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:E5F8E280
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:669764DD
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D28EBF99
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:C22674B6
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:24FECE50
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:172EB9B5
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A688EF17
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:8EEDCEA2
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:98AE08EA
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:BBF60A29
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:79A70C33
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A9E9471A
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:BF07EA98
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:33611CFB
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DFC5A2B2
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:5FB7A2BD
    @C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:561B1D2B
    C:\WINDOWS\Tasks\cjtermla.job
    C:\WINDOWS\ureconisixe.DLL
    C:\Documents and Settings\Rebecca Cooper\Desktop\tdsskiller.zip
    C:\WINDOWS\Jcufivolupufax.bin
    C:\WINDOWS\Tlasac.dat
    [1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

    :Commands
    [Reboot]

  • Return to OTL, right click in the "Custom Scans/Fixes" window and choose Paste.
  • Click the red Run Fix button.
  • The computer will restart.
  • A report will be produced and saved in the C:\_OTL\MovedFiles folder. Open that report and post its contents in a reply.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no Internet connection after running Combofix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt".
**Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.**

#6
serpntene
Topic Starter, Member, 67 posts
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Tnadecaguh deleted successfully.
C:\WINDOWS\ureconisixe.dll moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\F5JMWNZTHI deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\system32\kbdsock.dll c:\windows\system32\zomejuhe.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:tuvikize.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\sumonapuj deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fd133537-5e84-4609-b87c-f7eb084b7b27}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{fd133537-5e84-4609-b87c-f7eb084b7b27} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fd133537-5e84-4609-b87c-f7eb084b7b27}\ not found.
========== FILES ==========
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:EB170088 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:C76BA037 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:703CE963 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:037C8A9E deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DAFD38AE deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:95B7F1EC deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:615435BE deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:EBFD4E6F deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:98C1E88D deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:B6FA1F20 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:0651F96C deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:74B502CB deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:47BE4EDF deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:2F8DACDA deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D23AE9EA deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:B54102AD deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:ABE89FFE deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:8CCDAB14 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:0860D6D6 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D31BE97C deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A6253983 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A02025CE deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:9AB56A06 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:6F1F1DBC deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:8E60033F deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:FF818E2B deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:F1DEA771 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:6DD87D86 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:666FB4AA deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:5D351BC6 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:46ADD59D deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:2F93516B deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:710F4DBF deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:5C826C73 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:EA983230 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:96EE29A3 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:385BC52C deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:34B9286E deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:E66B6127 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D29B16C5 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:94124B85 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:51A22C60 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:2B4FA895 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:91A1C0FC deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:3FC4A10A deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:19F494DE deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:16B49C20 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:052E15C3 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D8DB81DC deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:B1EEADE7 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:898C038B deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:375FC7E7 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DF0BC727 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A8ADE5D8 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:C3B5FCD5 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:EC7C9796 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:EC0A74A1 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:E5F8E280 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:669764DD deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D28EBF99 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:C22674B6 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:24FECE50 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:172EB9B5 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A688EF17 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:8EEDCEA2 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:98AE08EA deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:BBF60A29 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:79A70C33 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A9E9471A deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:BF07EA98 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:33611CFB deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DFC5A2B2 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:5FB7A2BD deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:561B1D2B deleted successfully.
C:\WINDOWS\Tasks\cjtermla.job moved successfully.
File\Folder C:\WINDOWS\ureconisixe.DLL not found.
C:\Documents and Settings\Rebecca Cooper\Desktop\tdsskiller.zip moved successfully.
C:\WINDOWS\Jcufivolupufax.bin moved successfully.
C:\WINDOWS\Tlasac.dat moved successfully.
File\Folder [1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ] not found.
========== COMMANDS ==========

OTL by OldTimer - Version 3.1.27.1 log created on 01302010_164725



Shutting down browser to run ComboFix now. Log will be posted in next reply.

#7 serpntene (Topic Starter, Member, 67 posts)
ComboFix 10-01-29.09 - Rebecca Cooper 01/30/2010 17:04:44.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.130 [GMT -5:00]
Running from: c:\documents and settings\Rebecca Cooper\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\driver
c:\windows\system32\Install.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINSTS


((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-30 )))))))))))))))))))))))))))))))
.

2010-01-30 21:47 . 2010-01-30 21:47 -------- d-----w- C:\_OTL
2010-01-26 23:12 . 2010-01-27 02:58 -------- d-----w- c:\documents and settings\Rebecca Cooper\Local Settings\Application Data\Yahoo!
2010-01-21 23:05 . 2010-01-21 23:09 -------- d-----w- c:\program files\Avenue Flo
2010-01-16 16:45 . 2010-01-16 16:45 -------- d-----w- c:\documents and settings\Rebecca Cooper\Local Settings\Application Data\Deployment
2010-01-12 19:15 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 03:33 . 2010-01-12 03:33 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Hot Lava Games
2010-01-11 13:43 . 2010-01-11 14:20 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Genimo
2010-01-05 20:07 . 2004-08-04 12:00 403 -c----w- c:\windows\system32\dllcache\npdrmv2.zip
2010-01-05 20:07 . 2004-08-04 12:00 22060 -c----w- c:\windows\system32\dllcache\npds.zip
2010-01-05 20:06 . 2009-07-31 15:05 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-01-05 20:06 . 2008-04-13 17:27 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-01-05 20:05 . 2008-04-14 00:11 81920 ------w- c:\windows\system32\ieencode.dll
2010-01-05 20:04 . 2008-04-14 09:42 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2010-01-04 17:39 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-01-04 17:39 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-01-04 17:39 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-01-04 17:38 . 2010-01-04 17:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2010-01-03 04:25 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-03 04:25 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 03:38 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-01-03 03:34 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-01-03 03:34 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-01-03 03:34 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-01-03 03:34 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-01-03 03:34 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-01-03 03:34 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-01-03 03:34 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2010-01-03 03:34 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-01-03 03:34 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-01-03 03:33 . 2009-12-21 19:14 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-03 03:33 . 2009-12-21 19:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-03 03:33 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-03 03:33 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-03 03:32 . 2009-12-21 19:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-03 03:32 . 2009-12-21 19:14 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-03 03:30 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-01-03 03:28 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-01-03 03:28 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-03 03:28 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2010-01-03 03:28 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-01-03 03:28 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-01-03 03:27 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-03 03:27 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-03 03:27 . 2009-08-04 14:20 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-01-03 03:27 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-01-02 03:46 . 2004-08-04 12:00 101376 -c--a-w- c:\windows\system32\dllcache\srusbusd.dll
2010-01-02 03:45 . 2004-08-04 12:00 9216 -c--a-w- c:\windows\system32\dllcache\kbdnecat.dll
2010-01-02 03:44 . 2001-08-18 03:36 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2010-01-02 03:44 . 2001-08-18 03:36 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2010-01-02 03:34 . 2001-08-17 17:13 27165 ----a-w- c:\windows\system32\drivers\fetnd5.sys
2010-01-02 03:31 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-01-02 03:31 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-01-02 03:31 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-01-02 03:31 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-30 21:49 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-30 20:54 . 2009-12-30 18:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-29 23:40 . 2009-09-20 01:32 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2010-01-27 14:02 . 2010-01-27 14:02 1956528 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-01-27 02:58 . 2009-03-31 00:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-24 18:03 . 2009-03-30 07:04 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-01-23 08:31 . 2009-04-09 04:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\BigFishGamesCache
2010-01-21 23:02 . 2009-04-09 04:06 -------- d-----w- c:\program files\bfgclient
2010-01-20 08:37 . 2009-11-23 05:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\GoBit Games
2010-01-12 06:10 . 2009-03-30 06:49 -------- d-----w- c:\program files\MSN Games
2010-01-12 02:58 . 2010-01-12 02:58 5115824 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-12 02:56 . 2009-08-19 05:12 -------- d-----w- c:\program files\Oberon Media
2010-01-11 13:43 . 2010-01-11 13:43 1212416 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Genimo\WebGames\BigFishGames\ButterflyEscape\ButterflyEscape.dll
2010-01-02 03:42 . 2009-03-30 04:32 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-30 18:42 . 2009-12-30 18:42 -------- d-----w- c:\program files\Alwil Software
2009-12-30 18:15 . 2009-12-30 18:15 -------- d-----w- c:\program files\ACW
2009-12-30 08:30 . 2009-12-30 07:52 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-30 08:30 . 2009-12-30 07:52 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools
2009-12-30 07:51 . 2009-12-30 07:49 -------- d-----w- c:\documents and settings\Rebecca Cooper\Application Data\GetRightToGo
2009-12-30 07:19 . 2009-05-23 16:31 -------- d-----w- c:\documents and settings\Rebecca Cooper\Application Data\Move Networks
2009-12-30 07:11 . 2009-12-30 06:23 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2009-12-30 06:36 . 2009-12-30 06:35 992 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-12-30 06:21 . 2009-12-30 06:21 -------- d-----w- c:\program files\Common Files\iS3
2009-12-28 16:46 . 2009-04-09 13:16 -------- d-----w- c:\documents and settings\Rebecca Cooper\Application Data\Azureus
2009-12-21 19:14 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 17:20 . 2009-04-09 12:46 -------- d-----w- c:\program files\Vuze
2009-12-18 16:14 . 2009-12-18 15:15 -------- d-----w- c:\program files\Mystery Case Files - Dire Grove
2009-12-18 15:17 . 2009-12-18 15:17 -------- d-----w- c:\documents and settings\Rebecca Cooper\Application Data\Big Fish Games
2009-12-08 11:00 . 2009-03-31 04:01 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-26 00:45 . 2009-11-26 00:45 86016 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-24 00:10 . 2009-11-24 00:10 249856 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\PlayFirst\Games\components\pfMultiplayer.dll
2009-11-24 00:10 . 2009-11-24 00:10 466944 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\PlayFirst\Games\pfHarness\pfHarness.dll
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-06-01 09:37 . 2007-06-01 09:37 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-07 17421824]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\EA Games\\American McGee's Alice Demo\\alice.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59074:TCP"= 59074:TCP:Pando Media Booster
"59074:UDP"= 59074:UDP:Pando Media Booster
"57930:TCP"= 57930:TCP:Pando Media Booster
"57930:UDP"= 57930:UDP:Pando Media Booster

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/4/2010 12:39 PM 108289]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S0 tkqti;tkqti; [x]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 UCharger;Energizer Usb Charger Driver;c:\windows\system32\drivers\UCharger.sys [5/15/2007 6:43 AM 13765]
.
Contents of the 'Scheduled Tasks' folder

2010-01-30 c:\windows\Tasks\User_Feed_Synchronization-{EC79BCE9-184A-4DA4-9F19-ABE785C004AC}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: {3AB791B3-C287-41A3-97A2-9590EC30B539} = 93.188.162.14,93.188.166.53
DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} - hxxp://games.bigfishgames.com/en_dairy-dash-game/online/DairyDashWeb.1.0.0.15.cab
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://games.bigfishgames.com/en_cooking-dash/online/CookingDashWeb.1.0.0.9.cab
DPF: {1CDFA4E8-3396-439D-8C9D-AD0E32DE94B6} - hxxp://www.arcadetown.com/swf/tastyplanet.1.0.0.4.cab
DPF: {8ADC4409-4FBF-4224-B73F-2392C721BCB4} - hxxp://games.bigfishgames.com/en_butterflyescape/online/GenimoWebGamesControl.cab
FF - ProfilePath - c:\documents and settings\Rebecca Cooper\Application Data\Mozilla\Firefox\Profiles\im81q534.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
Toolbar-Locked - (no file)
HKLM-Run-Tnadecaguh - c:\windows\ureconisixe.dll
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-30 17:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3708)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Completion time: 2010-01-30 17:20:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-30 22:20

Pre-Run: 97,393,926,144 bytes free
Post-Run: 97,306,136,576 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 2674BF96B002C89CB857260C2A41FC70

#8 JSntgRvr (Global Moderator, 11,560 posts)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
"NoActiveDesktopChanges"=-

Driver::
tkqti
TfFsMon
TfSysMon
TfNetMon


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Download GMER Rootkit Scanner - Download - Homepage
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe.
  • No need to scan. Just wait until the initial scan is finished.
  • Once done click on the Rootkit tab, then on the[Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Please copy and paste the contents of that report in your next reply.
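As an added illustration (not code from the thread, from the moderator, or from ComboFix itself), the script below applies the reasoning behind the CFScript above to the log format ComboFix prints: it picks out services whose driver image is missing ("[?]") or not registered at all ("[x]") and Explorer policy values under a user hive, then emits the matching Driver:: and Registry:: sections. It generalises the four-driver, two-value case above to any log in that layout; the sample lines are copied from the ComboFix log posted earlier, and the parsing rules are assumptions about ComboFix's output format.

```python
"""Reconstruct ComboFix CFScript sections from a log's service and policy entries.

Added example, not code from the thread or from ComboFix. The parsing rules are
assumptions drawn from the log above: service lines read
'<R|S><start type> name;display;image [details]', where a trailing '[?]' means
the image file was not found and '[x]' means no image path is registered; the
'Reg Loading Points' block lists '[key]' headers followed by '"name"=value'.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input for this example: service lines and registry entries copied
# from the ComboFix log posted above (constructed test input).
SERVICE_LINES = r"""
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/4/2010 12:39 PM 108289]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S0 tkqti;tkqti; [x]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 UCharger;Energizer Usb Charger Driver;c:\windows\system32\drivers\UCharger.sys [5/15/2007 6:43 AM 13765]
"""

# The security-center key is included to show that non-policy keys are left alone.
REG_LINES = r"""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


@dataclass
class ServiceEntry:
    start: str    # 'R'unning / 'S'topped plus start type digit (0 = boot start)
    name: str
    display: str
    detail: str   # image path, optional '--> resolved path', and a '[...]' tag


def parse_services(text: str) -> list[ServiceEntry]:
    """Parse the 'Drivers/Services' lines of a ComboFix log."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(*m.groups()))
    return entries


def orphan_services(entries: list[ServiceEntry]) -> list[tuple[str, str]]:
    """Return (name, reason) for services whose driver image is gone.

    A registered driver with no file behind it is the usual trace of a removed
    security product, or of a loader whose file was already deleted; removing
    the service entry finishes the cleanup.
    """
    flagged = []
    for e in entries:
        tag = e.detail.strip()
        if tag.endswith("[x]"):
            flagged.append((e.name, "no image path registered"))
        elif tag.endswith("[?]"):
            flagged.append((e.name, "image file not found"))
    return flagged


def parse_reg_points(text: str) -> dict[str, dict[str, str]]:
    """Parse the 'Reg Loading Points' block into {key: {value name: data}}."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if k := KEY_RE.match(line):
            current = k.group(1)
            keys.setdefault(current, {})
        elif (v := VALUE_RE.match(line)) and current is not None:
            keys[current][v.group(1)] = v.group(2)
    return keys


def policy_restrictions(keys: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Explorer policy values under any hive: a default XP install sets none,
    and values such as NoSetActiveDesktop are typically planted by a hijacker."""
    return {key: sorted(vals) for key, vals in keys.items()
            if "\\policies\\" in key.lower() and vals}


def build_cfscript(keys: dict[str, dict[str, str]], entries: list[ServiceEntry]) -> str:
    """Emit Registry:: and Driver:: sections in CFScript syntax."""
    lines: list[str] = []
    policies = policy_restrictions(keys)
    if policies:
        lines.append("Registry::")
        for key, names in policies.items():
            lines.append(f"[{key}]")
            lines.extend(f'"{n}"=-' for n in names)  # '=-' deletes the value
        lines.append("")
    orphans = orphan_services(entries)
    if orphans:
        lines.append("Driver::")
        lines.extend(name for name, _ in orphans)
    return "\n".join(lines)


if __name__ == "__main__":
    for name, why in orphan_services(parse_services(SERVICE_LINES)):
        print(f"{name}: {why}")
    print()
    print(build_cfscript(parse_reg_points(REG_LINES), parse_services(SERVICE_LINES)))
```

Run against the sample it flags exactly the four drivers and two policy values the moderator's CFScript removes, and leaves the Avira and Energizer services and the security-center key untouched.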

#9 serpntene (Topic Starter, Member, 67 posts)
Opened GMER, did not click scan, just went to Rootkit/Save, and there is nothing in the report. It is completely blank.

Additionally, now I am experiencing random popups and IE crashes/freezes where I was only getting redirects.

Could this have anything to do with MBAM's update from 7 Jan? That is the last known update showing in MBAM and it is also the last time my AntiVir ran an automatic scan.

ComboFix 10-01-29.09 - Rebecca Cooper 01/30/2010 19:28:43.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.163 [GMT -5:00]
Running from: c:\documents and settings\Rebecca Cooper\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rebecca Cooper\Desktop\cfscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-31 )))))))))))))))))))))))))))))))
.

2010-01-30 21:47 . 2010-01-30 21:47 -------- d-----w- C:\_OTL
2010-01-27 14:02 . 2010-01-27 14:02 1956528 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-01-26 23:12 . 2010-01-27 02:58 -------- d-----w- c:\documents and settings\Rebecca Cooper\Local Settings\Application Data\Yahoo!
2010-01-21 23:05 . 2010-01-21 23:09 -------- d-----w- c:\program files\Avenue Flo
2010-01-16 16:45 . 2010-01-16 16:45 -------- d-----w- c:\documents and settings\Rebecca Cooper\Local Settings\Application Data\Deployment
2010-01-12 19:15 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 03:33 . 2010-01-12 03:33 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Hot Lava Games
2010-01-12 02:58 . 2010-01-12 02:58 5115824 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-11 13:43 . 2010-01-11 13:43 1212416 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Genimo\WebGames\BigFishGames\ButterflyEscape\ButterflyEscape.dll
2010-01-11 13:43 . 2010-01-11 14:20 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Genimo
2010-01-05 20:07 . 2004-08-04 12:00 403 -c----w- c:\windows\system32\dllcache\npdrmv2.zip
2010-01-05 20:07 . 2004-08-04 12:00 22060 -c----w- c:\windows\system32\dllcache\npds.zip
2010-01-05 20:06 . 2009-07-31 15:05 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-01-05 20:06 . 2008-04-13 17:27 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-01-05 20:05 . 2008-04-14 00:11 81920 ------w- c:\windows\system32\ieencode.dll
2010-01-05 20:04 . 2008-04-14 09:42 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2010-01-04 17:39 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-01-04 17:39 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-01-04 17:39 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-01-04 17:38 . 2010-01-04 17:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2010-01-03 04:25 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-03 04:25 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 03:38 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-01-03 03:34 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-01-03 03:34 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-01-03 03:34 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-01-03 03:34 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-01-03 03:34 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-01-03 03:34 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-01-03 03:34 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2010-01-03 03:34 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-01-03 03:34 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-01-03 03:33 . 2009-12-21 19:14 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-03 03:33 . 2009-12-21 19:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-03 03:33 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-03 03:33 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-03 03:32 . 2009-12-21 19:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-03 03:32 . 2009-12-21 19:14 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-03 03:30 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-01-03 03:28 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-01-03 03:28 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-03 03:28 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2010-01-03 03:28 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-01-03 03:28 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-01-03 03:27 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-03 03:27 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-03 03:27 . 2009-08-04 14:20 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-01-03 03:27 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-01-02 03:46 . 2004-08-04 12:00 101376 -c--a-w- c:\windows\system32\dllcache\srusbusd.dll
2010-01-02 03:45 . 2004-08-04 12:00 9216 -c--a-w- c:\windows\system32\dllcache\kbdnecat.dll
2010-01-02 03:44 . 2001-08-18 03:36 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2010-01-02 03:44 . 2001-08-18 03:36 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2010-01-02 03:34 . 2001-08-17 17:13 27165 ----a-w- c:\windows\system32\drivers\fetnd5.sys
2010-01-02 03:31 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-01-02 03:31 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-01-02 03:31 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-01-02 03:31 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-30 21:49 . 2004-08-04 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-30 20:54 . 2009-12-30 18:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-29 23:40 . 2009-09-20 01:32 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2010-01-27 02:58 . 2009-03-31 00:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-24 18:03 . 2009-03-30 07:04 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-01-23 08:31 . 2009-04-09 04:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\BigFishGamesCache
2010-01-21 23:02 . 2009-04-09 04:06 -------- d-----w- c:\program files\bfgclient
2010-01-20 08:37 . 2009-11-23 05:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\GoBit Games
2010-01-12 06:10 . 2009-03-30 06:49 -------- d-----w- c:\program files\MSN Games
2010-01-12 02:56 . 2009-08-19 05:12 -------- d-----w- c:\program files\Oberon Media
2010-01-02 03:42 . 2009-03-30 04:32 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-30 18:42 . 2009-12-30 18:42 -------- d-----w- c:\program files\Alwil Software
2009-12-30 18:15 . 2009-12-30 18:15 -------- d-----w- c:\program files\ACW
2009-12-30 08:30 . 2009-12-30 07:52 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-30 08:30 . 2009-12-30 07:52 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools
2009-12-30 07:51 . 2009-12-30 07:49 -------- d-----w- c:\documents and settings\Rebecca Cooper\Application Data\GetRightToGo
2009-12-30 07:19 . 2009-05-23 16:31 -------- d-----w- c:\documents and settings\Rebecca Cooper\Application Data\Move Networks
2009-12-30 07:11 . 2009-12-30 06:23 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2009-12-30 06:36 . 2009-12-30 06:35 992 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-12-30 06:21 . 2009-12-30 06:21 -------- d-----w- c:\program files\Common Files\iS3
2009-12-28 16:46 . 2009-04-09 13:16 -------- d-----w- c:\documents and settings\Rebecca Cooper\Application Data\Azureus
2009-12-21 19:14 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-18 17:20 . 2009-04-09 12:46 -------- d-----w- c:\program files\Vuze
2009-12-18 16:14 . 2009-12-18 15:15 -------- d-----w- c:\program files\Mystery Case Files - Dire Grove
2009-12-18 15:17 . 2009-12-18 15:17 -------- d-----w- c:\documents and settings\Rebecca Cooper\Application Data\Big Fish Games
2009-12-08 11:00 . 2009-03-31 04:01 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-26 00:45 . 2009-11-26 00:45 86016 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-24 00:10 . 2009-11-24 00:10 249856 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\PlayFirst\Games\components\pfMultiplayer.dll
2009-11-24 00:10 . 2009-11-24 00:10 466944 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\PlayFirst\Games\pfHarness\pfHarness.dll
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-06-01 09:37 . 2007-06-01 09:37 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-07 17421824]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\EA Games\\American McGee's Alice Demo\\alice.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59074:TCP"= 59074:TCP:Pando Media Booster
"59074:UDP"= 59074:UDP:Pando Media Booster
"57930:TCP"= 57930:TCP:Pando Media Booster
"57930:UDP"= 57930:UDP:Pando Media Booster

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/4/2010 12:39 PM 108289]
S3 UCharger;Energizer Usb Charger Driver;c:\windows\system32\drivers\UCharger.sys [5/15/2007 6:43 AM 13765]
.
Contents of the 'Scheduled Tasks' folder

2010-01-30 c:\windows\Tasks\User_Feed_Synchronization-{EC79BCE9-184A-4DA4-9F19-ABE785C004AC}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: {3AB791B3-C287-41A3-97A2-9590EC30B539} = 93.188.162.14,93.188.166.53
DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} - hxxp://games.bigfishgames.com/en_dairy-dash-game/online/DairyDashWeb.1.0.0.15.cab
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://games.bigfishgames.com/en_cooking-dash/online/CookingDashWeb.1.0.0.9.cab
DPF: {1CDFA4E8-3396-439D-8C9D-AD0E32DE94B6} - hxxp://www.arcadetown.com/swf/tastyplanet.1.0.0.4.cab
DPF: {8ADC4409-4FBF-4224-B73F-2392C721BCB4} - hxxp://games.bigfishgames.com/en_butterflyescape/online/GenimoWebGamesControl.cab
FF - ProfilePath - c:\documents and settings\Rebecca Cooper\Application Data\Mozilla\Firefox\Profiles\im81q534.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-30 19:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3648)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-30 19:38:47
ComboFix-quarantined-files.txt 2010-01-31 00:38
ComboFix2.txt 2010-01-30 23:25
ComboFix3.txt 2010-01-30 22:20

Pre-Run: 97,264,058,368 bytes free
Post-Run: 97,226,248,192 bytes free

- - End Of File - - 7AC7B5B6078B240D1E68334494C9E83B


Please feel free to disregard my moment of complete idiocy in posting an OTL log here.

Also still cannot open malwarebytes.org on infected machine.

Edited by serpntene, 30 January 2010 - 06:42 PM.

  • 0

#10
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,560 posts
First go to Start -> Run, type CMD and click OK. At the prompt copy and paste the following and press Enter after each line:

extrac32 /L %systemdrive%\ "C:\WINDOWS\Driver Cache\i386\sp3.cab" atapi.sys
Exit


Next, please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
  • 0

#11
serpntene

serpntene

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 22:01 on 30/01/2010 by Rebecca Cooper (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [14:35 07/01/2010] [12:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [22:19 30/01/2010] [21:49 30/01/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [20:03 05/01/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [12:00 04/08/2004] [21:49 30/01/2010] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-
  • 0

#12
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,560 posts
Did you run the Extrac32 command first?
  • 0

#13
serpntene

serpntene

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts
Yes, I ran it, but nothing happened. Shall I try again?
  • 0

#14
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,560 posts
Yes, please. All copies in the report seem modified.
  • 0

#15
serpntene

serpntene

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 22:25 on 30/01/2010 by Rebecca Cooper (Administrator - Elevation successful)
I must have done it wrong in cmd the first time.

========== filefind ==========

Searching for "atapi.sys"
C:\atapi.sys ------ 96512 bytes [03:24 31/01/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [14:35 07/01/2010] [12:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [22:19 30/01/2010] [21:49 30/01/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [20:03 05/01/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [12:00 04/08/2004] [21:49 30/01/2010] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-
  • 0
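The check the moderator is doing by eye above (extract a known-good atapi.sys from sp3.cab, then compare every copy SystemLook finds by MD5) can be scripted. The parser below is an added example, not code from the thread or from SystemLook; it reads the filefind lines in the format posted above, uses the copy extrac32 placed at C:\ as the reference, and reports each other copy as a match, a different build (size and hash both differ) or a same-size copy with a different hash. The sample log is built from the five lines in the last post plus one constructed entry with a placeholder path and hash; the function names and verdict labels are this example's own.

```python
import re
from typing import Dict, List, NamedTuple
# One filefind result line: path, six attribute flags, size, two bracketed
# timestamps, MD5. Paths can contain spaces, so the path group is lazy.
LINE_RE = re.compile(r"^(?P<path>.+?) [-a-z]{6} (?P<size>\d+) bytes "
                     r"\[[^\]]+\] \[[^\]]+\] (?P<md5>[0-9A-Fa-f]{32})$")

class FileCopy(NamedTuple):
    path: str
    size: int
    md5: str

def parse_filefind(log_text: str) -> List[FileCopy]:
    """Return every result line of a SystemLook filefind log; headers are skipped."""
    found = [LINE_RE.match(ln.strip()) for ln in log_text.splitlines()]
    return [FileCopy(m["path"], int(m["size"]), m["md5"].upper()) for m in found if m]

def classify_copies(log_text: str, reference_path: str) -> Dict[str, str]:
    """Compare each copy with the known-good one at reference_path (here the file
    extrac32 pulled out of sp3.cab). Verdicts: 'reference', 'match', 'other-build'
    (size and hash differ, a different version) or 'MODIFIED' (same size, hash differs)."""
    copies = parse_filefind(log_text)
    ref = next((c for c in copies if c.path.lower() == reference_path.lower()), None)
    if ref is None:
        raise ValueError(f"reference copy {reference_path} not found in log")
    verdicts = {}
    for c in copies:
        if c.path == ref.path:
            verdicts[c.path] = "reference"
        elif c.md5 == ref.md5:
            verdicts[c.path] = "match"
        elif c.size != ref.size:
            verdicts[c.path] = "other-build"
        else:
            verdicts[c.path] = "MODIFIED"
    return verdicts

# Constructed sample: the five lines from the second SystemLook run in the thread
# plus one invented line (placeholder path and hash, same size) for 'MODIFIED'.
SAMPLE_LOG = r"""Searching for "atapi.sys"
C:\atapi.sys ------ 96512 bytes [03:24 31/01/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [14:35 07/01/2010] [12:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [22:19 30/01/2010] [21:49 30/01/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [20:03 05/01/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [12:00 04/08/2004] [21:49 30/01/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\CONSTRUCTED\example\atapi.sys ------ 96512 bytes [00:00 01/01/2010] [00:00 01/01/2010] 00000000000000000000000000000000
"""
if __name__ == "__main__":
    for path, verdict in sorted(classify_copies(SAMPLE_LOG, r"C:\atapi.sys").items()):
        print(f"{verdict:11} {path}")
```

On the real log in the thread every copy matches the extracted reference, and the only differing copy is the pre-SP3 one under $NtServicePackUninstall$, whose size also differs.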