
Windows Update not working and Search Engine hijacked [Solved]



#31 Babine (Topic Starter, Member, 58 posts)
Hello,

I have run the scan twice; unfortunately, both times my computer was rebooted. But the second time, I finished the scan, and I was actually saving the log, but the computer just froze, so I'm going to try one more time to see if I can get any results. Once the scan is done, the program is really slow, as well as saving.


#32 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
When you try again, try unchecking the "Files" box. Might help. :)

#33 Babine (Topic Starter, Member, 58 posts)
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-11 18:24:04
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Henry\LOCALS~1\Temp\fwrcipob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAssignProcessToJobObject [0xA8D87464]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA8DF6C56]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xA8F2E630]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xA8F27D80]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA8DF6B12]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xA8F2EE40]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwCreateThread [0xA8D8749E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xA8F2EFB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xA8F28C60]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteKey [0xA8D87290]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteValueKey [0xA8D87302]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA8DF66E8]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xA8F4E080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xA8F4E2B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xA8F28750]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA8DF6BEC]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenProcess [0xA8D877B2]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenThread [0xA8D8768E]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwProtectVirtualMemory [0xA8D8752A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA8DF6D0C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA8DF7194]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xA8F4EA40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xA8F2E180]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA8DF6CCC]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetContextThread [0xA8D87426]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xA8F29080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xA8F4F8E0]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetValueKey [0xA8D8738E]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateProcess [0xA8D878E6]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateThread [0xA8D875AE]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwWriteVirtualMemory [0xA8D875E6]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA8E0345C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CE0 8050457C 4 Bytes CALL 16F924E7
PAGE ntkrnlpa.exe!ZwLoadDriver 8058413A 7 Bytes JMP A8E03460 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC520 5 Bytes JMP A8DFF4BA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2FA4 5 Bytes JMP A8E00972 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.rsrc C:\WINDOWS\System32\DRIVERS\RDPCDD.sys entry point in ".rsrc" section [0xBA5D2C14]

---- User code sections - GMER 1.0.15 ----

.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[228] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0073000A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[228] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0075000A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[228] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0069000C
.text C:\WINDOWS\System32\svchost.exe[868] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007E000A
.text C:\WINDOWS\System32\svchost.exe[868] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\svchost.exe[868] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007D000C
.text C:\WINDOWS\System32\svchost.exe[868] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 018C000A
.text C:\WINDOWS\System32\svchost.exe[868] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0189000A
.text C:\WINDOWS\Explorer.EXE[1284] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A
.text C:\WINDOWS\Explorer.EXE[1284] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AF000A
.text C:\WINDOWS\Explorer.EXE[1284] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A0000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A470AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\DRIVERS\RDPCDD.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
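The GMER log above mixes two very different kinds of record: SSDT and kernel hooks that belong to the security products installed on this machine (avast!, ZoneAlarm, Prevx), and a handful of lines that point at a tampered driver (a file flagged as "suspicious modification", an entry point inside the ".rsrc" section, and a device object GMER marks with "->"). The following Python script is an added example, not part of this thread and not GMER's own tooling: it walks a GMER log section by section, treats hooks attributed to a recognised vendor as expected, and surfaces the records a helper would actually act on. The vendor allow-list, the severity labels and the finding names are assumptions of the example; the sample input is an excerpt of the log posted above.

```python
"""Triage a GMER rootkit-scan log: separate hooks that belong to installed
security products from indicators of a tampered driver. (Added example.)"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: vendors whose kernel hooks are expected on this machine, taken from
# the names GMER printed in parentheses (avast!, ZoneAlarm, Prevx) plus Microsoft.
KNOWN_VENDORS = {"ALWIL Software", "Check Point Software Technologies LTD",
                 "Prevx", "Microsoft Corporation"}

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
VENDOR_RE = re.compile(r"\((?P<desc>[^()]*?)/(?P<vendor>[^()]*)\)")  # "(description/vendor)"
RSRC_RE = re.compile(r'^\.rsrc\s+(?P<path>.+?)\s+entry point in "\.rsrc" section')
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification\s*$")
REDIRECT_RE = re.compile(r"^Device\s+->\s+(?P<driver>\S+)\s+(?P<device>\S+)")
HOOK_RE = re.compile(r"^\S+\s+(?P<target>.+?)\s+[0-9A-F]+\s+\d+ Bytes\s+(?:JMP|CALL)\s+[0-9A-F]+")

# Constructed sample: an excerpt of the GMER log posted in this thread.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAssignProcessToJobObject [0xA8D87464]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA8DF6C56]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xA8F2E630]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2CE0 8050457C 4 Bytes CALL 16F924E7
PAGE ntkrnlpa.exe!ZwLoadDriver 8058413A 7 Bytes JMP A8E03460 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.rsrc C:\WINDOWS\System32\DRIVERS\RDPCDD.sys entry point in ".rsrc" section [0xBA5D2C14]
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A470AC8
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\System32\DRIVERS\RDPCDD.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    kind: str
    subject: str
    detail: str


def _attributed(kind: str, subject: str, vendor: str | None, unknown: str) -> Finding:
    """A hook owned by a recognised security vendor is expected; anything else needs review."""
    if vendor in KNOWN_VENDORS:
        return Finding("info", kind, subject, f"expected hook from {vendor}")
    return Finding("medium", kind, subject, unknown)


def triage(log_text: str) -> list[Finding]:
    """Walk the log section by section and classify every GMER record."""
    findings: list[Finding] = []
    section = ""
    for line in (ln.strip() for ln in log_text.splitlines() if ln.strip()):
        if m := SECTION_RE.match(line):
            section = m.group("name")
            continue
        vm = VENDOR_RE.search(line)
        vendor = vm.group("vendor") if vm else None
        parts = line.split()
        if section == "Files" and (m := FILE_RE.match(line)):
            findings.append(Finding("high", "modified-system-file", m.group("path"),
                                    "on-disk driver no longer matches its expected contents"))
        elif section == "Kernel code sections":
            if m := RSRC_RE.match(line):
                findings.append(Finding("high", "entry-point-in-rsrc", m.group("path"),
                                        "PE entry point inside the resource section, typical of a patched driver"))
            elif m := HOOK_RE.match(line):
                findings.append(_attributed("kernel-inline-patch", m.group("target"), vendor,
                                            "kernel code redirected with no owning module listed"))
        elif section == "Devices":
            if m := REDIRECT_RE.match(line):
                findings.append(Finding("high", "device-redirected", m.group("device"),
                                        f"GMER '->' marker: {m.group('driver')} device object points at an unexpected driver"))
            elif len(parts) > 1:
                findings.append(_attributed("device-attached", parts[1], vendor,
                                            "device object owned by a module GMER could not attribute"))
        elif section == "System" and len(parts) > 1:
            findings.append(_attributed("ssdt-or-code-hook", parts[1], vendor,
                                        "kernel hook by a module that is not a recognised security product"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_GMER_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.kind:20} {f.subject}  -- {f.detail}")
    print(summarize(results))
```

Run against the excerpt, the three SSDT hooks and the avast! JMP and device attachment come out as "info", the unattributed ntkrnlpa.exe patch as "medium", and the four records that made emeraldnzl say "we have found our culprit" (RDPCDD.sys twice, atapi.sys, and the redirected \Device\Harddisk0\DR0) as "high". The allow-list is deliberately per-machine: a hook from a vendor that is not installed on the box under review should stay "medium" until someone explains it.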

#34 Babine (Topic Starter, Member, 58 posts)
So the scan worked this time, and I didn't have to uncheck the files.

#35 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

So the scan worked this time, and I didn't have to uncheck the files.


Well done. :)

I think we have found our culprit.

  • Double click on the OTL icon to run it. Make sure all other windows are closed to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


    /md5start
    RDPCDD.sys
    /md5stop

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into your reply.

#36 Babine (Topic Starter, Member, 58 posts)
I finished the scan, and only the OTL.Txt appeared; the Extras.Txt wasn't in the OTL folder either. But here is the OTL.txt, as follows:

OTL logfile created on: 4/11/2010 6:46:44 PM - Run 7
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Henry\Desktop\New Folder (3)
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 71.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 275.70 Gb Free Space | 92.49% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HENRYLAU
Current User Name: Henry
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/07 16:19:35 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Henry\Desktop\New Folder (3)\OTL.exe
PRC - [2010/04/02 14:13:41 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/03/09 03:24:10 | 002,769,336 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2009/10/26 21:42:42 | 000,718,232 | ---- | M] (Pelmorex Media Inc.) -- C:\Documents and Settings\Henry\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
PRC - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/04/14 05:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/04/07 16:19:35 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Henry\Desktop\New Folder (3)\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/11/22 15:44:16 | 002,384,240 | ---- | M] (Check Point Software Technologies LTD) [Auto | Stopped] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 22:31:08 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)


========== Driver Services (SafeList) ==========

DRV - [2010/04/01 22:59:39 | 000,050,376 | ---- | M] (Prevx) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\pxrts.sys -- (pxrts)
DRV - [2010/03/09 03:12:54 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/03/09 03:12:33 | 000,162,640 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/03/09 03:09:08 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/03/09 03:08:41 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/03/09 03:08:30 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/03/09 03:08:15 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/11/22 15:42:54 | 000,486,280 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2009/03/25 08:48:00 | 000,114,728 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018mdm.sys -- (s1018mdm)
DRV - [2009/03/25 08:48:00 | 000,109,864 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018unic.sys -- (s1018unic) Sony Ericsson Device 1018 USB Ethernet Emulation (WDM)
DRV - [2009/03/25 08:48:00 | 000,106,208 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018mgmt.sys -- (s1018mgmt) Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM)
DRV - [2009/03/25 08:48:00 | 000,104,744 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018obex.sys -- (s1018obex)
DRV - [2009/03/25 08:48:00 | 000,086,824 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018bus.sys -- (s1018bus) Sony Ericsson Device 1018 driver (WDM)
DRV - [2009/03/25 08:48:00 | 000,026,024 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018nd5.sys -- (s1018nd5) Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS)
DRV - [2009/03/25 08:48:00 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018mdfl.sys -- (s1018mdfl)
DRV - [2009/02/03 05:12:19 | 000,014,656 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2008/04/14 05:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/14 02:04:06 | 004,676,096 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/01/03 07:10:16 | 000,105,856 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/08/23 20:22:56 | 005,776,928 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2001/08/17 14:05:16 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\OVCD.sys -- (QCDonner)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.eset.com/online-scanner#
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Wikipedia (en)"
FF - prefs.js..browser.startup.homepage: "www.sympatico.msn.ca"
FF - prefs.js..extensions.enabledItems: SkipScreen@SkipScreen:0.4.7amo
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:3.76
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {d8c77b75-d01d-cd98-1b00-c1fb57b20e1e}:4.6.6.6
FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.76


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/02 14:13:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 14:13:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

[2009/10/11 20:47:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Extensions
[2009/10/11 20:47:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Extensions\[email protected]
[2010/04/10 21:30:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions
[2009/09/02 07:44:34 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/03 19:44:27 | 000,000,000 | ---D | M] (Noia 2.0 (eXtreme)) -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
[2010/04/03 19:44:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions\[email protected]
[2010/04/03 19:44:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions\SkipScreen@SkipScreen
[2009/11/12 18:55:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Sunbird\Profiles\srg3s7iq.default\extensions
[2010/04/10 21:30:55 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/06 15:38:47 | 000,000,000 | ---D | M] (z) -- C:\Program Files\Mozilla Firefox\extensions\{d8c77b75-d01d-cd98-1b00-c1fb57b20e1e}
[2010/04/11 18:40:57 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\[email protected]
[2010/04/03 23:06:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\[email protected]

O1 HOSTS File: ([2010/04/02 15:53:34 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [WeatherEye] C:\Documents and Settings\Henry\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe (Pelmorex Media Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.59.144.90 64.59.144.91
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Henry\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Henry\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/03 04:50:11 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/04/11 11:02:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Desktop\gmer
[2010/04/11 00:37:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Desktop\FileLister
[2010/04/10 22:50:20 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/04/10 22:49:53 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/10 16:07:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Local Settings\Application Data\frkbpvnxn
[2010/04/10 09:29:39 | 000,000,000 | ---D | C] -- C:\_OTM
[2010/04/10 09:28:25 | 000,510,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Henry\Desktop\OTM.exe
[2010/04/08 19:10:20 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\atapi.sys
[2010/04/08 19:10:19 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/04/08 19:07:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Desktop\GooredFix Backups
[2010/04/08 18:59:54 | 000,070,858 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Henry\Desktop\GooredFix.exe
[2010/04/07 16:50:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Desktop\New Folder (3)
[2010/04/07 11:56:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/05 11:15:46 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\tsk27.svs
[2010/04/04 22:11:02 | 000,000,000 | ---D | C] -- C:\HelpAsst_backup
[2010/04/04 17:53:50 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Henry\Desktop\TDSSKiller.exe
[2010/04/04 11:10:59 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/04 11:10:58 | 000,162,640 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/04 11:10:57 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/04 11:10:56 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/04 11:10:55 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/04 11:10:55 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/04 11:10:54 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/04 11:10:46 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/04 11:10:46 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/04 11:10:44 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/04/04 11:10:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/04/04 11:00:09 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/04/03 23:31:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot2
[2010/04/03 23:00:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\My Documents\ForceField Shared Files
[2010/04/03 23:00:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Application Data\CheckPoint
[2010/04/03 23:00:50 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2010/04/03 23:00:49 | 000,058,248 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsregexp.dll
[2010/04/03 23:00:48 | 000,103,816 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zlcommdb.dll
[2010/04/03 23:00:48 | 000,069,000 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zlcomm.dll
[2010/04/03 23:00:44 | 001,238,408 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zpeng25.dll
[2010/04/03 23:00:44 | 000,299,912 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vspubapi.dll
[2010/04/03 23:00:44 | 000,109,960 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsxml.dll
[2010/04/03 23:00:44 | 000,107,912 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsmonapi.dll
[2010/04/03 23:00:44 | 000,041,864 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vswmi.dll
[2010/04/03 23:00:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ZoneLabs
[2010/04/03 23:00:43 | 000,486,280 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdatant.sys
[2010/04/03 23:00:43 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2010/04/03 23:00:16 | 000,621,960 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsutil.dll
[2010/04/03 23:00:16 | 000,227,720 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsinit.dll
[2010/04/03 23:00:16 | 000,112,008 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdata.dll
[2010/04/03 23:00:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2010/04/03 22:59:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Desktop\Anti-Virus
[2010/04/03 22:55:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\My Documents\Simply Super Software
[2010/04/03 22:55:46 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ztvcabinet.dll
[2010/04/03 22:43:05 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/03 22:03:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Local Settings\Application Data\Graboid_Inc
[2010/04/03 22:03:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Application Data\MozillaControl
[2010/04/03 22:03:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Local Settings\Application Data\Graboid
[2010/04/03 22:01:45 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla ActiveX Control v1.7.12
[2010/04/03 21:58:55 | 000,000,000 | ---D | C] -- C:\Program Files\Graboid
[2010/04/03 20:31:02 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2010/04/03 17:21:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2010/04/03 17:20:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/02 18:45:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\iklphushm
[2010/04/02 15:52:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/04/02 15:21:15 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/02 15:17:05 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/02 15:17:05 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/02 15:17:05 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/02 15:17:05 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/02 15:16:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/02 15:07:04 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/02 15:07:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/02 15:06:39 | 000,000,000 | ---D | C] -- C:\Program Files\Sun
[2010/04/02 15:06:29 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/02 15:06:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/02 15:06:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/02 15:06:29 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/02 15:01:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\qsexfthui
[2010/04/02 14:23:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/02 13:36:40 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/02 13:36:38 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/02 13:36:38 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/01 23:30:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Local Settings\Application Data\ESET
[2010/04/01 22:59:39 | 000,050,376 | ---- | C] (Prevx) -- C:\WINDOWS\System32\drivers\pxrts.sys
[2010/04/01 22:59:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2010/04/01 21:10:22 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/04/01 21:05:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
[2010/04/01 20:58:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/04/01 18:57:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Local Settings\Application Data\WMTools Downloaded Files
[2010/04/01 18:47:48 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2010/04/01 18:38:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Desktop\Soft Product
[2010/03/31 21:17:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/03/31 20:41:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/03/31 20:08:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/03/31 19:57:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/03/31 18:02:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/03/30 17:39:54 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/03/30 17:39:50 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/03/30 17:39:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/03/30 17:37:38 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/03/30 17:35:45 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/03/18 17:07:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Desktop\New Folder (2)
[2010/03/17 21:53:42 | 000,094,208 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\QuickTimeVR.qtx
[2010/03/17 21:53:42 | 000,069,632 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\QuickTime.qts
[2010/02/12 18:19:45 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/28 14:52:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/02/03 04:50:09 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[1 C:\Documents and Settings\Henry\My Documents\*.tmp files -> C:\Documents and Settings\Henry\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/11 18:46:16 | 004,718,592 | ---- | M] () -- C:\Documents and Settings\Henry\ntuser.dat
[2010/04/11 18:45:47 | 000,023,552 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\C6V4.doc
[2010/04/11 18:33:13 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/11 18:33:09 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/11 18:33:07 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/11 11:02:25 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Henry\Desktop\gmer.zip
[2010/04/11 00:45:02 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Henry\ntuser.ini
[2010/04/11 00:37:23 | 000,020,359 | ---- | M] () -- C:\Documents and Settings\Henry\Desktop\FileLister.zip
[2010/04/10 23:35:11 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/10 22:48:32 | 003,911,676 | R--- | M] () -- C:\Documents and Settings\Henry\Desktop\ComboFix.exe
[2010/04/10 09:28:23 | 000,510,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Henry\Desktop\OTM.exe
[2010/04/09 16:47:16 | 000,004,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdpcdd.sys
[2010/04/09 14:52:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/08 19:17:22 | 000,100,908 | ---- | M] () -- C:\Documents and Settings\Henry\Desktop\SystemLook.exe
[2010/04/08 18:59:52 | 000,070,858 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Henry\Desktop\GooredFix.exe
[2010/04/06 23:57:12 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\Eco Journal.doc
[2010/04/06 23:16:32 | 000,140,343 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\Hot stuff.JPG
[2010/04/06 19:43:17 | 000,012,937 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\C6V3.docx
[2010/04/06 15:39:35 | 000,489,296 | ---- | M] () -- C:\Documents and Settings\Henry\Desktop\HelpAsst_mebroot_fix.exe
[2010/04/06 15:38:47 | 000,096,704 | ---- | M] () -- C:\WINDOWS\System32\6f685ed4.exe
[2010/04/05 23:51:44 | 000,033,792 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\Physics Lab.doc
[2010/04/05 20:53:03 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\French Project.doc
[2010/04/05 18:23:36 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\The Book of Negroes.doc
[2010/04/05 16:26:41 | 000,027,648 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\C6V2.doc
[2010/04/05 11:15:46 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\tsk27.svs
[2010/04/04 23:06:13 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\C6V1.doc
[2010/04/04 22:01:17 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\11th Hour Movie CritiqueHenry Lau.doc
[2010/04/04 20:49:05 | 000,013,676 | -HS- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\VHx0W
[2010/04/04 20:49:05 | 000,013,676 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\VHx0W
[2010/04/04 19:58:05 | 000,056,916 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/04/04 11:10:55 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/03 23:02:21 | 004,839,310 | -H-- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\IconCache.db
[2010/04/03 23:01:25 | 000,422,437 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/04/03 23:00:49 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/04/03 22:18:24 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/03 22:01:29 | 000,000,719 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2010/04/02 16:40:52 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/02 15:53:34 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/02 15:21:18 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/02 15:06:11 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/04/02 15:06:11 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/02 15:06:11 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/02 15:06:11 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/02 15:06:11 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/02 13:12:29 | 000,016,384 | ---- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/02 12:54:11 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rundll32.exe
[2010/04/02 11:27:09 | 000,015,344 | -HS- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\LK2mfPE2j
[2010/04/02 11:27:09 | 000,015,344 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\LK2mfPE2j
[2010/04/02 11:25:03 | 000,182,784 | -HS- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\2927340765.dll
[2010/04/01 22:59:39 | 000,050,376 | ---- | M] (Prevx) -- C:\WINDOWS\System32\drivers\pxrts.sys
[2010/03/31 23:07:29 | 000,030,208 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\Chapter 5 QuestionsHenry Lau.doc
[2010/03/30 17:37:54 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/03/29 16:53:01 | 007,494,865 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\ApprenticeWorkbook.pdf
[2010/03/29 15:24:58 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/29 15:24:46 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/28 15:31:51 | 000,034,816 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\Geometry workbook answers.doc
[2010/03/22 21:38:26 | 000,000,573 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/22 10:43:42 | 000,178,000 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Henry\Desktop\TDSSKiller.exe
[2010/03/21 22:50:37 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\A Green Paradise.doc
[2010/03/21 21:25:09 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\March 21.doc
[2010/03/21 20:19:14 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\C5V4.doc
[2010/03/20 23:14:43 | 000,029,184 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\C5V3.doc
[2010/03/20 20:33:35 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\C5V2.doc
[2010/03/18 22:31:21 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\C5V1.doc
[2010/03/17 21:53:42 | 000,094,208 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\QuickTimeVR.qtx
[2010/03/17 21:53:42 | 000,069,632 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\QuickTime.qts
[2010/03/17 20:29:38 | 002,057,216 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\CNapprenticeship.doc
[2010/03/14 17:15:25 | 000,792,064 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\DONATION LETTER FOR OG.doc
[2010/03/14 10:54:15 | 000,582,084 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/14 10:54:15 | 000,484,370 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/14 10:54:15 | 000,087,162 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[1 C:\Documents and Settings\Henry\My Documents\*.tmp files -> C:\Documents and Settings\Henry\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/11 11:02:25 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Henry\Desktop\gmer.zip
[2010/04/11 00:37:26 | 000,020,359 | ---- | C] () -- C:\Documents and Settings\Henry\Desktop\FileLister.zip
[2010/04/11 00:23:15 | 000,023,552 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\C6V4.doc
[2010/04/10 22:47:54 | 003,911,676 | R--- | C] () -- C:\Documents and Settings\Henry\Desktop\ComboFix.exe
[2010/04/08 19:17:24 | 000,100,908 | ---- | C] () -- C:\Documents and Settings\Henry\Desktop\SystemLook.exe
[2010/04/06 23:57:12 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\Eco Journal.doc
[2010/04/06 19:14:59 | 000,012,937 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\C6V3.docx
[2010/04/06 18:32:44 | 000,140,343 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\Hot stuff.JPG
[2010/04/06 15:38:47 | 000,096,704 | ---- | C] () -- C:\WINDOWS\System32\6f685ed4.exe
[2010/04/05 23:51:44 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\Physics Lab.doc
[2010/04/05 20:53:03 | 000,028,672 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\French Project.doc
[2010/04/05 11:42:42 | 000,027,648 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\C6V2.doc
[2010/04/04 22:10:24 | 000,489,296 | ---- | C] () -- C:\Documents and Settings\Henry\Desktop\HelpAsst_mebroot_fix.exe
[2010/04/04 22:09:07 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\C6V1.doc
[2010/04/04 20:47:10 | 000,013,676 | -HS- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\VHx0W
[2010/04/04 20:47:10 | 000,013,676 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\VHx0W
[2010/04/03 23:00:49 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/04/03 23:00:43 | 000,422,437 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/04/03 22:55:46 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll
[2010/04/03 22:55:46 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2010/04/03 22:01:29 | 000,000,719 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2010/04/02 22:37:00 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\11th Hour Movie CritiqueHenry Lau.doc
[2010/04/02 16:40:52 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/02 15:21:18 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/04/02 15:21:16 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/02 15:17:05 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/02 15:17:05 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/02 15:17:05 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/02 15:17:05 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/02 11:25:03 | 000,182,784 | -HS- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\2927340765.dll
[2010/04/02 11:23:46 | 000,015,344 | -HS- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\LK2mfPE2j
[2010/04/02 11:23:46 | 000,015,344 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\LK2mfPE2j
[2010/03/31 21:03:41 | 000,030,208 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\Chapter 5 QuestionsHenry Lau.doc
[2010/03/30 17:40:31 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/03/30 17:37:54 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/03/29 16:53:01 | 007,494,865 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\ApprenticeWorkbook.pdf
[2010/03/28 18:18:59 | 003,482,145 | ---- | C] () -- C:\Documents and Settings\Henry\Desktop\New Radicals - Someday We'll Know.mp3
[2010/03/28 15:31:50 | 000,034,816 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\Geometry workbook answers.doc
[2010/03/21 22:50:37 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\A Green Paradise.doc
[2010/03/21 21:25:08 | 000,023,040 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\March 21.doc
[2010/03/21 20:17:13 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\C5V4.doc
[2010/03/20 23:14:43 | 000,029,184 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\C5V3.doc
[2010/03/20 16:36:49 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\C5V2.doc
[2010/03/18 22:31:20 | 000,025,600 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\C5V1.doc
[2010/03/17 20:29:37 | 002,057,216 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\CNapprenticeship.doc
[2010/03/14 16:57:36 | 000,792,064 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\DONATION LETTER FOR OG.doc
[2010/02/21 22:53:25 | 000,000,327 | ---- | C] () -- C:\Documents and Settings\Henry\mbr.log
[2010/02/21 22:10:25 | 000,000,048 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/02/01 14:12:31 | 000,012,686 | -HS- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\u1ly73
[2009/12/15 17:13:21 | 000,012,098 | ---- | C] () -- C:\Documents and Settings\Henry\hs_err_pid3928.log
[2009/12/11 02:37:56 | 000,536,576 | ---- | C] () -- C:\WINDOWS\System32\crash_report.dll
[2009/09/22 10:57:45 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/22 22:33:01 | 004,718,592 | ---- | C] () -- C:\Documents and Settings\Henry\ntuser.dat
[2009/08/22 20:45:40 | 000,000,075 | ---- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\FASTWiz.log
[2009/08/22 18:49:27 | 000,016,384 | ---- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/21 21:13:00 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Henry\ntuser.dat.LOG
[2009/08/21 21:13:00 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Henry\ntuser.ini
[2009/08/21 21:12:49 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2009/08/21 21:12:49 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2009/08/19 18:23:26 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/02/03 05:13:31 | 000,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys
[2009/02/03 05:09:03 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4864.dll
[2009/01/21 11:53:37 | 000,001,466 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[1996/04/03 12:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Custom Scans ==========



< MD5 for: RDPCDD.SYS >
[2010/04/09 16:47:16 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=4912D5B403614CE99C28420F75353332 -- C:\WINDOWS\system32\dllcache\rdpcdd.sys
[2010/04/09 16:47:16 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=4912D5B403614CE99C28420F75353332 -- C:\WINDOWS\system32\drivers\rdpcdd.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8C35AEA7
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >
  • 0

#37 emeraldnzl
    GeekU Instructor
  • GeekU Moderator
  • 20,051 posts
Hello Babine,

Please run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    @Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8C35AEA7
    @Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
    @Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    
    :Files
    C:\WINDOWS\system32\drivers\rdpcdd.sys|C:\WINDOWS\system32\dllcache\rdpcdd.sys /replace
    
    :Commands
    [emptyflash]
    [emptytemp]
    [resethosts]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.

  • 0

#38 Babine
    Member
  • Topic Starter
  • Member
  • 58 posts
All processes killed
========== OTL ==========
ADS C:\Documents and Settings\All Users\Application Data\TEMP:8C35AEA7 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
========== FILES ==========
File C:\WINDOWS\system32\drivers\rdpcdd.sys successfully replaced with C:\WINDOWS\system32\dllcache\rdpcdd.sys
========== COMMANDS ==========

[EMPTYFLASH]

User: All Users

User: Default User

User: Henry
->Flash cache emptied: 3490 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 1853 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Henry
->Temp folder emptied: 929405 bytes
->Temporary Internet Files folder emptied: 33218 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 73743110 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 81920 bytes
->Temporary Internet Files folder emptied: 3984952 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 81920 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 11962 bytes

Total Files Cleaned = 75.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.1.0 log created on 04112010_190554

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_6c4.dat not found!

Registry entries deleted on Reboot...
  • 0

#39 emeraldnzl
    GeekU Instructor
  • GeekU Moderator
  • 20,051 posts
Hello Babine,

There are at least two different versions of this variant... maybe more. In one version it can be cured by doing what we have just done. In another it is much harder. We don't know until we test things which we have.

What I need you to do now is attempt to run ComboFix again. Also tell me if there has been any change with the redirects.

Now

Please delete your version of ComboFix, including the folders C:\Qoobox and C:\Combofix, and download a new version of Combofix.

Download ComboFix from one of these locations:

Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#40 Babine
    Member
  • Topic Starter
  • Member
  • 58 posts
Hello emeraldnzl,

Before I run Combofix again, I would like to tell you that the redirects are no longer taking place! Thank you so much for your help so far.
  • 0

#41 emeraldnzl
    GeekU Instructor
  • GeekU Moderator
  • 20,051 posts
Outstanding. :)

Let's just make sure though, might be some corruption left behind. :)

That is... give the ComboFix one a try.

Edited by emeraldnzl, 11 April 2010 - 08:54 PM.
To add the combofix instruction

  • 0

#42 Babine
    Member
  • Topic Starter
  • Member
  • 58 posts
It appears you were right to be cautious, as the ComboFix doesn't fully run because when the scan begins, the computer restarts.

As well, typing 'windows update' together still seems to be forbidden, as I still get "Page cannot be displayed".

Edited by Babine, 11 April 2010 - 09:31 PM.

  • 0

#43 emeraldnzl
    GeekU Instructor
  • GeekU Moderator
  • 20,051 posts
Hello Babine,

These instructions assume that when you first used ComboFix the Recovery Console was installed on your machine. If you find it is not, then tell me, and also tell me if you have your computer's Windows CD.

For this fix we need to run a batch script.
  • Copy the following into Notepad (you can open Notepad by going to Start > Run, typing notepad and hitting Enter)

    @Echo Off
    copy /y C:\WINDOWS\system32\dllcache\rdpcdd.sys c:\
    del %0

  • Click File, then Save As...
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.bat.
  • Hit OK.
Double click on fix.bat to run it. If you are using Windows Vista, right-click and Run As Administrator...

A Black DOS window shall appear and then disappear. This is normal. The .bat file will self delete upon completion of copying a file.

The above script was written specifically for this infection on this person's computer. It should NOT be used on another computer, as it may cause serious damage, leaving the computer unusable.

Check that there is now a file called: rdpcdd.sys in the root of your C:\ drive. If so, please continue with the instructions below, if not, tell me.

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which Operating System to start.

Posted Image

3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
5. At the C:\Windows prompt, type the following bolded entries, and press 'Enter' (note the spaces):

cd C:\WINDOWS\system32\drivers
ren rdpcdd.sys rdpcdd.old
copy c:\rdpcdd.sys c:\windows\system32\drivers


You should see a message '1 file copied' after inputting the last line. If you did not see that message, try again and ensure there is a space after the word copy and another space between the file paths. If asked to overwrite the file, please allow it.

Note: For Vista/Win7 use an elevated command window, and you need only type fix.bat in the RE after getting to a c:\windows> (or d:\windows> - whichever is applicable) prompt.

Type exit and press 'Enter'. Your computer should reboot.

After that see if you can run ComboFix.
  • 0
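As an added example (not OTL's code and not anything the helper posted), a small Python triage script for the OTL log above and for the rdpcdd.sys replacement procedure: it parses the OTL entry format, flags entries worth a second look under two heuristics that are this example's own assumptions rather than rules from the thread, and reports when the "< MD5 for: >" custom-scan lines for a driver disagree between the live copy and the dllcache copy, which is the condition the /replace fix and the Recovery Console copy are meant to cure. The sample log is built from lines of the log above plus one constructed variant with a placeholder hash.

```python
"""OTL log triage (added example; not OTL's or the thread helper's code)."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# Entry format used in the log above:
#   [YYYY/MM/DD HH:MM:SS | size | attrs | C|M] (Company) -- path
# The "< MD5 for: NAME >" custom scan inserts "MD5=<hex>" before the path.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\))?\s*"
    r"(?:MD5=(?P<md5>[0-9A-Fa-f]{32}))?\s*-- (?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys")


@dataclass
class Entry:
    ts: str
    size: int
    attrs: str        # R/H/S/D flags, "-" where unset
    kind: str         # C = created list, M = modified list
    company: str      # "" when OTL printed "()" or nothing at all
    md5: str | None
    path: str


def parse_otl(text: str) -> list[Entry]:
    """One Entry per line in OTL entry format; section headers etc. are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(
                m["ts"], int(m["size"].replace(",", "")), m["attrs"], m["kind"],
                (m["company"] or "").strip(),
                m["md5"].upper() if m["md5"] else None, m["path"].strip()))
    return entries


def review_candidates(entries: list[Entry]) -> list[str]:
    """Paths worth a manual look. Heuristics chosen for this example, not verdicts:
    (A) hidden+system file, no publisher, under an Application Data folder;
    (B) .exe/.dll/.sys under System32 with no publisher string.
    Legitimate files can match either rule."""
    flagged = set()
    for e in entries:
        if "D" in e.attrs or e.company:
            continue
        low = e.path.lower()
        hidden_system = "H" in e.attrs and "S" in e.attrs
        if hidden_system and "\\application data\\" in low:
            flagged.add(e.path)
        elif "\\windows\\system32\\" in low and low.endswith(EXEC_EXT):
            flagged.add(e.path)
    return sorted(flagged)


def md5_disagreements(entries: list[Entry]) -> dict[str, set[str]]:
    """File names whose MD5 custom-scan lines disagree between copies, e.g.
    System32\\drivers vs dllcache: the condition the '/replace' fix and the
    Recovery Console copy above are meant to cure."""
    by_name: dict[str, set[str]] = defaultdict(set)
    for e in entries:
        if e.md5:
            by_name[e.path.rsplit("\\", 1)[-1].lower()].add(e.md5)
    return {n: h for n, h in by_name.items() if len(h) > 1}


# Constructed sample: lines taken from the OTL log posted above.
SAMPLE_LOG = r"""
[2010/04/04 20:49:05 | 000,013,676 | -HS- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\VHx0W
[2010/04/02 11:25:03 | 000,182,784 | -HS- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\2927340765.dll
[2010/04/11 00:45:02 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Henry\ntuser.ini
[2010/04/06 15:38:47 | 000,096,704 | ---- | M] () -- C:\WINDOWS\System32\6f685ed4.exe
[2010/04/04 11:10:46 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/04 11:10:44 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/04/09 16:47:16 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=4912D5B403614CE99C28420F75353332 -- C:\WINDOWS\system32\dllcache\rdpcdd.sys
[2010/04/09 16:47:16 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=4912D5B403614CE99C28420F75353332 -- C:\WINDOWS\system32\drivers\rdpcdd.sys
< End of report >
"""
# Constructed: the same log as it would read if the live driver copy were patched;
# the all-zero MD5 is a placeholder, not a real hash.
MISMATCH_LOG = SAMPLE_LOG.replace(
    "4912D5B403614CE99C28420F75353332 -- C:\\WINDOWS\\system32\\drivers",
    "00000000000000000000000000000000 -- C:\\WINDOWS\\system32\\drivers")

if __name__ == "__main__":
    entries = parse_otl(SAMPLE_LOG)
    for path in review_candidates(entries):
        print("review:", path)
    print("clean log disagreements:", md5_disagreements(entries))
    print("patched log disagreements:", md5_disagreements(parse_otl(MISMATCH_LOG)))
```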

#44 Babine
    Member
  • Topic Starter
  • Member
  • 58 posts
I believe the Recovery Console was installed via ComboFix. And I don't believe I have my Windows CD anymore. Should I follow your instructions still?
  • 0

#45 emeraldnzl
    GeekU Instructor
  • GeekU Moderator
  • 20,051 posts
Yes, having the Recovery Console installed by ComboFix is exactly right. :)

It is for instances just like this that ComboFix does that.
  • 0
