Windows 2000 Server Google Redirect Bug



#1 KevinMajere (Member, 13 posts)
My first post here, so bear with me!

I work IT in a small business. Our network is a total of 7 computers that log into our server, a Dell PowerEdge 2600 with a RAID config running Windows 2000 Server. Lately, all computers that use Google for a search engine are getting redirected to sites that are in no way related to what they were searching for. Microsoft downloads no longer function unless connected through a proxy. Popular anti-virus sites are accessible, but their available downloads are not. I have tried to follow a few guides, but ComboFix says it's not compatible with Windows 2000 Server.

I've been here since 2 am of last night, isolating all the computers from the server, formatting them, and reinstalling their OS. I would do that to the server, but the settings are way beyond my skills to reinstall everything.

Now an interesting note: I pinged an antivirus site... and got a return of my local host?? I have also run the ESET online scanner and the MWAB virus scanner. Nothing. Here is my HijackThis log, let me know if you need anything else... I'm running on E at the moment and drinking coffee to stay awake! Help!

--------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:27:39 PM, on 5/8/2010
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\ntfrs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [*GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" Start=logon
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6087.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1268936622546
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset...lineScanner.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DLM Control) - http://dlm.tools.aka...vex-2.2.3.2.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = freedomlawns.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{27F76259-1E11-488B-9899-AABA28B2A05B}: NameServer = 192.168.10.1,192.168.10.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = freedomlawns.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = freedomlawns.local
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
--
End of file - 4318 bytes

If you need anything more from me, I will be monitoring this thread very closely!
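A defender-side triage check for the redirect symptoms described in this post (a security vendor's site pinging back as localhost, downloads only working through a proxy), applied to the kinds of lines HijackThis and OTL print later in this thread. This is an added example, not code from the thread or from either tool. The log lines it scans are constructed to resemble the thread's O1 (hosts), IE proxy and O17 (NameServer) entries; the 192.168.10.0/24 LAN range and the watch-list of vendor domains are assumptions, and the 203.0.113.x addresses are documentation placeholders, not values from the thread.

```python
import ipaddress
import re

# Assumption: the internal resolvers live on this LAN (the thread's O17 line
# lists 192.168.10.1 and 192.168.10.5); any other resolver is worth a look.
LAN = ipaddress.ip_network("192.168.10.0/24")

# Assumption: illustrative watch-list. An operator supplies their own list of
# update and security-vendor domains that should never resolve to loopback.
WATCHED_SUFFIXES = ("microsoft.com", "eset.com", "malwarebytes.org", "sophos.com")

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r'"(ProxyEnable|ProxyServer|ProxyOverride)"\s*=\s*(.+)$')
DNS_RE = re.compile(r"NameServer\s*=\s*([\d.,\s]+)$")

# Constructed sample, modelled on the line formats in the thread's logs.
# 203.0.113.x is a documentation range used here purely as a placeholder.
SAMPLE_LOG = r'''
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 203.0.113.5:80
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 ad.a8.net
O1 - Hosts: 127.0.0.1 update.microsoft.com
O1 - Hosts: 16040 more lines...
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 192.168.10.1,192.168.10.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{GUID}: NameServer = 192.168.10.1,203.0.113.53
'''


def _is_watched(host):
    """True when host is, or is under, one of the watched vendor domains."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def _outside_lan(addr_text):
    """True when addr_text is not an address inside LAN; hostnames count as outside."""
    try:
        return ipaddress.ip_address(addr_text) not in LAN
    except ValueError:
        return True


def triage(log_text):
    """Scan OTL/HijackThis-style lines and return (severity, finding) tuples."""
    findings = []
    proxy = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            try:
                ipaddress.ip_address(ip)  # skips OTL's "16040 more lines..." summary
            except ValueError:
                continue
            # Bulk ad-block hosts lists pin thousands of ad domains to loopback
            # legitimately, so only watched names are reported, not every entry.
            if host.lower() != "localhost" and _is_watched(host):
                findings.append(("high", f"hosts file pins {host} to {ip}"))
            continue
        m = PROXY_RE.search(line)
        if m:
            proxy[m.group(1)] = m.group(2).strip()
            continue
        m = DNS_RE.search(line)
        if m:
            for server in m.group(1).replace(" ", "").split(","):
                if server and _outside_lan(server):
                    findings.append(("high", f"DNS server {server} is outside the LAN"))
    # A proxy that is switched on and points off the LAN explains both the
    # redirects and the "downloads only work through a proxy" symptom.
    if proxy.get("ProxyEnable") == "1" and "ProxyServer" in proxy:
        server = proxy["ProxyServer"]
        if _outside_lan(server.rsplit(":", 1)[0]):
            findings.append(("medium", f"browser proxy enabled and pointing at {server}"))
    return findings


if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_LOG):
        print(f"[{severity}] {finding}")
```

The hosts-file check deliberately reports only watched names: a blocklist such as the one in the OTL log below maps thousands of ad and tracking domains to 127.0.0.1 on purpose, so the raw number of O1 entries is not a signal by itself, whereas a vendor update site pinned to loopback matches exactly the "pinged an antivirus site and got localhost" symptom. The proxy and NameServer checks cover the two other ways a machine on an otherwise clean network ends up somewhere it did not ask to go.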


#2 RKinner (Malware Expert, MVP, 24,624 posts)
I'm not sure how many of our tools will work on Win2K, but I know OTL will, so run step 5 of

http://www.geekstogo...uide-t2852.html

and post the logs you get (copy and paste).

Also download mbr.exe from

http://www2.gmer.net/mbr/mbr.exe

and save it to your desktop.

Then run it. It should create a log file on your desktop. Open it, copy the text, and paste it into a reply.

Ron

#3 KevinMajere (Topic Starter, Member, 13 posts)
Thanks for getting back to me, here is the OTL.txt log:

OTL logfile created on: 5/8/2010 7:04:05 PM - Run 3
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\adminbsb\Desktop
Windows 2000 Standard Edition Service Pack 4 (Version = 5.0.2195) - Type = NTDomainController
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 88.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 68.23 Gb Total Space | 40.30 Gb Free Space | 59.06% Space Free | Partition Type: NTFS
Drive D: | 68.23 Gb Total Space | 64.65 Gb Free Space | 94.75% Space Free | Partition Type: NTFS
Drive E: | 136.73 Gb Total Space | 65.07 Gb Free Space | 47.59% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 298.09 Gb Total Space | 297.81 Gb Free Space | 99.91% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FLAWNS
Current User Name: adminbsb
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/08 11:53:34 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\adminbsb\Desktop\OTL.exe
PRC - [2010/05/06 17:04:56 | 002,017,280 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/12/15 18:12:58 | 001,955,184 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2tray.exe
PRC - [2009/12/15 18:12:56 | 000,557,424 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe
PRC - [2009/12/15 18:12:54 | 001,465,712 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2printh.exe
PRC - [2009/12/15 18:12:52 | 001,535,344 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2mainh.exe
PRC - [2009/12/15 18:12:52 | 000,574,832 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2pre.exe
PRC - [2009/12/15 18:12:50 | 001,715,056 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2host.exe
PRC - [2009/12/15 18:12:46 | 000,564,592 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2audioh.exe
PRC - [2009/12/15 18:12:44 | 001,089,392 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2comm.exe
PRC - [2009/09/15 13:50:06 | 000,087,312 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\LLSSRV.EXE
PRC - [2009/06/18 12:56:25 | 000,433,192 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Rootkit\sargui.exe
PRC - [2009/02/13 06:54:30 | 000,335,120 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\DNS.EXE
PRC - [2007/09/05 10:53:48 | 000,020,480 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2005/11/16 11:00:00 | 000,122,880 | ---- | M] (WinZip Computing LP) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2004/09/07 11:59:06 | 000,122,128 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\mstask.exe
PRC - [2003/06/19 15:05:04 | 000,745,232 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\ntfrs.exe
PRC - [2003/06/19 15:05:04 | 000,243,472 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
PRC - [2003/06/19 15:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wbem\WinMgmt.exe
PRC - [2003/06/19 15:05:04 | 000,090,896 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\dfssvc.exe
PRC - [2003/06/19 15:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\regsvc.exe
PRC - [2003/06/19 15:05:04 | 000,025,872 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\ismserv.exe
PRC - [2003/06/19 15:05:04 | 000,014,608 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\inetsrv\inetinfo.exe
PRC - [2002/07/24 08:00:00 | 000,025,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\tcpsvcs.exe


========== Modules (SafeList) ==========

MOD - [2010/05/08 11:53:34 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\adminbsb\Desktop\OTL.exe
MOD - [2003/06/19 15:05:04 | 000,106,547 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\msscript.ocx
MOD - [2003/06/19 15:05:04 | 000,010,000 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\lz32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/12/15 18:12:56 | 000,557,424 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [Auto | Running] -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe -- (GoToMyPC)
SRV - [2009/09/15 13:50:06 | 000,087,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\LLSSRV.EXE -- (LicenseService)
SRV - [2009/02/13 06:54:30 | 000,335,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\DNS.EXE -- (DNS)
SRV - [2007/09/05 10:53:48 | 000,020,480 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2007/05/24 08:08:44 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2004/09/07 11:59:06 | 000,122,128 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\mstask.exe -- (Schedule)
SRV - [2003/06/19 15:05:04 | 000,745,232 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\ntfrs.exe -- (NtFrs)
SRV - [2003/06/19 15:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\wbem\WinMgmt.exe -- (WinMgmt)
SRV - [2003/06/19 15:05:04 | 000,147,728 | ---- | M] (VERITAS Software Corp.) [On_Demand | Stopped] -- C:\WINNT\System32\dmadmin.exe -- (dmadmin)
SRV - [2003/06/19 15:05:04 | 000,142,608 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINNT\system32\termsrv.exe -- (TermService)
SRV - [2003/06/19 15:05:04 | 000,094,992 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\FAXSVC.EXE -- (Fax)
SRV - [2003/06/19 15:05:04 | 000,090,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\dfssvc.exe -- (Dfs)
SRV - [2003/06/19 15:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\regsvc.exe -- (RemoteRegistry)
SRV - [2003/06/19 15:05:04 | 000,025,872 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\ismserv.exe -- (IsmServ)
SRV - [2003/06/19 15:05:04 | 000,022,800 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\utilman.exe -- (UtilMan)
SRV - [2003/06/19 15:05:04 | 000,014,608 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2003/06/19 15:05:04 | 000,014,608 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transport Protocol (SMTP)
SRV - [2003/06/19 15:05:04 | 000,014,608 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2002/07/24 08:00:00 | 000,025,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\tcpsvcs.exe -- (DHCPServer)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (MEMSWEEP2)
DRV - [2010/05/06 17:10:20 | 000,068,168 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 11:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2006/04/27 17:25:26 | 000,158,208 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\e1000nt5.sys -- (E1000) Intel®
DRV - [2004/07/22 10:11:26 | 000,023,936 | ---- | M] (LSI Logic Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\drivers\mraid2k.sys -- (mraid2k)
DRV - [2003/11/20 13:03:06 | 000,009,728 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\QntmDLT.sys -- (QntmDLT)
DRV - [2003/06/19 15:05:04 | 000,369,104 | ---- | M] (VERITAS Software Corp.) [Kernel | Disabled | Stopped] -- C:\WINNT\system32\drivers\dmboot.sys -- (dmboot)
DRV - [2003/06/19 15:05:04 | 000,137,936 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmio.sys -- (dmio)
DRV - [2003/06/19 15:05:04 | 000,074,448 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINNT\system32\drivers\Dfs.sys -- (DfsDriver)
DRV - [2003/06/19 15:05:04 | 000,060,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\parallel.sys -- (Parallel)
DRV - [2003/06/19 15:05:04 | 000,032,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\uhcd.sys -- (uhcd)
DRV - [2003/06/19 15:05:04 | 000,027,440 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINNT\system32\drivers\efs.sys -- (EFS)
DRV - [2003/06/19 15:05:04 | 000,020,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\tdipx.sys -- (TDIPX)
DRV - [2003/06/19 15:05:04 | 000,018,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\tdnetb.sys -- (TDNETB)
DRV - [2003/06/19 15:05:04 | 000,018,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\tdspx.sys -- (TDSPX)
DRV - [2003/06/19 15:05:04 | 000,012,664 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\tdasync.sys -- (TDASYNC)
DRV - [2003/06/19 15:05:04 | 000,007,728 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\drivers\diskperf.sys -- (Diskperf)
DRV - [2003/06/19 15:05:04 | 000,007,312 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmload.sys -- (dmload)
DRV - [2002/08/14 16:03:36 | 000,017,005 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2002/07/24 08:00:00 | 000,021,712 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\rca.sys -- (RCA)
DRV - [2002/07/24 08:00:00 | 000,012,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\System32\drivers\spud.sys -- (spud)
DRV - [2002/07/24 08:00:00 | 000,009,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\netdtect.sys -- (NetDetect)
DRV - [2000/06/09 08:20:20 | 000,006,961 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\bnchtape.sys -- (bnchtape)
DRV - [1999/11/10 11:34:08 | 000,071,632 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\atimpab.sys -- (atirage3)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 74.115.1.13:80



O1 HOSTS File: ([2010/05/04 14:31:04 | 000,607,013 | ---- | M]) - C:\WINNT\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 fr.a2dfp.net
O1 - Hosts: 127.0.0.1 m.fr.a2dfp.net
O1 - Hosts: 127.0.0.1 ad.a8.net
O1 - Hosts: 127.0.0.1 asy.a8ww.net
O1 - Hosts: 127.0.0.1 adserver.abv.bg
O1 - Hosts: 127.0.0.1 adv.abv.bg
O1 - Hosts: 127.0.0.1 bimg.abv.bg
O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua
O1 - Hosts: 127.0.0.1 track.acclaimnetwork.com
O1 - Hosts: 127.0.0.1 accuserveadsystem.com
O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com
O1 - Hosts: 127.0.0.1 achmedia.com
O1 - Hosts: 127.0.0.1 aconti.net
O1 - Hosts: 127.0.0.1 secure.aconti.net
O1 - Hosts: 127.0.0.1 www.aconti.net #[Dialer.Aconti]
O1 - Hosts: 127.0.0.1 ads.active.com
O1 - Hosts: 127.0.0.1 am1.activemeter.com
O1 - Hosts: 127.0.0.1 www.activemeter.com #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 ads.activepower.net
O1 - Hosts: 127.0.0.1 stat.active24stats.nl #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 ad2games.com
O1 - Hosts: 127.0.0.1 cms.ad2click.nl
O1 - Hosts: 127.0.0.1 ads.ad2games.com
O1 - Hosts: 127.0.0.1 content.ad20.net
O1 - Hosts: 16040 more lines...
O3 - HKLM\..\Toolbar: (@msdxmLC.dll,-1@1033,&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx ()
O4 - HKLM..\Run: [*GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe (Citrix Online, a division of Citrix Systems, Inc.)
O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing LP)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\RNR20.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell....iler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Reg Error: Key error.)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1268936622546 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} http://dlm.tools.aka...vex-2.2.3.2.cab (DLM Control)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = freedomlawns.local
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O18 - Protocol\Filter\application/octet-stream - No CLSID value found
O18 - Protocol\Filter\application/x-complus - No CLSID value found
O18 - Protocol\Filter\application/x-msdownload - No CLSID value found
O18 - Protocol\Filter\Class Install Handler - No CLSID value found
O18 - Protocol\Filter\deflate - No CLSID value found
O18 - Protocol\Filter\gzip - No CLSID value found
O18 - Protocol\Filter\lzdhtml - No CLSID value found
O18 - Protocol\Filter\text/webviewhtml - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
O24 - Desktop BackupWallPaper:
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINNT\System32\pwdssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/01/14 00:45:17 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/08 16:11:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\My Documents\hosts
[2010/05/08 15:52:25 | 000,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2010/05/08 15:19:32 | 000,000,000 | -H-D | C] -- C:\Program Files\InstallShield Installation Information
[2010/05/08 15:19:32 | 000,000,000 | ---D | C] -- C:\Program Files\Citrix
[2010/05/08 15:19:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield
[2010/05/08 12:06:48 | 000,000,000 | ---D | C] -- C:\Program Files\Softwin
[2010/05/08 12:06:27 | 000,465,000 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\adminbsb\Desktop\bitdefender_antirootkit-beta2.exe
[2010/05/08 11:53:31 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\adminbsb\Desktop\OTL.exe
[2010/05/08 10:17:02 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2010/05/08 10:16:59 | 000,019,288 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2010/05/08 10:16:18 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/05/08 09:27:26 | 000,264,704 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\adminbsb\Desktop\TFC.exe
[2010/05/08 09:09:01 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/05/08 09:09:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/05/08 09:08:57 | 005,937,984 | ---- | C] (SurfRight B.V.) -- C:\Documents and Settings\adminbsb\Desktop\HitmanPro35.exe
[2010/05/08 08:54:45 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\adminbsb\Desktop\ATF-Cleaner.exe
[2010/05/08 08:53:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\Desktop\GooredFix Backups
[2010/05/08 08:52:58 | 000,070,858 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\adminbsb\Desktop\GooredFix.exe
[2010/05/08 08:33:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/05/08 08:30:03 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2010/05/08 08:29:52 | 000,119,808 | ---- | C] (Atribune.org) -- C:\Documents and Settings\adminbsb\Desktop\VundoFix.exe
[2010/05/08 07:41:30 | 125,883,520 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\adminbsb\Desktop\avg_ipw_stf_all_90_819a2842.exe
[2010/05/08 06:51:46 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/05/08 06:20:28 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/05/08 06:16:57 | 000,615,912 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\adminbsb\Desktop\Windows2000-KB921883-x86-ENU.EXE
[2010/05/08 06:16:08 | 000,724,792 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\adminbsb\Desktop\WindowsServer2003-KB921883-v2-x86-ENU.exe
[2010/05/05 12:22:45 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/05/04 11:26:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2010/05/03 19:08:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/05/03 19:07:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\My Documents\Simply Super Software
[2010/05/03 18:45:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\DoctorWeb
[2010/05/03 18:28:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\My Documents\RegRun2
[2010/05/03 18:28:08 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2010/05/03 18:22:27 | 010,859,096 | ---- | C] (Greatis Software, LLC. ) -- C:\Documents and Settings\adminbsb\Desktop\unhackme_setup.exe
[2010/04/29 15:54:56 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/29 15:18:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/04/29 15:18:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\Application Data\SUPERAntiSpyware.com
[2010/04/29 15:18:40 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/29 15:18:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\Application Data\WinRAR
[2010/04/29 15:14:45 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR

========== Files - Modified Within 30 Days ==========

[2010/05/08 19:04:03 | 000,860,160 | ---- | M] () -- C:\Documents and Settings\adminbsb\NTUSER.DAT
[2010/05/08 19:03:54 | 000,076,288 | ---- | M] () -- C:\WINNT\System32\dnsmgmt.msc
[2010/05/08 19:03:40 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\adminbsb\My Documents\mbr.exe
[2010/05/08 19:02:39 | 000,001,980 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\WKSFS.key
[2010/05/08 16:26:43 | 001,339,288 | ---- | M] () -- C:\Documents and Settings\adminbsb\My Documents\sar_15_sfx.exe
[2010/05/08 16:10:22 | 000,149,705 | ---- | M] () -- C:\Documents and Settings\adminbsb\My Documents\hosts.zip
[2010/05/08 16:03:15 | 000,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2010/05/08 15:50:50 | 001,709,408 | ---- | M] () -- C:\Documents and Settings\adminbsb\My Documents\taskmanager17.exe
[2010/05/08 13:35:31 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\adminbsb\ntuser.ini
[2010/05/08 13:35:26 | 000,556,022 | -H-- | M] () -- C:\WINNT\ShellIconCache
[2010/05/08 13:13:28 | 000,065,536 | ---- | M] () -- C:\WINNT\NETLOGON.CHG
[2010/05/08 12:27:34 | 000,002,374 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\HiJackThis.lnk
[2010/05/08 12:09:18 | 000,231,390 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\RootkitRevealer.zip
[2010/05/08 12:06:33 | 000,465,000 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\adminbsb\Desktop\bitdefender_antirootkit-beta2.exe
[2010/05/08 11:53:34 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\adminbsb\Desktop\OTL.exe
[2010/05/08 10:18:32 | 000,000,569 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/08 09:31:18 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\us2ldynb.exe
[2010/05/08 09:27:29 | 000,264,704 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\adminbsb\Desktop\TFC.exe
[2010/05/08 09:18:53 | 000,014,792 | ---- | M] () -- C:\WINNT\System32\drivers\hitmanpro35.sys
[2010/05/08 09:18:37 | 000,001,549 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/05/08 09:18:34 | 005,937,984 | ---- | M] (SurfRight B.V.) -- C:\Documents and Settings\adminbsb\Desktop\HitmanPro35.exe
[2010/05/08 09:03:47 | 000,000,579 | ---- | M] () -- C:\WINNT\System32\drivers\etc\HOSTS.MVP
[2010/05/08 08:54:45 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\adminbsb\Desktop\ATF-Cleaner.exe
[2010/05/08 08:52:59 | 000,070,858 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\adminbsb\Desktop\GooredFix.exe
[2010/05/08 08:43:16 | 000,004,958 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/05/08 08:33:17 | 000,000,659 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/08 08:33:04 | 008,206,880 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\SUPERAntiSpyware.exe
[2010/05/08 08:29:53 | 000,119,808 | ---- | M] (Atribune.org) -- C:\Documents and Settings\adminbsb\Desktop\VundoFix.exe
[2010/05/08 07:41:30 | 125,883,520 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\adminbsb\Desktop\avg_ipw_stf_all_90_819a2842.exe
[2010/05/08 06:56:21 | 000,070,144 | ---- | M] () -- C:\WINNT\System32\dompol.msc
[2010/05/08 06:20:28 | 000,002,839 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\Sophos confic-a Cleanup Tool.lnk
[2010/05/08 06:20:20 | 003,920,384 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\conficker-removal-tool.msi
[2010/05/08 06:17:03 | 000,615,912 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\adminbsb\Desktop\Windows2000-KB921883-x86-ENU.EXE
[2010/05/08 06:16:15 | 000,724,792 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\adminbsb\Desktop\WindowsServer2003-KB921883-v2-x86-ENU.exe
[2010/05/08 06:00:21 | 000,066,048 | ---- | M] () -- C:\WINNT\System32\rrasmgmt.msc
[2010/05/08 05:57:54 | 000,066,048 | ---- | M] () -- C:\WINNT\System32\dhcpmgmt.msc
[2010/05/08 05:47:13 | 000,000,380 | ---- | M] () -- C:\Documents and Settings\adminbsb\My Documents\backup2010.reg
[2010/05/08 05:35:19 | 003,684,271 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\ComboFix.exe
[2010/05/08 05:33:34 | 000,002,644 | ---- | M] () -- C:\WINNT\imsins.BAK
[2010/05/05 12:22:50 | 000,067,072 | ---- | M] () -- C:\WINNT\System32\dsa.msc
[2010/05/04 14:31:04 | 000,607,013 | ---- | M] () -- C:\WINNT\System32\drivers\etc\HOSTS
[2010/05/04 11:25:25 | 001,709,408 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\taskmanager17.exe
[2010/05/03 19:08:59 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\adminbsb\Local Settings\Application Data\housecall.guid.cache
[2010/05/03 18:28:50 | 000,002,577 | ---- | M] () -- C:\WINNT\System32\CONFIG.NT
[2010/05/03 18:28:50 | 000,000,438 | ---- | M] () -- C:\WINNT\System32\AUTOEXEC.NT
[2010/05/03 18:28:50 | 000,000,002 | RHS- | M] () -- C:\WINNT\winstart.bat
[2010/05/03 18:22:10 | 010,837,867 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\unhackme.zip
[2010/05/03 18:14:42 | 044,089,904 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\tools.exe
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:24 | 000,019,288 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2010/04/29 15:18:15 | 006,574,239 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\SUPERAntiSpyware.rar
[2010/04/15 14:31:10 | 035,552,574 | ---- | M] () -- C:\Documents and Settings\adminbsb\My Documents\backup.reg
[2010/04/15 13:57:21 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_640.dat

========== Files Created - No Company Name ==========

[2010/05/08 19:04:36 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\adminbsb\My Documents\mbr.exe
[2010/05/08 19:02:45 | 000,001,980 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\WKSFS.key
[2010/05/08 16:26:55 | 001,339,288 | ---- | C] () -- C:\Documents and Settings\adminbsb\My Documents\sar_15_sfx.exe
[2010/05/08 16:10:46 | 000,149,705 | ---- | C] () -- C:\Documents and Settings\adminbsb\My Documents\hosts.zip
[2010/05/08 15:51:24 | 001,709,408 | ---- | C] () -- C:\Documents and Settings\adminbsb\My Documents\taskmanager17.exe
[2010/05/08 12:09:16 | 000,231,390 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\RootkitRevealer.zip
[2010/05/08 10:17:04 | 000,000,569 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/08 09:31:15 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\us2ldynb.exe
[2010/05/08 09:18:37 | 000,001,549 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/05/08 09:09:08 | 000,014,792 | ---- | C] () -- C:\WINNT\System32\drivers\hitmanpro35.sys
[2010/05/08 08:33:17 | 000,000,659 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/08 08:33:04 | 008,206,880 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\SUPERAntiSpyware.exe
[2010/05/08 08:21:28 | 000,556,022 | -H-- | C] () -- C:\WINNT\ShellIconCache
[2010/05/08 06:20:28 | 000,002,839 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\Sophos confic-a Cleanup Tool.lnk
[2010/05/08 06:20:20 | 003,920,384 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\conficker-removal-tool.msi
[2010/05/08 05:47:13 | 000,000,380 | ---- | C] () -- C:\Documents and Settings\adminbsb\My Documents\backup2010.reg
[2010/05/08 05:35:19 | 003,684,271 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\ComboFix.exe
[2010/05/05 12:22:45 | 000,002,374 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\HiJackThis.lnk
[2010/05/04 11:25:25 | 001,709,408 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\taskmanager17.exe
[2010/05/03 19:08:59 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\adminbsb\Local Settings\Application Data\housecall.guid.cache
[2010/05/03 18:28:50 | 000,000,002 | RHS- | C] () -- C:\WINNT\winstart.bat
[2010/05/03 18:22:10 | 010,837,867 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\unhackme.zip
[2010/05/03 18:14:42 | 044,089,904 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\tools.exe
[2010/04/29 15:18:15 | 006,574,239 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\SUPERAntiSpyware.rar
[2010/04/15 14:31:06 | 035,552,574 | ---- | C] () -- C:\Documents and Settings\adminbsb\My Documents\backup.reg
[2010/04/15 13:57:21 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_640.dat
[2009/01/05 16:44:10 | 000,000,453 | ---- | C] () -- C:\WINNT\bdoscandellang.in

#4 KevinMajere (Member, Topic Starter, 13 posts)
Also the MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#5 RKinner (Malware Expert, MVP, 24,624 posts)
I don't really see anything. I do see that someone has played with these files:

[2010/05/03 18:28:50 | 000,002,577 | ---- | M] () -- C:\WINNT\System32\CONFIG.NT
[2010/05/03 18:28:50 | 000,000,438 | ---- | M] () -- C:\WINNT\System32\AUTOEXEC.NT
[2010/05/03 18:28:50 | 000,000,002 | RHS- | M] () -- C:\WINNT\winstart.bat

but I think it was one of your tools. Probably UnHackMe.

You can open them with notepad and see what they are trying to do. You are using a proxy server:

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 74.115.1.13:80

I don't know what your network looks like but can you get to the internet without it? It's possible that there is nothing wrong with your server but that the proxy has been compromised.

In IE, Tools, Internet Options, Connections, LAN Settings, then uncheck all boxes and OK. Close IE and restart IE.

Could you try OTL again, but this time copy this script


netsvcs
c:\*.*
c:\winnt\*. /mp /s
c:\winnt\system32\*.dll /lockedfiles
c:\winnt\Tasks\*.job /lockedfiles
c:\winnt\system32\drivers\*.sys /90


and paste it into the custom scan box, then press Quick Scan.


Ron
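
The two redirect mechanisms this thread keeps circling back to, a HOSTS file that pins names (the 16,000-line O1 section in the OTL log, and the AV site that pinged back as localhost) and the IE proxy Ron points at, can both be triaged offline from the log text. The script below is an added example for this page, not code from the thread, from OTL, or from any tool mentioned in it. The WATCH_SUFFIXES list is an editorial assumption about which domains matter for these symptoms, and the lines marked as constructed in SAMPLE_HOSTS are made up for illustration; the other sample lines are copied from the OTL log in this thread.

```python
"""Offline triage of the two redirect mechanisms in this thread: HOSTS-file
pinning and the IE proxy setting that OTL reports. Added example, not OTL code."""
import ipaddress
import re

# Domains whose redirection matches the reported symptoms (search results
# redirected, Microsoft and AV downloads failing). Editorial list, not from the log.
WATCH_SUFFIXES = (
    "google.com", "bing.com", "microsoft.com", "windowsupdate.com",
    "eset.com", "kaspersky.com", "malwarebytes.org", "bitdefender.com",
    "sophos.com", "avg.com", "trendmicro.com", "superantispyware.com",
)
# Addresses an ad-blocking HOSTS file (MVPS style) uses to blackhole names.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

def _watched(hostname):
    h = hostname.lower()
    return any(h == s or h.endswith("." + s) for s in WATCH_SUFFIXES)

def parse_hosts(text):
    """Yield (ip, hostname) per active mapping of '<ip> <host> [<host>...] [# ...]';
    inline tags such as the '#[Tracking.Cookie]' comments in the log are dropped."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue  # blank, comment-only, or no hostname
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first field is not an address
        for host in parts[1:]:
            yield ip, host

def classify_hosts(text):
    """hijack: a watched domain pointed anywhere (loopback makes it unreachable,
    the AV site that 'pings as localhost'; another address is a redirect).
    blackhole: other names sent to loopback, normal ad-blocking content.
    pinned: other names sent to a real address; HOSTS beats DNS for that name."""
    result = {"hijack": [], "blackhole": [], "pinned": []}
    for ip, host in parse_hosts(text):
        if host.lower() == "localhost":
            continue
        if _watched(host):
            result["hijack"].append((host, ip))
        elif ip in BLACKHOLE:
            result["blackhole"].append((host, ip))
        else:
            result["pinned"].append((host, ip))
    return result

# Matches the 'IE - HKCU\...\Internet Settings: "Name" = value' lines OTL prints.
_OTL_IE = re.compile(r'^IE - (?P<key>.+?): "(?P<name>[^"]+)" = (?P<value>.*)$')

def parse_otl_ie_settings(text):
    """Collect the Internet Settings values from OTL log text into a dict."""
    settings = {}
    for line in text.splitlines():
        m = _OTL_IE.match(line.strip())
        if m and m.group("key").endswith("Internet Settings"):
            settings[m.group("name")] = m.group("value").strip()
    return settings

def check_proxy(settings):
    """Describe the proxy IE will use and list any on a public address: every
    plaintext request, AV downloads included, passes through that host."""
    if settings.get("ProxyEnable", "0") != "1":
        return {"enabled": False, "proxies": [], "external": []}
    proxies, external = [], []
    # ProxyServer is 'host:port' or 'http=host:port;https=host:port;...'.
    for item in filter(None, settings.get("ProxyServer", "").split(";")):
        scheme, _, target = item.strip().rpartition("=")
        host, sep, port = target.rpartition(":")
        if not sep:
            host, port = target, ""
        proxies.append((scheme or "all", host, int(port) if port.isdigit() else None))
        try:
            if ipaddress.ip_address(host).is_global:
                external.append(host)
        except ValueError:
            pass  # a hostname, not an address; resolve and judge it separately
    return {"enabled": True, "proxies": proxies, "external": external}

# Sample input: the first O1 lines from the OTL log in this thread, followed by
# constructed lines (marked) showing what a hijack looks like.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 fr.a2dfp.net
127.0.0.1 www.aconti.net #[Dialer.Aconti]
127.0.0.1 www.activemeter.com #[Tracking.Cookie]
# --- constructed lines below, not from the log ---
127.0.0.1 www.eset.com download.eset.com
203.0.113.7 www.google.com
"""
# Sample input: the three IE proxy lines as they appear in the OTL log.
SAMPLE_OTL = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 74.115.1.13:80
"""
```

Feed it the whole C:\WINNT\system32\drivers\etc\HOSTS file and the full OTL log rather than the samples: `classify_hosts(open(path).read())` and `check_proxy(parse_otl_ie_settings(log_text))`. On Windows the resolver consults HOSTS before DNS, so a vendor domain that pings as 127.0.0.1 lands in the `hijack` bucket without any network access; the thousands of ad domains in an MVPS-style file land in `blackhole` and are expected. A proxy that comes back in `external` is not automatically hostile, the check only tells you whose box sees every plaintext request; the question that matters is whether someone on site configured it, which is what Ron is asking.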

#6 KevinMajere (Member, Topic Starter, 13 posts)
Running it now as we speak. I am aware of the proxy; I put it there so I could access ESET online scanner, as well as MS virus detection, and Kaspersky online virus scanner tool. I can remove the proxy, but then I wouldn't be able to download anything anti-virus related.

Here is the log with the script you asked me to run:

OTL logfile created on: 5/8/2010 7:52:51 PM - Run 4
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\adminbsb\Desktop
Windows 2000 Standard Edition Service Pack 4 (Version = 5.0.2195) - Type = NTDomainController
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 88.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 68.23 Gb Total Space | 39.67 Gb Free Space | 58.14% Space Free | Partition Type: NTFS
Drive D: | 68.23 Gb Total Space | 64.65 Gb Free Space | 94.75% Space Free | Partition Type: NTFS
Drive E: | 136.73 Gb Total Space | 65.07 Gb Free Space | 47.59% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 298.09 Gb Total Space | 297.81 Gb Free Space | 99.91% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FLAWNS
Current User Name: adminbsb
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/08 11:53:34 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\adminbsb\Desktop\OTL.exe
PRC - [2010/05/06 17:04:56 | 002,017,280 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/12/15 18:12:58 | 001,955,184 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2tray.exe
PRC - [2009/12/15 18:12:56 | 000,557,424 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe
PRC - [2009/12/15 18:12:54 | 001,465,712 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2printh.exe
PRC - [2009/12/15 18:12:52 | 001,535,344 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2mainh.exe
PRC - [2009/12/15 18:12:52 | 000,574,832 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2pre.exe
PRC - [2009/12/15 18:12:50 | 001,715,056 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2host.exe
PRC - [2009/12/15 18:12:46 | 000,564,592 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2audioh.exe
PRC - [2009/12/15 18:12:44 | 001,089,392 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2comm.exe
PRC - [2009/09/15 13:50:06 | 000,087,312 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\LLSSRV.EXE
PRC - [2009/02/13 06:54:30 | 000,335,120 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\DNS.EXE
PRC - [2007/09/05 10:53:48 | 000,020,480 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2005/11/16 11:00:00 | 000,122,880 | ---- | M] (WinZip Computing LP) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2004/09/07 11:59:06 | 000,122,128 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\mstask.exe
PRC - [2003/06/19 15:05:04 | 000,745,232 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\ntfrs.exe
PRC - [2003/06/19 15:05:04 | 000,243,472 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
PRC - [2003/06/19 15:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wbem\WinMgmt.exe
PRC - [2003/06/19 15:05:04 | 000,090,896 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\dfssvc.exe
PRC - [2003/06/19 15:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\regsvc.exe
PRC - [2003/06/19 15:05:04 | 000,025,872 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\ismserv.exe
PRC - [2003/06/19 15:05:04 | 000,014,608 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\inetsrv\inetinfo.exe
PRC - [2002/07/24 08:00:00 | 000,025,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\tcpsvcs.exe


========== Modules (SafeList) ==========

MOD - [2010/05/08 11:53:34 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\adminbsb\Desktop\OTL.exe
MOD - [2003/06/19 15:05:04 | 000,106,547 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\msscript.ocx
MOD - [2003/06/19 15:05:04 | 000,010,000 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\lz32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/12/15 18:12:56 | 000,557,424 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [Auto | Running] -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe -- (GoToMyPC)
SRV - [2009/09/15 13:50:06 | 000,087,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\LLSSRV.EXE -- (LicenseService)
SRV - [2009/02/13 06:54:30 | 000,335,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\DNS.EXE -- (DNS)
SRV - [2007/09/05 10:53:48 | 000,020,480 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2007/05/24 08:08:44 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2004/09/07 11:59:06 | 000,122,128 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\mstask.exe -- (Schedule)
SRV - [2003/06/19 15:05:04 | 000,745,232 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\ntfrs.exe -- (NtFrs)
SRV - [2003/06/19 15:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\wbem\WinMgmt.exe -- (WinMgmt)
SRV - [2003/06/19 15:05:04 | 000,147,728 | ---- | M] (VERITAS Software Corp.) [On_Demand | Stopped] -- C:\WINNT\System32\dmadmin.exe -- (dmadmin)
SRV - [2003/06/19 15:05:04 | 000,142,608 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINNT\system32\termsrv.exe -- (TermService)
SRV - [2003/06/19 15:05:04 | 000,094,992 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\FAXSVC.EXE -- (Fax)
SRV - [2003/06/19 15:05:04 | 000,090,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\dfssvc.exe -- (Dfs)
SRV - [2003/06/19 15:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\regsvc.exe -- (RemoteRegistry)
SRV - [2003/06/19 15:05:04 | 000,025,872 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\ismserv.exe -- (IsmServ)
SRV - [2003/06/19 15:05:04 | 000,022,800 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\utilman.exe -- (UtilMan)
SRV - [2003/06/19 15:05:04 | 000,014,608 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2003/06/19 15:05:04 | 000,014,608 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transport Protocol (SMTP)
SRV - [2003/06/19 15:05:04 | 000,014,608 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2002/07/24 08:00:00 | 000,025,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\tcpsvcs.exe -- (DHCPServer)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (MEMSWEEP2)
DRV - [2010/05/06 17:10:20 | 000,068,168 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 11:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2006/04/27 17:25:26 | 000,158,208 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\e1000nt5.sys -- (E1000) Intel®
DRV - [2004/07/22 10:11:26 | 000,023,936 | ---- | M] (LSI Logic Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\drivers\mraid2k.sys -- (mraid2k)
DRV - [2003/11/20 13:03:06 | 000,009,728 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\QntmDLT.sys -- (QntmDLT)
DRV - [2003/06/19 15:05:04 | 000,369,104 | ---- | M] (VERITAS Software Corp.) [Kernel | Disabled | Stopped] -- C:\WINNT\system32\drivers\dmboot.sys -- (dmboot)
DRV - [2003/06/19 15:05:04 | 000,137,936 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmio.sys -- (dmio)
DRV - [2003/06/19 15:05:04 | 000,074,448 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINNT\system32\drivers\Dfs.sys -- (DfsDriver)
DRV - [2003/06/19 15:05:04 | 000,060,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\parallel.sys -- (Parallel)
DRV - [2003/06/19 15:05:04 | 000,032,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\uhcd.sys -- (uhcd)
DRV - [2003/06/19 15:05:04 | 000,027,440 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINNT\system32\drivers\efs.sys -- (EFS)
DRV - [2003/06/19 15:05:04 | 000,020,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\tdipx.sys -- (TDIPX)
DRV - [2003/06/19 15:05:04 | 000,018,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\tdnetb.sys -- (TDNETB)
DRV - [2003/06/19 15:05:04 | 000,018,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\tdspx.sys -- (TDSPX)
DRV - [2003/06/19 15:05:04 | 000,012,664 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\tdasync.sys -- (TDASYNC)
DRV - [2003/06/19 15:05:04 | 000,007,728 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\drivers\diskperf.sys -- (Diskperf)
DRV - [2003/06/19 15:05:04 | 000,007,312 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmload.sys -- (dmload)
DRV - [2002/08/14 16:03:36 | 000,017,005 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2002/07/24 08:00:00 | 000,021,712 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\rca.sys -- (RCA)
DRV - [2002/07/24 08:00:00 | 000,012,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\System32\drivers\spud.sys -- (spud)
DRV - [2002/07/24 08:00:00 | 000,009,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\netdtect.sys -- (NetDetect)
DRV - [2000/06/09 08:20:20 | 000,006,961 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\bnchtape.sys -- (bnchtape)
DRV - [1999/11/10 11:34:08 | 000,071,632 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\atimpab.sys -- (atirage3)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 74.115.1.13:80



O1 HOSTS File: ([2010/05/04 14:31:04 | 000,607,013 | ---- | M]) - C:\WINNT\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 fr.a2dfp.net
O1 - Hosts: 127.0.0.1 m.fr.a2dfp.net
O1 - Hosts: 127.0.0.1 ad.a8.net
O1 - Hosts: 127.0.0.1 asy.a8ww.net
O1 - Hosts: 127.0.0.1 adserver.abv.bg
O1 - Hosts: 127.0.0.1 adv.abv.bg
O1 - Hosts: 127.0.0.1 bimg.abv.bg
O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua
O1 - Hosts: 127.0.0.1 track.acclaimnetwork.com
O1 - Hosts: 127.0.0.1 accuserveadsystem.com
O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com
O1 - Hosts: 127.0.0.1 achmedia.com
O1 - Hosts: 127.0.0.1 aconti.net
O1 - Hosts: 127.0.0.1 secure.aconti.net
O1 - Hosts: 127.0.0.1 www.aconti.net #[Dialer.Aconti]
O1 - Hosts: 127.0.0.1 ads.active.com
O1 - Hosts: 127.0.0.1 am1.activemeter.com
O1 - Hosts: 127.0.0.1 www.activemeter.com #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 ads.activepower.net
O1 - Hosts: 127.0.0.1 stat.active24stats.nl #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 ad2games.com
O1 - Hosts: 127.0.0.1 cms.ad2click.nl
O1 - Hosts: 127.0.0.1 ads.ad2games.com
O1 - Hosts: 127.0.0.1 content.ad20.net
O1 - Hosts: 16040 more lines...
O3 - HKLM\..\Toolbar: (@msdxmLC.dll,-1@1033,&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx ()
O4 - HKLM..\Run: [*GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe (Citrix Online, a division of Citrix Systems, Inc.)
O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing LP)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\RNR20.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell....iler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Reg Error: Key error.)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1268936622546 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} http://dlm.tools.aka...vex-2.2.3.2.cab (DLM Control)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = freedomlawns.local
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O18 - Protocol\Filter\application/octet-stream - No CLSID value found
O18 - Protocol\Filter\application/x-complus - No CLSID value found
O18 - Protocol\Filter\application/x-msdownload - No CLSID value found
O18 - Protocol\Filter\Class Install Handler - No CLSID value found
O18 - Protocol\Filter\deflate - No CLSID value found
O18 - Protocol\Filter\gzip - No CLSID value found
O18 - Protocol\Filter\lzdhtml - No CLSID value found
O18 - Protocol\Filter\text/webviewhtml - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
O24 - Desktop BackupWallPaper:
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINNT\System32\pwdssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/01/14 00:45:17 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: Ias - C:\WINNT\system32\ias [2010/05/08 06:00:21 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Nwsapagent - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/05/08 19:52:30 | 344,104,592 | ---- | C] (Kaspersky Lab ) -- C:\Documents and Settings\adminbsb\Desktop\kasp8.0.2090_adminkiten.exe
[2010/05/08 16:11:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\My Documents\hosts
[2010/05/08 15:52:25 | 000,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2010/05/08 15:19:32 | 000,000,000 | -H-D | C] -- C:\Program Files\InstallShield Installation Information
[2010/05/08 15:19:32 | 000,000,000 | ---D | C] -- C:\Program Files\Citrix
[2010/05/08 15:19:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield
[2010/05/08 12:06:48 | 000,000,000 | ---D | C] -- C:\Program Files\Softwin
[2010/05/08 12:06:27 | 000,465,000 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\adminbsb\Desktop\bitdefender_antirootkit-beta2.exe
[2010/05/08 11:53:31 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\adminbsb\Desktop\OTL.exe
[2010/05/08 10:17:02 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2010/05/08 10:16:59 | 000,019,288 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2010/05/08 10:16:18 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/05/08 09:27:26 | 000,264,704 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\adminbsb\Desktop\TFC.exe
[2010/05/08 09:09:01 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/05/08 09:09:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/05/08 09:08:57 | 005,937,984 | ---- | C] (SurfRight B.V.) -- C:\Documents and Settings\adminbsb\Desktop\HitmanPro35.exe
[2010/05/08 08:54:45 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\adminbsb\Desktop\ATF-Cleaner.exe
[2010/05/08 08:53:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\Desktop\GooredFix Backups
[2010/05/08 08:52:58 | 000,070,858 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\adminbsb\Desktop\GooredFix.exe
[2010/05/08 08:33:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/05/08 08:30:03 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2010/05/08 08:29:52 | 000,119,808 | ---- | C] (Atribune.org) -- C:\Documents and Settings\adminbsb\Desktop\VundoFix.exe
[2010/05/08 07:41:30 | 125,883,520 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\adminbsb\Desktop\avg_ipw_stf_all_90_819a2842.exe
[2010/05/08 06:51:46 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/05/08 06:20:28 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/05/08 06:16:57 | 000,615,912 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\adminbsb\Desktop\Windows2000-KB921883-x86-ENU.EXE
[2010/05/08 06:16:08 | 000,724,792 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\adminbsb\Desktop\WindowsServer2003-KB921883-v2-x86-ENU.exe
[2010/05/05 12:22:45 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/05/04 11:26:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2010/05/03 19:08:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/05/03 19:07:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\My Documents\Simply Super Software
[2010/05/03 18:45:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\DoctorWeb
[2010/05/03 18:28:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\My Documents\RegRun2
[2010/05/03 18:28:08 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2010/05/03 18:22:27 | 010,859,096 | ---- | C] (Greatis Software, LLC. ) -- C:\Documents and Settings\adminbsb\Desktop\unhackme_setup.exe
[2010/04/29 15:54:56 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/29 15:18:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/04/29 15:18:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\Application Data\SUPERAntiSpyware.com
[2010/04/29 15:18:40 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/29 15:18:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\Application Data\WinRAR
[2010/04/29 15:14:45 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR

========== Files - Modified Within 30 Days ==========

[2010/05/08 19:52:30 | 344,104,592 | ---- | M] (Kaspersky Lab ) -- C:\Documents and Settings\adminbsb\Desktop\kasp8.0.2090_adminkiten.exe
[2010/05/08 19:52:20 | 000,860,160 | ---- | M] () -- C:\Documents and Settings\adminbsb\NTUSER.DAT
[2010/05/08 19:03:54 | 000,076,288 | ---- | M] () -- C:\WINNT\System32\dnsmgmt.msc
[2010/05/08 19:03:40 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\adminbsb\My Documents\mbr.exe
[2010/05/08 19:02:39 | 000,001,980 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\WKSFS.key
[2010/05/08 16:26:43 | 001,339,288 | ---- | M] () -- C:\Documents and Settings\adminbsb\My Documents\sar_15_sfx.exe
[2010/05/08 16:10:22 | 000,149,705 | ---- | M] () -- C:\Documents and Settings\adminbsb\My Documents\hosts.zip
[2010/05/08 16:03:15 | 000,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2010/05/08 15:50:50 | 001,709,408 | ---- | M] () -- C:\Documents and Settings\adminbsb\My Documents\taskmanager17.exe
[2010/05/08 13:35:31 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\adminbsb\ntuser.ini
[2010/05/08 13:35:26 | 000,556,022 | -H-- | M] () -- C:\WINNT\ShellIconCache
[2010/05/08 13:13:28 | 000,065,536 | ---- | M] () -- C:\WINNT\NETLOGON.CHG
[2010/05/08 12:27:34 | 000,002,374 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\HiJackThis.lnk
[2010/05/08 12:09:18 | 000,231,390 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\RootkitRevealer.zip
[2010/05/08 12:06:33 | 000,465,000 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\adminbsb\Desktop\bitdefender_antirootkit-beta2.exe
[2010/05/08 11:53:34 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\adminbsb\Desktop\OTL.exe
[2010/05/08 10:18:32 | 000,000,569 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/08 09:31:18 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\us2ldynb.exe
[2010/05/08 09:27:29 | 000,264,704 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\adminbsb\Desktop\TFC.exe
[2010/05/08 09:18:53 | 000,014,792 | ---- | M] () -- C:\WINNT\System32\drivers\hitmanpro35.sys
[2010/05/08 09:18:37 | 000,001,549 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/05/08 09:18:34 | 005,937,984 | ---- | M] (SurfRight B.V.) -- C:\Documents and Settings\adminbsb\Desktop\HitmanPro35.exe
[2010/05/08 09:03:47 | 000,000,579 | ---- | M] () -- C:\WINNT\System32\drivers\etc\HOSTS.MVP
[2010/05/08 08:54:45 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\adminbsb\Desktop\ATF-Cleaner.exe
[2010/05/08 08:52:59 | 000,070,858 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\adminbsb\Desktop\GooredFix.exe
[2010/05/08 08:43:16 | 000,004,958 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/05/08 08:33:17 | 000,000,659 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/08 08:33:04 | 008,206,880 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\SUPERAntiSpyware.exe
[2010/05/08 08:29:53 | 000,119,808 | ---- | M] (Atribune.org) -- C:\Documents and Settings\adminbsb\Desktop\VundoFix.exe
[2010/05/08 07:41:30 | 125,883,520 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\adminbsb\Desktop\avg_ipw_stf_all_90_819a2842.exe
[2010/05/08 06:56:21 | 000,070,144 | ---- | M] () -- C:\WINNT\System32\dompol.msc
[2010/05/08 06:20:28 | 000,002,839 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\Sophos confic-a Cleanup Tool.lnk
[2010/05/08 06:20:20 | 003,920,384 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\conficker-removal-tool.msi
[2010/05/08 06:17:03 | 000,615,912 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\adminbsb\Desktop\Windows2000-KB921883-x86-ENU.EXE
[2010/05/08 06:16:15 | 000,724,792 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\adminbsb\Desktop\WindowsServer2003-KB921883-v2-x86-ENU.exe
[2010/05/08 06:00:21 | 000,066,048 | ---- | M] () -- C:\WINNT\System32\rrasmgmt.msc
[2010/05/08 05:57:54 | 000,066,048 | ---- | M] () -- C:\WINNT\System32\dhcpmgmt.msc
[2010/05/08 05:47:13 | 000,000,380 | ---- | M] () -- C:\Documents and Settings\adminbsb\My Documents\backup2010.reg
[2010/05/08 05:35:19 | 003,684,271 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\ComboFix.exe
[2010/05/08 05:33:34 | 000,002,644 | ---- | M] () -- C:\WINNT\imsins.BAK
[2010/05/05 12:22:50 | 000,067,072 | ---- | M] () -- C:\WINNT\System32\dsa.msc
[2010/05/04 14:31:04 | 000,607,013 | ---- | M] () -- C:\WINNT\System32\drivers\etc\HOSTS
[2010/05/04 11:25:25 | 001,709,408 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\taskmanager17.exe
[2010/05/03 19:08:59 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\adminbsb\Local Settings\Application Data\housecall.guid.cache
[2010/05/03 18:28:50 | 000,002,577 | ---- | M] () -- C:\WINNT\System32\CONFIG.NT
[2010/05/03 18:28:50 | 000,000,438 | ---- | M] () -- C:\WINNT\System32\AUTOEXEC.NT
[2010/05/03 18:28:50 | 000,000,002 | RHS- | M] () -- C:\WINNT\winstart.bat
[2010/05/03 18:22:10 | 010,837,867 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\unhackme.zip
[2010/05/03 18:14:42 | 044,089,904 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\tools.exe
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:24 | 000,019,288 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2010/04/29 15:18:15 | 006,574,239 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\SUPERAntiSpyware.rar
[2010/04/15 14:31:10 | 035,552,574 | ---- | M] () -- C:\Documents and Settings\adminbsb\My Documents\backup.reg
[2010/04/15 13:57:21 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_640.dat

========== Files Created - No Company Name ==========

[2010/05/08 19:04:36 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\adminbsb\My Documents\mbr.exe
[2010/05/08 19:02:45 | 000,001,980 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\WKSFS.key
[2010/05/08 16:26:55 | 001,339,288 | ---- | C] () -- C:\Documents and Settings\adminbsb\My Documents\sar_15_sfx.exe
[2010/05/08 16:10:46 | 000,149,705 | ---- | C] () -- C:\Documents and Settings\adminbsb\My Documents\hosts.zip
[2010/05/08 15:51:24 | 001,709,408 | ---- | C] () -- C:\Documents and Settings\adminbsb\My Documents\taskmanager17.exe
[2010/05/08 12:09:16 | 000,231,390 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\RootkitRevealer.zip
[2010/05/08 10:17:04 | 000,000,569 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/08 09:31:15 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\us2ldynb.exe
[2010/05/08 09:18:37 | 000,001,549 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/05/08 09:09:08 | 000,014,792 | ---- | C] () -- C:\WINNT\System32\drivers\hitmanpro35.sys
[2010/05/08 08:33:17 | 000,000,659 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/08 08:33:04 | 008,206,880 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\SUPERAntiSpyware.exe
[2010/05/08 08:21:28 | 000,556,022 | -H-- | C] () -- C:\WINNT\ShellIconCache
[2010/05/08 06:20:28 | 000,002,839 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\Sophos confic-a Cleanup Tool.lnk
[2010/05/08 06:20:20 | 003,920,384 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\conficker-removal-tool.msi
[2010/05/08 05:47:13 | 000,000,380 | ---- | C] () -- C:\Documents and Settings\adminbsb\My Documents\backup2010.reg
[2010/05/08 05:35:19 | 003,684,271 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\ComboFix.exe
[2010/05/05 12:22:45 | 000,002,374 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\HiJackThis.lnk
[2010/05/04 11:25:25 | 001,709,408 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\taskmanager17.exe
[2010/05/03 19:08:59 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\adminbsb\Local Settings\Application Data\housecall.guid.cache
[2010/05/03 18:28:50 | 000,000,002 | RHS- | C] () -- C:\WINNT\winstart.bat
[2010/05/03 18:22:10 | 010,837,867 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\unhackme.zip
[2010/05/03 18:14:42 | 044,089,904 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\tools.exe
[

#7
KevinMajere

    Member

  • Topic Starter
  • Member
  • 13 posts
This was in the C:\WINNT\System32\AUTOEXEC.NT:


@echo off

REM AUTOEXEC.BAT is not used to initialize the MS-DOS environment.
REM AUTOEXEC.NT is used to initialize the MS-DOS environment unless a
REM different startup file is specified in an application's PIF.

REM Install CD ROM extensions
lh %SystemRoot%\system32\mscdexnt.exe

REM Install network redirector (load before dosx.exe)
lh %SystemRoot%\system32\redir

REM Install DPMI support
lh %SystemRoot%\system32\dosx

This was in the C:\WINNT\System32\CONFIG.NT:

REM Windows MS-DOS Startup File
REM
REM CONFIG.SYS vs CONFIG.NT
REM CONFIG.SYS is not used to initialize the MS-DOS environment.
REM CONFIG.NT is used to initialize the MS-DOS environment unless a
REM different startup file is specified in an application's PIF.
REM
REM ECHOCONFIG
REM By default, no information is displayed when the MS-DOS environment
REM is initialized. To display CONFIG.NT/AUTOEXEC.NT information, add
REM the command echoconfig to CONFIG.NT or other startup file.
REM
REM NTCMDPROMPT
REM When you return to the command prompt from a TSR or while running an
REM MS-DOS-based application, Windows runs COMMAND.COM. This allows the
REM TSR to remain active. To run CMD.EXE, the Windows command prompt,
REM rather than COMMAND.COM, add the command ntcmdprompt to CONFIG.NT or
REM other startup file.
REM
REM DOSONLY
REM By default, you can start any type of application when running
REM COMMAND.COM. If you start an application other than an MS-DOS-based
REM application, any running TSR may be disrupted. To ensure that only
REM MS-DOS-based applications can be started, add the command dosonly to
REM CONFIG.NT or other startup file.
REM
REM EMM
REM You can use EMM command line to configure EMM(Expanded Memory Manager).
REM The syntax is:
REM
REM EMM = [A=AltRegSets] [B=BaseSegment] [RAM]
REM
REM AltRegSets
REM specifies the total Alternative Mapping Register Sets you
REM want the system to support. 1 <= AltRegSets <= 255. The
REM default value is 8.
REM BaseSegment
REM specifies the starting segment address in the Dos conventional
REM memory you want the system to allocate for EMM page frames.
REM The value must be given in Hexdecimal.
REM 0x1000 <= BaseSegment <= 0x4000. The value is rounded down to
REM 16KB boundary. The default value is 0x4000
REM RAM
REM specifies that the system should only allocate 64Kb address
REM space from the Upper Memory Block(UMB) area for EMM page frames
REM and leave the rests(if available) to be used by DOS to support
REM loadhigh and devicehigh commands. The system, by default, would
REM allocate all possible and available UMB for page frames.
REM
REM The EMM size is determined by pif file(either the one associated
REM with your application or _default.pif). If the size from PIF file
REM is zero, EMM will be disabled and the EMM line will be ignored.
REM
dos=high, umb
device=%SystemRoot%\system32\himem.sys
files=40

Edited by KevinMajere, 08 May 2010 - 06:02 PM.


#8
RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
So you have added the proxy since the problem began? Are you sure the proxy wasn't infected by whatever is going around?

Looks like the last log got clipped. I'm really just looking for the stuff at the bottom of the log which is what got left off.


You have a bunch of junk in your hosts file. It's possible that it is remapping stuff but we can't see it because of all the 127.0.0.1 stuff. Can you copy the current hosts file to hosts.old and edit the current one so that it only says 127.0.0.1 localhost?

Since this is a small network what router are you using? Could it have been compromised?

Start, Run, cmd, OK
nslookup  google.com  >  junk.txt
notepad  junk.txt

Copy and paste the text into a reply.


I wonder if tdsskiller will run on win2k?

  • Go to this page and Download TDSSKiller.zip to your Desktop.
  • Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
  • Vista: Start logo > All Programs > Accessories > RIGHT-click on Command Prompt and select Run As Administrator. Copy/paste the following bolded command and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If TDSSKiller alerts you that the system needs to reboot, please consent.
  • When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Edited by RKinner, 08 May 2010 - 06:13 PM.

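RKinner's point above (the mass of 127.0.0.1 blocklist entries hides any real remapping) can be checked mechanically. The following is an added example, not code from this thread or from any of the tools mentioned: it parses a hosts file, separates loopback and 0.0.0.0 sinkhole entries from entries that redirect a name to some other address, and flags any entry touching a watch-list of search and security-vendor domains. The sample hosts text and the WATCH_DOMAINS list are constructed assumptions for the example.

```python
"""Triage a Windows hosts file so that real redirects stand out from blocklist noise.

Added example for this thread; not part of any post or tool discussed here.
"""
import ipaddress
from dataclasses import dataclass, field

# Domains a search/AV redirector typically tampers with. Assumed list for this
# example; add the vendors and services your own site depends on.
WATCH_DOMAINS = ("google.com", "microsoft.com", "windowsupdate.com",
                 "kaspersky.com", "malwarebytes.org", "eset.com", "sophos.com")

LOCALHOST_NAMES = {"localhost", "localhost.localdomain",
                   "ip6-localhost", "ip6-loopback"}


@dataclass
class HostsEntry:
    lineno: int
    ip: str
    names: list


@dataclass
class Triage:
    localhost: list = field(default_factory=list)  # loopback -> localhost only
    blocklist: list = field(default_factory=list)  # loopback/0.0.0.0 sinkholes
    redirects: list = field(default_factory=list)  # name -> some other address
    watched: list = field(default_factory=list)    # any entry on WATCH_DOMAINS
    malformed: list = field(default_factory=list)  # (lineno, raw line)


def parse_hosts(text):
    """Parse hosts-file text into entries; comments and blank lines are skipped."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            malformed.append((lineno, raw))
            continue
        if len(parts) < 2:
            malformed.append((lineno, raw))
            continue
        entries.append(HostsEntry(lineno, parts[0], [n.lower() for n in parts[1:]]))
    return entries, malformed


def _is_watched(name, watch):
    return any(name == d or name.endswith("." + d) for d in watch)


def triage_hosts(text, watch=WATCH_DOMAINS):
    """Bucket every entry: localhost, blocklist sinkhole, or a genuine redirect."""
    entries, malformed = parse_hosts(text)
    result = Triage(malformed=malformed)
    for entry in entries:
        addr = ipaddress.ip_address(entry.ip)
        sinkhole = addr.is_loopback or addr.is_unspecified
        if any(_is_watched(n, watch) for n in entry.names):
            result.watched.append(entry)
        if sinkhole and set(entry.names) <= LOCALHOST_NAMES:
            result.localhost.append(entry)
        elif sinkhole:
            result.blocklist.append(entry)
        else:
            result.redirects.append(entry)
    return result


def findings(triage):
    """Human-readable report lines, most suspicious first."""
    lines = []
    for e in triage.redirects:
        lines.append(f"line {e.lineno}: REDIRECT {', '.join(e.names)} -> {e.ip}")
    for e in triage.watched:
        if e in triage.blocklist:  # a vendor name sinkholed to loopback
            lines.append(f"line {e.lineno}: SINKHOLED watch-list name "
                         f"{', '.join(e.names)} -> {e.ip}")
    for lineno, raw in triage.malformed:
        lines.append(f"line {lineno}: MALFORMED {raw.strip()!r}")
    lines.append(f"{len(triage.blocklist)} blocklist-style entries, "
                 f"{len(triage.localhost)} localhost entries")
    return lines


# Constructed sample, not the poster's real hosts file. 192.0.2.0/24 is a
# documentation range, used here as a stand-in for an attacker-chosen address.
SAMPLE_HOSTS = """\
# constructed sample for this example
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.net
127.0.0.1       tracker.example.org
0.0.0.0         banner.example.com
127.0.0.1       www.kaspersky.com
192.0.2.44      www.google.com
192.0.2.44      google.com
not-an-ip       www.example.net
"""

if __name__ == "__main__":
    for line in findings(triage_hosts(SAMPLE_HOSTS)):
        print(line)
```

Run it against a copy of C:\WINNT\System32\drivers\etc\HOSTS after the blocklist has been added: the REDIRECT lines are the ones worth reading first, and a SINKHOLED vendor name explains a ping to that vendor answering from 127.0.0.1.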

#9
KevinMajere

    Member

  • Topic Starter
  • Member
  • 13 posts
Here is the extended OTL report, sorry for the cut-off, I didn't know fast reply cut your post! We use a Linksys router; it's possible it's been compromised in some fashion. The proxy was never used till this all started, and then mainly to have access to anti-virus downloads. The hosts file was normal till I added all that to block malware sites from infection.

O3 - HKLM\..\Toolbar: (@msdxmLC.dll,-1@1033,&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx ()
O4 - HKLM..\Run: [*GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe (Citrix Online, a division of Citrix Systems, Inc.)
O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing LP)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\RNR20.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell....iler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Reg Error: Key error.)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1268936622546 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} http://dlm.tools.aka...vex-2.2.3.2.cab (DLM Control)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = freedomlawns.local
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O18 - Protocol\Filter\application/octet-stream - No CLSID value found
O18 - Protocol\Filter\application/x-complus - No CLSID value found
O18 - Protocol\Filter\application/x-msdownload - No CLSID value found
O18 - Protocol\Filter\Class Install Handler - No CLSID value found
O18 - Protocol\Filter\deflate - No CLSID value found
O18 - Protocol\Filter\gzip - No CLSID value found
O18 - Protocol\Filter\lzdhtml - No CLSID value found
O18 - Protocol\Filter\text/webviewhtml - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
O24 - Desktop BackupWallPaper:
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O29 - HKLM SecurityProviders - (pwdssp.dll) - C:\WINNT\System32\pwdssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/01/14 00:45:17 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/08 19:52:30 | 344,104,592 | ---- | C] (Kaspersky Lab ) -- C:\Documents and Settings\adminbsb\Desktop\kasp8.0.2090_adminkiten.exe
[2010/05/08 16:11:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\My Documents\hosts
[2010/05/08 15:52:25 | 000,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2010/05/08 15:19:32 | 000,000,000 | -H-D | C] -- C:\Program Files\InstallShield Installation Information
[2010/05/08 15:19:32 | 000,000,000 | ---D | C] -- C:\Program Files\Citrix
[2010/05/08 15:19:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield
[2010/05/08 12:06:48 | 000,000,000 | ---D | C] -- C:\Program Files\Softwin
[2010/05/08 12:06:27 | 000,465,000 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\adminbsb\Desktop\bitdefender_antirootkit-beta2.exe
[2010/05/08 11:53:31 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\adminbsb\Desktop\OTL.exe
[2010/05/08 10:17:02 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2010/05/08 10:16:59 | 000,019,288 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2010/05/08 10:16:18 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/05/08 09:27:26 | 000,264,704 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\adminbsb\Desktop\TFC.exe
[2010/05/08 09:09:01 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/05/08 09:09:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/05/08 09:08:57 | 005,937,984 | ---- | C] (SurfRight B.V.) -- C:\Documents and Settings\adminbsb\Desktop\HitmanPro35.exe
[2010/05/08 08:54:45 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\adminbsb\Desktop\ATF-Cleaner.exe
[2010/05/08 08:53:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\Desktop\GooredFix Backups
[2010/05/08 08:52:58 | 000,070,858 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\adminbsb\Desktop\GooredFix.exe
[2010/05/08 08:33:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/05/08 08:30:03 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2010/05/08 08:29:52 | 000,119,808 | ---- | C] (Atribune.org) -- C:\Documents and Settings\adminbsb\Desktop\VundoFix.exe
[2010/05/08 07:41:30 | 125,883,520 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\adminbsb\Desktop\avg_ipw_stf_all_90_819a2842.exe
[2010/05/08 06:51:46 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/05/08 06:20:28 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/05/08 06:16:57 | 000,615,912 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\adminbsb\Desktop\Windows2000-KB921883-x86-ENU.EXE
[2010/05/08 06:16:08 | 000,724,792 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\adminbsb\Desktop\WindowsServer2003-KB921883-v2-x86-ENU.exe
[2010/05/05 12:22:45 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/05/04 11:26:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2010/05/03 19:08:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/05/03 19:07:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\My Documents\Simply Super Software
[2010/05/03 18:45:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\DoctorWeb
[2010/05/03 18:28:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\My Documents\RegRun2
[2010/05/03 18:28:08 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2010/05/03 18:22:27 | 010,859,096 | ---- | C] (Greatis Software, LLC. ) -- C:\Documents and Settings\adminbsb\Desktop\unhackme_setup.exe
[2010/04/29 15:54:56 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/29 15:18:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/04/29 15:18:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\Application Data\SUPERAntiSpyware.com
[2010/04/29 15:18:40 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/29 15:18:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\adminbsb\Application Data\WinRAR
[2010/04/29 15:14:45 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR

========== Files - Modified Within 30 Days ==========

[2010/05/08 20:05:09 | 000,860,160 | ---- | M] () -- C:\Documents and Settings\adminbsb\NTUSER.DAT
[2010/05/08 19:52:30 | 344,104,592 | ---- | M] (Kaspersky Lab ) -- C:\Documents and Settings\adminbsb\Desktop\kasp8.0.2090_adminkiten.exe
[2010/05/08 19:03:54 | 000,076,288 | ---- | M] () -- C:\WINNT\System32\dnsmgmt.msc
[2010/05/08 19:03:40 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\adminbsb\My Documents\mbr.exe
[2010/05/08 19:02:39 | 000,001,980 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\WKSFS.key
[2010/05/08 16:26:43 | 001,339,288 | ---- | M] () -- C:\Documents and Settings\adminbsb\My Documents\sar_15_sfx.exe
[2010/05/08 16:10:22 | 000,149,705 | ---- | M] () -- C:\Documents and Settings\adminbsb\My Documents\hosts.zip
[2010/05/08 16:03:15 | 000,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2010/05/08 15:50:50 | 001,709,408 | ---- | M] () -- C:\Documents and Settings\adminbsb\My Documents\taskmanager17.exe
[2010/05/08 13:35:31 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\adminbsb\ntuser.ini
[2010/05/08 13:35:26 | 000,556,022 | -H-- | M] () -- C:\WINNT\ShellIconCache
[2010/05/08 13:13:28 | 000,065,536 | ---- | M] () -- C:\WINNT\NETLOGON.CHG
[2010/05/08 12:27:34 | 000,002,374 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\HiJackThis.lnk
[2010/05/08 12:09:18 | 000,231,390 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\RootkitRevealer.zip
[2010/05/08 12:06:33 | 000,465,000 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\adminbsb\Desktop\bitdefender_antirootkit-beta2.exe
[2010/05/08 11:53:34 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\adminbsb\Desktop\OTL.exe
[2010/05/08 10:18:32 | 000,000,569 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/08 09:31:18 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\us2ldynb.exe
[2010/05/08 09:27:29 | 000,264,704 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\adminbsb\Desktop\TFC.exe
[2010/05/08 09:18:53 | 000,014,792 | ---- | M] () -- C:\WINNT\System32\drivers\hitmanpro35.sys
[2010/05/08 09:18:37 | 000,001,549 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/05/08 09:18:34 | 005,937,984 | ---- | M] (SurfRight B.V.) -- C:\Documents and Settings\adminbsb\Desktop\HitmanPro35.exe
[2010/05/08 09:03:47 | 000,000,579 | ---- | M] () -- C:\WINNT\System32\drivers\etc\HOSTS.MVP
[2010/05/08 08:54:45 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\adminbsb\Desktop\ATF-Cleaner.exe
[2010/05/08 08:52:59 | 000,070,858 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\adminbsb\Desktop\GooredFix.exe
[2010/05/08 08:43:16 | 000,004,958 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/05/08 08:33:17 | 000,000,659 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/08 08:33:04 | 008,206,880 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\SUPERAntiSpyware.exe
[2010/05/08 08:29:53 | 000,119,808 | ---- | M] (Atribune.org) -- C:\Documents and Settings\adminbsb\Desktop\VundoFix.exe
[2010/05/08 07:41:30 | 125,883,520 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\adminbsb\Desktop\avg_ipw_stf_all_90_819a2842.exe
[2010/05/08 06:56:21 | 000,070,144 | ---- | M] () -- C:\WINNT\System32\dompol.msc
[2010/05/08 06:20:28 | 000,002,839 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\Sophos confic-a Cleanup Tool.lnk
[2010/05/08 06:20:20 | 003,920,384 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\conficker-removal-tool.msi
[2010/05/08 06:17:03 | 000,615,912 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\adminbsb\Desktop\Windows2000-KB921883-x86-ENU.EXE
[2010/05/08 06:16:15 | 000,724,792 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\adminbsb\Desktop\WindowsServer2003-KB921883-v2-x86-ENU.exe
[2010/05/08 06:00:21 | 000,066,048 | ---- | M] () -- C:\WINNT\System32\rrasmgmt.msc
[2010/05/08 05:57:54 | 000,066,048 | ---- | M] () -- C:\WINNT\System32\dhcpmgmt.msc
[2010/05/08 05:47:13 | 000,000,380 | ---- | M] () -- C:\Documents and Settings\adminbsb\My Documents\backup2010.reg
[2010/05/08 05:35:19 | 003,684,271 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\ComboFix.exe
[2010/05/08 05:33:34 | 000,002,644 | ---- | M] () -- C:\WINNT\imsins.BAK
[2010/05/05 12:22:50 | 000,067,072 | ---- | M] () -- C:\WINNT\System32\dsa.msc
[2010/05/04 14:31:04 | 000,607,013 | ---- | M] () -- C:\WINNT\System32\drivers\etc\HOSTS
[2010/05/04 11:25:25 | 001,709,408 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\taskmanager17.exe
[2010/05/03 19:08:59 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\adminbsb\Local Settings\Application Data\housecall.guid.cache
[2010/05/03 18:28:50 | 000,002,577 | ---- | M] () -- C:\WINNT\System32\CONFIG.NT
[2010/05/03 18:28:50 | 000,000,438 | ---- | M] () -- C:\WINNT\System32\AUTOEXEC.NT
[2010/05/03 18:28:50 | 000,000,002 | RHS- | M] () -- C:\WINNT\winstart.bat
[2010/05/03 18:22:10 | 010,837,867 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\unhackme.zip
[2010/05/03 18:14:42 | 044,089,904 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\tools.exe
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:24 | 000,019,288 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2010/04/29 15:18:15 | 006,574,239 | ---- | M] () -- C:\Documents and Settings\adminbsb\Desktop\SUPERAntiSpyware.rar
[2010/04/15 14:31:10 | 035,552,574 | ---- | M] () -- C:\Documents and Settings\adminbsb\My Documents\backup.reg
[2010/04/15 13:57:21 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_640.dat

========== Files Created - No Company Name ==========

[2010/05/08 19:04:36 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\adminbsb\My Documents\mbr.exe
[2010/05/08 19:02:45 | 000,001,980 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\WKSFS.key
[2010/05/08 16:26:55 | 001,339,288 | ---- | C] () -- C:\Documents and Settings\adminbsb\My Documents\sar_15_sfx.exe
[2010/05/08 16:10:46 | 000,149,705 | ---- | C] () -- C:\Documents and Settings\adminbsb\My Documents\hosts.zip
[2010/05/08 15:51:24 | 001,709,408 | ---- | C] () -- C:\Documents and Settings\adminbsb\My Documents\taskmanager17.exe
[2010/05/08 12:09:16 | 000,231,390 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\RootkitRevealer.zip
[2010/05/08 10:17:04 | 000,000,569 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/08 09:31:15 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\us2ldynb.exe
[2010/05/08 09:18:37 | 000,001,549 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/05/08 09:09:08 | 000,014,792 | ---- | C] () -- C:\WINNT\System32\drivers\hitmanpro35.sys
[2010/05/08 08:33:17 | 000,000,659 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/08 08:33:04 | 008,206,880 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\SUPERAntiSpyware.exe
[2010/05/08 08:21:28 | 000,556,022 | -H-- | C] () -- C:\WINNT\ShellIconCache
[2010/05/08 06:20:28 | 000,002,839 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\Sophos confic-a Cleanup Tool.lnk
[2010/05/08 06:20:20 | 003,920,384 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\conficker-removal-tool.msi
[2010/05/08 05:47:13 | 000,000,380 | ---- | C] () -- C:\Documents and Settings\adminbsb\My Documents\backup2010.reg
[2010/05/08 05:35:19 | 003,684,271 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\ComboFix.exe
[2010/05/05 12:22:45 | 000,002,374 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\HiJackThis.lnk
[2010/05/04 11:25:25 | 001,709,408 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\taskmanager17.exe
[2010/05/03 19:08:59 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\adminbsb\Local Settings\Application Data\housecall.guid.cache
[2010/05/03 18:28:50 | 000,000,002 | RHS- | C] () -- C:\WINNT\winstart.bat
[2010/05/03 18:22:10 | 010,837,867 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\unhackme.zip
[2010/05/03 18:14:42 | 044,089,904 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\tools.exe
[2010/04/29 15:18:15 | 006,574,239 | ---- | C] () -- C:\Documents and Settings\adminbsb\Desktop\SUPERAntiSpyware.rar
[2010/04/15 14:31:06 | 035,552,574 | ---- | C] () -- C:\Documents and Settings\adminbsb\My Documents\backup.reg
[2010/04/15 13:57:21 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_640.dat
[2009/01/05 16:44:10 | 000,000,453 | ---- | C] () -- C:\WINNT\bdoscandellang.ini
[2008/04/30 06:19:30 | 000,011,597 | ---- | C] () -- C:\WINNT\System32\dnsperf.ini
[2008/01/18 12:26:37 | 000,000,103 | ---- | C] () -- C:\WINNT\ODBC.INI
[2008/01/17 13:14:51 | 000,000,063 | ---- | C] () -- C:\WINNT\LA.INI
[2008/01/14 16:30:43 | 000,017,168 | ---- | C] () -- C:\WINNT\System32\ismsink.dll
[2008/01/14 15:32:52 | 000,002,360 | ---- | C] () -- C:\WINNT\System32\dhcpctrs.ini
[2008/01/14 00:44:08 | 000,000,000 | ---- | C] () -- C:\WINNT\frontpg.ini
[2008/01/14 00:42:26 | 000,038,523 | ---- | C] () -- C:\WINNT\System32\w3ctrs.ini
[2008/01/14 00:42:25 | 000,011,355 | ---- | C] () -- C:\WINNT\System32\infoctrs.ini
[2008/01/14 00:42:15 | 000,009,584 | ---- | C] () -- C:\WINNT\System32\axperf.ini
[2008/01/14 00:42:09 | 000,021,789 | ---- | C] () -- C:\WINNT\System32\smtpctrs.ini
[2008/01/14 00:42:09 | 000,001,037 | ---- | C] () -- C:\WINNT\System32\ntfsdrct.ini
[2002/07/24 08:00:00 | 000,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
[2002/07/24 08:00:00 | 000,133,752 | ---- | C] () -- C:\WINNT\System32\schema.ini
[2002/07/24 08:00:00 | 000,033,552 | ---- | C] () -- C:\WINNT\System32\efsadu.dll
[2002/07/24 08:00:00 | 000,022,582 | ---- | C] () -- C:\WINNT\System32\ntdsctrs.ini
[2002/07/24 08:00:00 | 000,020,386 | ---- | C] () -- C:\WINNT\System32\ntfrsrep.ini
[2002/07/24 08:00:00 | 000,007,265 | ---- | C] () -- C:\WINNT\System32\iasperf.ini
[2002/07/24 08:00:00 | 000,005,597 | ---- | C] () -- C:\WINNT\System32\ntfrscon.ini
[2002/07/24 08:00:00 | 000,001,505 | ---- | C] () -- C:\WINNT\System32\faxperf.ini
[1999/09/25 06:36:24 | 000,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
[1999/09/25 06:36:22 | 000,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys

========== Custom Scans ==========


< c:\*.* >
[2003/06/19 15:05:04 | 000,150,528 | RHS- | M] () -- c:\arcldr.exe
[2003/06/19 15:05:04 | 000,163,840 | RHS- | M] () -- c:\arcsetup.exe
[2008/01/14 00:45:17 | 000,000,000 | -H-- | M] () -- c:\AUTOEXEC.BAT
[2008/01/14 00:41:57 | 000,000,186 | -HS- | M] () -- c:\boot.ini
[2008/01/14 00:45:17 | 000,000,000 | -H-- | M] () -- c:\CONFIG.SYS
[2008/01/14 00:45:17 | 000,000,000 | RHS- | M] () -- c:\IO.SYS
[2010/05/08 10:18:30 | 000,000,109 | ---- | M] () -- c:\mbam-error.txt
[2008/01/14 00:45:17 | 000,000,000 | RHS- | M] () -- c:\MSDOS.SYS
[2002/07/24 08:00:00 | 000,034,724 | RHS- | M] () -- c:\NTDETECT.COM
[2008/01/14 16:34:28 | 000,214,432 | RHS- | M] () -- c:\ntldr
[2010/05/08 16:02:24 | 2145,386,496 | -HS- | M] () -- c:\pagefile.sys
[2008/01/14 17:57:13 | 037,748,736 | ---- | M] () -- c:\VIRTPART.DAT
[2010/05/08 08:30:22 | 000,000,429 | ---- | M] () -- c:\VundoFix.txt
[2010/05/03 19:06:27 | 000,001,780 | ---- | M] () -- c:\Win32.Worm.Downladup.Gen.log

< c:\winnt\*. /mp /s >

< c:\winnt\system32\*.dll /lockedfiles >

< c:\winnt\Tasks\*.job /lockedfiles >

< c:\winnt\system32\drivers\*.sys /90 >
[2010/05/08 09:18:53 | 000,014,792 | ---- | M] () -- C:\WINNT\system32\drivers\hitmanpro35.sys
[2010/04/29 15:39:24 | 000,019,288 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\system32\drivers\mbamswissarmy.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 7188 bytes -> C:\WINNT\lanmannt.bmp:Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 5832 bytes -> C:\WINNT\Soap Bubbles.bmp:Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 5300 bytes -> C:\WINNT\lanma256.bmp:Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 3864 bytes -> C:\WINNT\Prairie Wind.bmp:Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 3840 bytes -> C:\WINNT\Santa Fe Stucco.bmp:Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 1256 bytes -> C:\WINNT\System32\ntimage.gif:Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
< End of report >

#10 KevinMajere (Member, Topic Starter, 13 posts)
Here is the junk script you asked me to run...

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.10.1

DNS request timed out.
timeout was 2 seconds.
Name: google.com
Address: 66.249.90.104

#11 KevinMajere (Member, Topic Starter, 13 posts)
And finally the TDSSKiller log:

20:33:34:345 0676 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
20:33:34:345 0676 ================================================================================
20:33:34:345 0676 SystemInfo:

20:33:34:345 0676 OS Version: 5.0.2195 ServicePack: 4.0
20:33:34:345 0676 Product type: Domain controller
20:33:34:345 0676 ComputerName: FLAWNS
20:33:34:345 0676 UserName: adminbsb
20:33:34:345 0676 Windows directory: C:\WINNT
20:33:34:345 0676 Processor architecture: Intel x86
20:33:34:345 0676 Number of processors: 4
20:33:34:345 0676 Page size: 0x1000
20:33:34:345 0676 Boot type: Normal boot
20:33:34:345 0676 ================================================================================
20:33:34:345 0676 UnloadDriverW: NtUnloadDriver error 2
20:33:34:360 0676 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
20:33:34:360 0676 RegExUnlockDeleteW: RegCreateKeyExW(System\CurrentControlSet\Control\SafeBoot\Minimal\klmd21.sys) error 2
20:33:34:360 0676 RegExUnlockDeleteW: RegCreateKeyExW(System\CurrentControlSet\Control\SafeBoot\Network\klmd21.sys) error 2
20:33:34:376 0676 wfopen_ex: Trying to open file C:\WINNT\system32\config\system
20:33:34:376 0676 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:33:34:376 0676 wfopen_ex: Trying to KLMD file open
20:33:34:376 0676 wfopen_ex: File opened ok (Flags 2)
20:33:34:391 0676 wfopen_ex: Trying to open file C:\WINNT\system32\config\software
20:33:34:391 0676 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:33:34:391 0676 wfopen_ex: Trying to KLMD file open
20:33:34:391 0676 wfopen_ex: File opened ok (Flags 2)
20:33:34:391 0676 Initialize success
20:33:34:391 0676
20:33:34:391 0676 Scanning Services ...
20:33:34:829 0676 Raw services enum returned 262 services
20:33:34:845 0676
20:33:34:845 0676 Scanning Kernel memory ...
20:33:34:845 0676 Devices to scan: 8
20:33:34:845 0676
20:33:34:845 0676 Driver Name: Disk
20:33:34:845 0676 IRP_MJ_CREATE : F583692C
20:33:34:845 0676 IRP_MJ_CREATE_NAMED_PIPE : 804251C0
20:33:34:845 0676 IRP_MJ_CLOSE : F583692C
20:33:34:845 0676 IRP_MJ_READ : F5830A7F
20:33:34:845 0676 IRP_MJ_WRITE : F5830A7F
20:33:34:845 0676 IRP_MJ_QUERY_INFORMATION : 804251C0
20:33:34:845 0676 IRP_MJ_SET_INFORMATION : 804251C0
20:33:34:845 0676 IRP_MJ_QUERY_EA : 804251C0
20:33:34:845 0676 IRP_MJ_SET_EA : 804251C0
20:33:34:845 0676 IRP_MJ_FLUSH_BUFFERS : F5832A2F
20:33:34:845 0676 IRP_MJ_QUERY_VOLUME_INFORMATION : 804251C0
20:33:34:845 0676 IRP_MJ_SET_VOLUME_INFORMATION : 804251C0
20:33:34:845 0676 IRP_MJ_DIRECTORY_CONTROL : 804251C0
20:33:34:845 0676 IRP_MJ_FILE_SYSTEM_CONTROL : 804251C0
20:33:34:845 0676 IRP_MJ_DEVICE_CONTROL : F5832127
20:33:34:845 0676 IRP_MJ_INTERNAL_DEVICE_CONTROL : F5832AC3
20:33:34:845 0676 IRP_MJ_SHUTDOWN : F5832A2F
20:33:34:845 0676 IRP_MJ_LOCK_CONTROL : 804251C0
20:33:34:845 0676 IRP_MJ_CLEANUP : 804251C0
20:33:34:845 0676 IRP_MJ_CREATE_MAILSLOT : 804251C0
20:33:34:845 0676 IRP_MJ_QUERY_SECURITY : 804251C0
20:33:34:845 0676 IRP_MJ_SET_SECURITY : 804251C0
20:33:34:845 0676 IRP_MJ_POWER : F583345F
20:33:34:845 0676 IRP_MJ_SYSTEM_CONTROL : F58364FE
20:33:34:845 0676 IRP_MJ_DEVICE_CHANGE : 804251C0
20:33:34:845 0676 IRP_MJ_QUERY_QUOTA : 804251C0
20:33:34:845 0676 IRP_MJ_SET_QUOTA : 804251C0
20:33:34:860 0676 C:\WINNT\system32\DRIVERS\disk.sys - Verdict: 1
20:33:34:860 0676
20:33:34:860 0676 Driver Name: USBSTOR
20:33:34:860 0676 IRP_MJ_CREATE : F5B0C5CE
20:33:34:860 0676 IRP_MJ_CREATE_NAMED_PIPE : 804251C0
20:33:34:860 0676 IRP_MJ_CLOSE : F5B0C5CE
20:33:34:860 0676 IRP_MJ_READ : F5B0C5E8
20:33:34:860 0676 IRP_MJ_WRITE : F5B0C5E8
20:33:34:860 0676 IRP_MJ_QUERY_INFORMATION : 804251C0
20:33:34:860 0676 IRP_MJ_SET_INFORMATION : 804251C0
20:33:34:860 0676 IRP_MJ_QUERY_EA : 804251C0
20:33:34:860 0676 IRP_MJ_SET_EA : 804251C0
20:33:34:860 0676 IRP_MJ_FLUSH_BUFFERS : 804251C0
20:33:34:860 0676 IRP_MJ_QUERY_VOLUME_INFORMATION : 804251C0
20:33:34:860 0676 IRP_MJ_SET_VOLUME_INFORMATION : 804251C0
20:33:34:860 0676 IRP_MJ_DIRECTORY_CONTROL : 804251C0
20:33:34:860 0676 IRP_MJ_FILE_SYSTEM_CONTROL : 804251C0
20:33:34:860 0676 IRP_MJ_DEVICE_CONTROL : F5B0BB5E
20:33:34:860 0676 IRP_MJ_INTERNAL_DEVICE_CONTROL : F5B08468
20:33:34:860 0676 IRP_MJ_SHUTDOWN : 804251C0
20:33:34:860 0676 IRP_MJ_LOCK_CONTROL : 804251C0
20:33:34:860 0676 IRP_MJ_CLEANUP : 804251C0
20:33:34:860 0676 IRP_MJ_CREATE_MAILSLOT : 804251C0
20:33:34:860 0676 IRP_MJ_QUERY_SECURITY : 804251C0
20:33:34:860 0676 IRP_MJ_SET_SECURITY : 804251C0
20:33:34:860 0676 IRP_MJ_POWER : F5B0A048
20:33:34:860 0676 IRP_MJ_SYSTEM_CONTROL : F5B0A1C2
20:33:34:860 0676 IRP_MJ_DEVICE_CHANGE : 804251C0
20:33:34:860 0676 IRP_MJ_QUERY_QUOTA : 804251C0
20:33:34:860 0676 IRP_MJ_SET_QUOTA : 804251C0
20:33:34:876 0676 C:\WINNT\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
20:33:34:876 0676
20:33:34:876 0676 Driver Name: Disk
20:33:34:876 0676 IRP_MJ_CREATE : F583692C
20:33:34:876 0676 IRP_MJ_CREATE_NAMED_PIPE : 804251C0
20:33:34:876 0676 IRP_MJ_CLOSE : F583692C
20:33:34:876 0676 IRP_MJ_READ : F5830A7F
20:33:34:876 0676 IRP_MJ_WRITE : F5830A7F
20:33:34:876 0676 IRP_MJ_QUERY_INFORMATION : 804251C0
20:33:34:876 0676 IRP_MJ_SET_INFORMATION : 804251C0
20:33:34:876 0676 IRP_MJ_QUERY_EA : 804251C0
20:33:34:876 0676 IRP_MJ_SET_EA : 804251C0
20:33:34:876 0676 IRP_MJ_FLUSH_BUFFERS : F5832A2F
20:33:34:876 0676 IRP_MJ_QUERY_VOLUME_INFORMATION : 804251C0
20:33:34:876 0676 IRP_MJ_SET_VOLUME_INFORMATION : 804251C0
20:33:34:876 0676 IRP_MJ_DIRECTORY_CONTROL : 804251C0
20:33:34:876 0676 IRP_MJ_FILE_SYSTEM_CONTROL : 804251C0
20:33:34:876 0676 IRP_MJ_DEVICE_CONTROL : F5832127
20:33:34:876 0676 IRP_MJ_INTERNAL_DEVICE_CONTROL : F5832AC3
20:33:34:876 0676 IRP_MJ_SHUTDOWN : F5832A2F
20:33:34:876 0676 IRP_MJ_LOCK_CONTROL : 804251C0
20:33:34:876 0676 IRP_MJ_CLEANUP : 804251C0
20:33:34:876 0676 IRP_MJ_CREATE_MAILSLOT : 804251C0
20:33:34:876 0676 IRP_MJ_QUERY_SECURITY : 804251C0
20:33:34:876 0676 IRP_MJ_SET_SECURITY : 804251C0
20:33:34:876 0676 IRP_MJ_POWER : F583345F
20:33:34:876 0676 IRP_MJ_SYSTEM_CONTROL : F58364FE
20:33:34:876 0676 IRP_MJ_DEVICE_CHANGE : 804251C0
20:33:34:876 0676 IRP_MJ_QUERY_QUOTA : 804251C0
20:33:34:876 0676 IRP_MJ_SET_QUOTA : 804251C0
20:33:34:876 0676 C:\WINNT\system32\DRIVERS\disk.sys - Verdict: 1
20:33:34:876 0676
20:33:34:876 0676 Driver Name: Disk
20:33:34:876 0676 IRP_MJ_CREATE : F583692C
20:33:34:876 0676 IRP_MJ_CREATE_NAMED_PIPE : 804251C0
20:33:34:876 0676 IRP_MJ_CLOSE : F583692C
20:33:34:876 0676 IRP_MJ_READ : F5830A7F
20:33:34:876 0676 IRP_MJ_WRITE : F5830A7F
20:33:34:876 0676 IRP_MJ_QUERY_INFORMATION : 804251C0
20:33:34:876 0676 IRP_MJ_SET_INFORMATION : 804251C0
20:33:34:876 0676 IRP_MJ_QUERY_EA : 804251C0
20:33:34:876 0676 IRP_MJ_SET_EA : 804251C0
20:33:34:876 0676 IRP_MJ_FLUSH_BUFFERS : F5832A2F
20:33:34:876 0676 IRP_MJ_QUERY_VOLUME_INFORMATION : 804251C0
20:33:34:876 0676 IRP_MJ_SET_VOLUME_INFORMATION : 804251C0
20:33:34:876 0676 IRP_MJ_DIRECTORY_CONTROL : 804251C0
20:33:34:876 0676 IRP_MJ_FILE_SYSTEM_CONTROL : 804251C0
20:33:34:876 0676 IRP_MJ_DEVICE_CONTROL : F5832127
20:33:34:876 0676 IRP_MJ_INTERNAL_DEVICE_CONTROL : F5832AC3
20:33:34:876 0676 IRP_MJ_SHUTDOWN : F5832A2F
20:33:34:876 0676 IRP_MJ_LOCK_CONTROL : 804251C0
20:33:34:876 0676 IRP_MJ_CLEANUP : 804251C0
20:33:34:876 0676 IRP_MJ_CREATE_MAILSLOT : 804251C0
20:33:34:876 0676 IRP_MJ_QUERY_SECURITY : 804251C0
20:33:34:876 0676 IRP_MJ_SET_SECURITY : 804251C0
20:33:34:876 0676 IRP_MJ_POWER : F583345F
20:33:34:876 0676 IRP_MJ_SYSTEM_CONTROL : F58364FE
20:33:34:876 0676 IRP_MJ_DEVICE_CHANGE : 804251C0
20:33:34:876 0676 IRP_MJ_QUERY_QUOTA : 804251C0
20:33:34:876 0676 IRP_MJ_SET_QUOTA : 804251C0
20:33:34:876 0676 C:\WINNT\system32\DRIVERS\disk.sys - Verdict: 1
20:33:34:876 0676
20:33:34:876 0676 Driver Name: Disk
20:33:34:876 0676 IRP_MJ_CREATE : F583692C
20:33:34:876 0676 IRP_MJ_CREATE_NAMED_PIPE : 804251C0
20:33:34:876 0676 IRP_MJ_CLOSE : F583692C
20:33:34:876 0676 IRP_MJ_READ : F5830A7F
20:33:34:876 0676 IRP_MJ_WRITE : F5830A7F
20:33:34:876 0676 IRP_MJ_QUERY_INFORMATION : 804251C0
20:33:34:876 0676 IRP_MJ_SET_INFORMATION : 804251C0
20:33:34:876 0676 IRP_MJ_QUERY_EA : 804251C0
20:33:34:876 0676 IRP_MJ_SET_EA : 804251C0
20:33:34:876 0676 IRP_MJ_FLUSH_BUFFERS : F5832A2F
20:33:34:876 0676 IRP_MJ_QUERY_VOLUME_INFORMATION : 804251C0
20:33:34:876 0676 IRP_MJ_SET_VOLUME_INFORMATION : 804251C0
20:33:34:876 0676 IRP_MJ_DIRECTORY_CONTROL : 804251C0
20:33:34:876 0676 IRP_MJ_FILE_SYSTEM_CONTROL : 804251C0
20:33:34:876 0676 IRP_MJ_DEVICE_CONTROL : F5832127
20:33:34:876 0676 IRP_MJ_INTERNAL_DEVICE_CONTROL : F5832AC3
20:33:34:876 0676 IRP_MJ_SHUTDOWN : F5832A2F
20:33:34:876 0676 IRP_MJ_LOCK_CONTROL : 804251C0
20:33:34:876 0676 IRP_MJ_CLEANUP : 804251C0
20:33:34:876 0676 IRP_MJ_CREATE_MAILSLOT : 804251C0
20:33:34:876 0676 IRP_MJ_QUERY_SECURITY : 804251C0
20:33:34:876 0676 IRP_MJ_SET_SECURITY : 804251C0
20:33:34:876 0676 IRP_MJ_POWER : F583345F
20:33:34:876 0676 IRP_MJ_SYSTEM_CONTROL : F58364FE
20:33:34:876 0676 IRP_MJ_DEVICE_CHANGE : 804251C0
20:33:34:876 0676 IRP_MJ_QUERY_QUOTA : 804251C0
20:33:34:876 0676 IRP_MJ_SET_QUOTA : 804251C0
20:33:34:891 0676 C:\WINNT\system32\DRIVERS\disk.sys - Verdict: 1
20:33:34:891 0676
20:33:34:891 0676 Driver Name: mraid2k
20:33:34:891 0676 IRP_MJ_CREATE : BFF70376
20:33:34:891 0676 IRP_MJ_CREATE_NAMED_PIPE : 804251C0
20:33:34:891 0676 IRP_MJ_CLOSE : BFF70376
20:33:34:891 0676 IRP_MJ_READ : 804251C0
20:33:34:891 0676 IRP_MJ_WRITE : 804251C0
20:33:34:891 0676 IRP_MJ_QUERY_INFORMATION : 804251C0
20:33:34:891 0676 IRP_MJ_SET_INFORMATION : 804251C0
20:33:34:891 0676 IRP_MJ_QUERY_EA : 804251C0
20:33:34:891 0676 IRP_MJ_SET_EA : 804251C0
20:33:34:891 0676 IRP_MJ_FLUSH_BUFFERS : 804251C0
20:33:34:891 0676 IRP_MJ_QUERY_VOLUME_INFORMATION : 804251C0
20:33:34:891 0676 IRP_MJ_SET_VOLUME_INFORMATION : 804251C0
20:33:34:891 0676 IRP_MJ_DIRECTORY_CONTROL : 804251C0
20:33:34:891 0676 IRP_MJ_FILE_SYSTEM_CONTROL : 804251C0
20:33:34:891 0676 IRP_MJ_DEVICE_CONTROL : BFF70376
20:33:34:891 0676 IRP_MJ_INTERNAL_DEVICE_CONTROL : BFF70376
20:33:34:891 0676 IRP_MJ_SHUTDOWN : 804251C0
20:33:34:891 0676 IRP_MJ_LOCK_CONTROL : 804251C0
20:33:34:891 0676 IRP_MJ_CLEANUP : 804251C0
20:33:34:891 0676 IRP_MJ_CREATE_MAILSLOT : 804251C0
20:33:34:891 0676 IRP_MJ_QUERY_SECURITY : 804251C0
20:33:34:891 0676 IRP_MJ_SET_SECURITY : 804251C0
20:33:34:891 0676 IRP_MJ_POWER : BFF70376
20:33:34:891 0676 IRP_MJ_SYSTEM_CONTROL : BFF70376
20:33:34:891 0676 IRP_MJ_DEVICE_CHANGE : 804251C0
20:33:34:891 0676 IRP_MJ_QUERY_QUOTA : 804251C0
20:33:34:891 0676 IRP_MJ_SET_QUOTA : 804251C0
20:33:34:891 0676 C:\WINNT\system32\drivers\mraid2k.sys - Verdict: 1
20:33:34:891 0676
20:33:34:891 0676 Driver Name: mraid2k
20:33:34:891 0676 IRP_MJ_CREATE : BFF70376
20:33:34:891 0676 IRP_MJ_CREATE_NAMED_PIPE : 804251C0
20:33:34:891 0676 IRP_MJ_CLOSE : BFF70376
20:33:34:891 0676 IRP_MJ_READ : 804251C0
20:33:34:891 0676 IRP_MJ_WRITE : 804251C0
20:33:34:891 0676 IRP_MJ_QUERY_INFORMATION : 804251C0
20:33:34:891 0676 IRP_MJ_SET_INFORMATION : 804251C0
20:33:34:891 0676 IRP_MJ_QUERY_EA : 804251C0
20:33:34:891 0676 IRP_MJ_SET_EA : 804251C0
20:33:34:891 0676 IRP_MJ_FLUSH_BUFFERS : 804251C0
20:33:34:891 0676 IRP_MJ_QUERY_VOLUME_INFORMATION : 804251C0
20:33:34:891 0676 IRP_MJ_SET_VOLUME_INFORMATION : 804251C0
20:33:34:891 0676 IRP_MJ_DIRECTORY_CONTROL : 804251C0
20:33:34:891 0676 IRP_MJ_FILE_SYSTEM_CONTROL : 804251C0
20:33:34:891 0676 IRP_MJ_DEVICE_CONTROL : BFF70376
20:33:34:891 0676 IRP_MJ_INTERNAL_DEVICE_CONTROL : BFF70376
20:33:34:891 0676 IRP_MJ_SHUTDOWN : 804251C0
20:33:34:891 0676 IRP_MJ_LOCK_CONTROL : 804251C0
20:33:34:891 0676 IRP_MJ_CLEANUP : 804251C0
20:33:34:891 0676 IRP_MJ_CREATE_MAILSLOT : 804251C0
20:33:34:891 0676 IRP_MJ_QUERY_SECURITY : 804251C0
20:33:34:891 0676 IRP_MJ_SET_SECURITY : 804251C0
20:33:34:891 0676 IRP_MJ_POWER : BFF70376
20:33:34:891 0676 IRP_MJ_SYSTEM_CONTROL : BFF70376
20:33:34:891 0676 IRP_MJ_DEVICE_CHANGE : 804251C0
20:33:34:891 0676 IRP_MJ_QUERY_QUOTA : 804251C0
20:33:34:891 0676 IRP_MJ_SET_QUOTA : 804251C0
20:33:34:907 0676 C:\WINNT\system32\drivers\mraid2k.sys - Verdict: 1
20:33:34:907 0676
20:33:34:907 0676 Driver Name: mraid2k
20:33:34:907 0676 IRP_MJ_CREATE : BFF70376
20:33:34:907 0676 IRP_MJ_CREATE_NAMED_PIPE : 804251C0
20:33:34:907 0676 IRP_MJ_CLOSE : BFF70376
20:33:34:907 0676 IRP_MJ_READ : 804251C0
20:33:34:907 0676 IRP_MJ_WRITE : 804251C0
20:33:34:907 0676 IRP_MJ_QUERY_INFORMATION : 804251C0
20:33:34:907 0676 IRP_MJ_SET_INFORMATION : 804251C0
20:33:34:907 0676 IRP_MJ_QUERY_EA : 804251C0
20:33:34:907 0676 IRP_MJ_SET_EA : 804251C0
20:33:34:907 0676 IRP_MJ_FLUSH_BUFFERS : 804251C0
20:33:34:907 0676 IRP_MJ_QUERY_VOLUME_INFORMATION : 804251C0
20:33:34:907 0676 IRP_MJ_SET_VOLUME_INFORMATION : 804251C0
20:33:34:907 0676 IRP_MJ_DIRECTORY_CONTROL : 804251C0
20:33:34:907 0676 IRP_MJ_FILE_SYSTEM_CONTROL : 804251C0
20:33:34:907 0676 IRP_MJ_DEVICE_CONTROL : BFF70376
20:33:34:907 0676 IRP_MJ_INTERNAL_DEVICE_CONTROL : BFF70376
20:33:34:907 0676 IRP_MJ_SHUTDOWN : 804251C0
20:33:34:907 0676 IRP_MJ_LOCK_CONTROL : 804251C0
20:33:34:907 0676 IRP_MJ_CLEANUP : 804251C0
20:33:34:907 0676 IRP_MJ_CREATE_MAILSLOT : 804251C0
20:33:34:907 0676 IRP_MJ_QUERY_SECURITY : 804251C0
20:33:34:907 0676 IRP_MJ_SET_SECURITY : 804251C0
20:33:34:907 0676 IRP_MJ_POWER : BFF70376
20:33:34:907 0676 IRP_MJ_SYSTEM_CONTROL : BFF70376
20:33:34:907 0676 IRP_MJ_DEVICE_CHANGE : 804251C0
20:33:34:907 0676 IRP_MJ_QUERY_QUOTA : 804251C0
20:33:34:907 0676 IRP_MJ_SET_QUOTA : 804251C0
20:33:34:907 0676 C:\WINNT\system32\drivers\mraid2k.sys - Verdict: 1
20:33:34:907 0676
20:33:34:907 0676 Completed
20:33:34:907 0676
20:33:34:907 0676 Results:
20:33:34:907 0676 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
20:33:34:907 0676 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:33:34:907 0676 File objects infected / cured / cured on reboot: 0 / 0 / 0
20:33:34:907 0676
20:33:34:907 0676 fclose_ex: Trying to close file C:\WINNT\system32\config\system
20:33:34:907 0676 fclose_ex: Trying to close file C:\WINNT\system32\config\software
20:33:34:907 0676 KLMD(ARK) unloaded successfully

#12 RKinner (Malware Expert, MVP, 24,624 posts)
OK. You are definitely talking to Google. Turn off the proxy. Clean out the hosts file.
Go to google.com and do one of your searches that is being redirected.

Note the domain name (on the Google page) in the URL, "somename.somename.com" (drop any http://www and anything that comes after the .com). Also note the domain name of the bad link, "bad.bad.tv" or whatever.

Open a command window and:

ipconfig /flushdns

nslookup somename.somename.com > junk.txt

nslookup bad.bad.tv >> junk.txt

tracert -d somename.somename.com >> junk.txt

tracert -d bad.bad.tv >> junk.txt

notepad junk.txt


#13 KevinMajere (Member, Topic Starter, 13 posts)
Not sure I understand you. I Google search "lawn care Wilmington, NC". My company, Freedom Lawns, shows at the top; its URL is www.freedomlawnsnc.com, but it gets redirected to www.results5.google.com... Also, thank you for your time on this!

#14 KevinMajere (Member, Topic Starter, 13 posts)
Here is how I did the script... but it's not creating the txt file. I cleared the proxy and reset the hosts file to default...

ipconfig /flushdns

nslookup freedomlawnsnc.freedomlawnsnc.com > junk.txt

nslookup results5.google.com >> junk.txt

tracert -d freedomlawnsnc.freedomlawnsnc.com >> junk.txt

tracert -d results5.google.com >> junk.txt

notepad junk.txt

Edited by KevinMajere, 08 May 2010 - 07:19 PM.


#15 RKinner (Malware Expert, MVP, 24,624 posts)
I meant for you to open a command window: Start, Run, cmd, OK, then type the stuff in the code box. I see I wasn't clear with the somename.somename.com bit either. We google for your company and get:

"Freedom Lawns : Professional Lawn Care out of Wilmington and ...
Lawn Care Profesionals serving New Hanover and Pender County. Learn how you can get a thicker, greener, more weed free lawn.
www.freedomlawnsnc.com/ - Cached - Similar"

Normally, if you hold the cursor over the top line (Freedom Lawns : Professional Lawn Care out of Wilmington and ...), which is in blue, the bottom of IE will tell you the URL of the result. It will normally point to the same as the information on the last line of the search result, in this case www.freedomlawnsnc.com. If you right-click on the top line, select Copy Link Location and paste it into Notepad, you will get:

http://www.google.co...usqp0i8Q6QubrUw.

The important thing is the URL=http%3A%2F%2Fwww.freedomlawnsnc.com. The %3A and %2A are just alternative ways of saying : and /. I just want you to pull out the freedomlawnsnc.com

and do:

nslookup freedomlawnsnc.com >> junk.txt

Then click on the blue link and look at the address that it actually goes to. When I click on it, it goes to http://www.freedomlawnsnc.com/, so the part I want is just freedomlawnsnc.com, and in this case the next line would be the same, since it was not redirected.

Another thing I need to know: if you type 66.235.111.70 in the URL box in IE, does it go to your website?

66.235.111.70 is the result from nslookup freedomlawnsnc.com.

If you type in freedomlawnsnc.com, does it go where it should?

Ron