TDL3 Alureon rootkit variant


This topic is locked

#1 xor0 (Member, 24 posts)
Hitman 3.5 shows a "Possible variant of the TDL3 (alias Alureon) rootkit detected" message but can't remove it.

eSage TDSS remover found a hidden driver but couldn't remove it.

Everything else I tried (including TDSSKiller) couldn't see anything.

It prevents MSE updates and booting into safe mode, and there are all the secondary infections as well (antimalware, search redirects, etc.).

Any help much appreciated.


Did all suggested steps.

logs:

I ran MBAM a couple of times before coming here; those logs are included too.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4328

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/19/2010 9:00:48 PM
mbam-log-2010-07-19 (21-00-48).txt

Scan type: Quick scan
Objects scanned: 173812
Time elapsed: 1 hour(s), 16 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 28
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e6b02e22-80a8-472a-88f2-3d7db18ba26e} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{e6b02e22-80a8-472a-88f2-3d7db18ba26e} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e6b02e22-80a8-472a-88f2-3d7db18ba26e} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e6b02e22-80a8-472a-88f2-3d7db18ba26e} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp.1 (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Street-Ads (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Street-Ads (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ff1225d3-edb1-499b-bf2a-729239f695bb} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ff1225d3-edb1-499b-bf2a-729239f695bb} (Adware.AdRotator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\070700setup.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mchk (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ibflbrxy (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ibflbrxy (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\h3yb0y1 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\paul\Application Data\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\Documents and Settings\paul\Application Data\Sky-Banners\skb (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\Documents and Settings\paul\Application Data\Street-Ads (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\Documents and Settings\paul\Application Data\Street-Ads\sta (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\paul\Application Data\5164C7C72C869D4F087B706C0A24CC44\070700Setup.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dzsip.exe (Trojan.Adware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qzsip.dll (Adware.EZlife) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-795874254-138367639-1861382812-1005\Dc142\EvID4226Patch.exe (Malware.Tool) -> Quarantined and deleted successfully.
C:\Documents and Settings\paul\Local Settings\Temp\c4bbea93.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\paul\Local Settings\Temp\6D.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\paul\Local Settings\Temp\eblmw.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\paul\Local Settings\Temp\hoagfk.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\6F.tmp (Rootkit.Dropper) -> Delete on reboot.
C:\WINDOWS\$NtUninstallMTF1011$\apUninstall.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtUninstallMTF1011$\zrpt.xml (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\Documents and Settings\paul\Local Settings\Application Data\qhbcveiwv\ycidarftssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\awf\LSASS.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\awf\system.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\awf\serv-u.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mzsip.dll (Adware.AdRotator) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4328

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/24/2010 7:03:44 PM
mbam-log-2010-07-24 (19-03-44).txt

Scan type: Full scan (C:\|)
Objects scanned: 399593
Time elapsed: 4 hour(s), 1 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\esrensbl (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\LocalService\Local Settings\Application Data\tcbxvalpb\qviuiqftssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4364

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/28/2010 6:26:07 PM
mbam-log-2010-07-28 (18-26-07).txt

Scan type: Quick scan
Objects scanned: 145015
Time elapsed: 10 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-29 00:51:49
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\paul\LOCALS~1\Temp\pxtdapob.sys


---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!IoRegisterPlugPlayNotification 8058A15A 8 Bytes PUSH B7F5D370; RET rk_remover.sys (TDSS Remover Kernel Driver/eSage Lab)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB67FB380, 0x566445, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA98A5300, 0x3ACC8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB8398300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[576] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[576] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[576] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\System32\svchost.exe[1256] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1256] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1256] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1256] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[1256] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]
.text C:\WINDOWS\system32\wuauclt.exe[2040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\wuauclt.exe[2040] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\wuauclt.exe[2040] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


OTL logfile created on: 7/29/2010 1:44:28 AM - Run 3
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\paul\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 74.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 3070 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 100.62 Gb Free Space | 43.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PCB
Current User Name: paul
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/29 01:02:12 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\paul\Desktop\OTL.exe
PRC - [2010/06/01 14:53:46 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2010/05/23 21:38:00 | 000,015,688 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Silverlight\4.0.50524.0\agcp.exe
PRC - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2009/10/07 06:04:44 | 003,872,552 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version4\TeamViewer.exe
PRC - [2009/10/07 05:50:26 | 000,185,640 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/12 21:43:30 | 000,019,456 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CtHelper.exe
PRC - [2007/10/17 16:13:22 | 000,389,120 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe
PRC - [2006/05/23 21:05:45 | 000,730,112 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTXFISPI.EXE
PRC - [2005/11/04 18:07:56 | 000,049,152 | ---- | M] (Creative Technology Ltd.) -- C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe


========== Modules (SafeList) ==========

MOD - [2010/07/29 01:02:12 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\paul\Desktop\OTL.exe
MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [Auto | Stopped] -- C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe -- (ccSchedulerSVC)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/10/07 05:50:26 | 000,185,640 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe -- (TeamViewer4)
SRV - [2007/10/17 16:13:22 | 000,389,120 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Senfilt.sys -- (SenFiltService)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\PNDIS5.SYS -- (PNDIS5)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\AEAudio.sys -- (AEAudio)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\adidts.sys -- (ADIDTSFiltService)
DRV - [2010/07/26 22:32:37 | 000,052,736 | ---- | M] (eSage Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\rk_remover.sys -- (rk_remover-boot)
DRV - [2010/04/03 15:55:31 | 010,232,128 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2010/03/25 21:30:22 | 000,151,216 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2009/12/30 12:20:54 | 000,027,064 | ---- | M] (VS Revo Group) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\revoflt.sys -- (Revoflt)
DRV - [2009/09/07 14:11:48 | 000,138,736 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PnkBstrK.sys -- (PnkBstrK)
DRV - [2009/08/22 11:25:00 | 000,009,088 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys -- (RivaTuner32)
DRV - [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2008/04/13 11:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/04/13 09:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/12 23:01:52 | 000,095,168 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\CTERFXFX.DLL -- (CTERFXFX.DLL)
DRV - [2006/11/18 16:20:47 | 000,271,360 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2006/11/18 16:20:46 | 000,018,048 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2006/11/10 06:08:50 | 000,024,064 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ATITool.sys -- (ATITool)
DRV - [2006/06/16 00:30:16 | 000,176,128 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8187.sys -- (RTLWUSB)
DRV - [2006/05/23 20:48:07 | 000,061,952 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\CTHWIUT.DLL -- (CTHWIUT.DLL)
DRV - [2006/05/23 20:48:02 | 000,158,720 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\CT20XUT.DLL -- (CT20XUT.DLL)
DRV - [2006/05/23 20:47:44 | 001,170,432 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\CTEXFIFX.DLL -- (CTEXFIFX.DLL)
DRV - [2006/05/23 20:46:58 | 000,548,352 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\CTSBLFX.DLL -- (CTSBLFX.DLL)
DRV - [2006/05/23 20:46:32 | 000,160,768 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\CTEAPSFX.DLL -- (CTEAPSFX.DLL)
DRV - [2006/05/23 20:46:02 | 000,536,576 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\CTAUDFX.DLL -- (CTAUDFX.DLL)
DRV - [2006/05/23 20:45:48 | 000,087,552 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\COMMONFX.DLL -- (COMMONFX.DLL)
DRV - [2006/05/23 20:45:42 | 000,317,952 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\CTEDSPSY.DLL -- (CTEDSPSY.DLL)
DRV - [2006/05/23 20:41:38 | 000,115,200 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\CTEDSPIO.DLL -- (CTEDSPIO.DLL)
DRV - [2006/05/23 20:41:22 | 000,269,824 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\CTEDSPFX.DLL -- (CTEDSPFX.DLL)
DRV - [2006/05/23 20:41:07 | 000,007,168 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2006/05/23 20:41:04 | 000,499,584 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2006/05/23 20:40:21 | 001,110,016 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha20x2k.sys -- (ha20x2k)
DRV - [2006/05/23 20:38:30 | 000,116,224 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2006/05/23 20:38:08 | 000,143,872 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2006/05/23 20:38:01 | 000,078,336 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2006/05/23 20:37:44 | 000,502,272 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2006/05/02 02:12:40 | 000,229,888 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\adihdaud.sys -- (ADIHdAudAddService)
DRV - [2006/03/31 04:39:54 | 000,013,532 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SjyPkt.sys -- (SjyPkt)
DRV - [2006/03/24 04:51:00 | 000,244,608 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/11/10 02:06:04 | 000,340,704 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2005/06/15 07:55:53 | 000,004,096 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2004/08/12 14:56:20 | 000,005,810 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/08/04 05:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004/08/04 05:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2004/08/03 15:31:20 | 000,036,224 | ---- | M] (ADMtek Incorporated.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\an983.sys -- (AN983)
DRV - [1996/04/03 12:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Prev Search Page = http://red.clientapp...//www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://hotmail.com"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:3.0
FF - prefs.js..extensions.enabledItems: {A5AA4E40-5504-4A80-92F2-4BDA01936BEA}:1.9.1


FF - HKLM\software\mozilla\Firefox\Extensions\\{A5AA4E40-5504-4A80-92F2-4BDA01936BEA}: C:\Documents and Settings\paul\Local Settings\Application Data\{A5AA4E40-5504-4A80-92F2-4BDA01936BEA} [2010/07/19 19:06:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/12 22:26:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/26 14:15:21 | 000,000,000 | ---D | M]

[2009/03/02 14:33:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\Mozilla\Extensions
[2009/03/02 14:33:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\paul\Application Data\Mozilla\Extensions\{ea278cf8-93cd-484f-b951-57360482d33a}
[2010/07/28 18:14:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\Mozilla\Firefox\Profiles\1mn9conl.default\extensions
[2010/07/19 18:20:46 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\paul\Application Data\Mozilla\Firefox\Profiles\1mn9conl.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/28 18:14:25 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/26 13:15:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2009/08/22 16:45:05 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\[email protected]
[2007/10/19 14:02:08 | 000,019,104 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcdec.dll
[2007/10/19 14:02:08 | 000,105,632 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcext.dll
[2007/10/19 14:02:07 | 000,057,504 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll
[2010/07/26 13:14:52 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2007/10/21 11:25:41 | 000,024,576 | ---- | M] (RealNetworks) -- C:\Program Files\Mozilla Firefox\plugins\npgcplug.dll
[2008/04/28 16:13:00 | 000,114,688 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
[2009/10/12 19:18:58 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll
[2009/03/30 17:13:54 | 000,098,304 | ---- | M] (RealNetworks) -- C:\Program Files\Mozilla Firefox\plugins\npraclient.dll
[2005/04/27 13:10:49 | 000,102,400 | ---- | M] (RealNetworks) -- C:\Program Files\Mozilla Firefox\plugins\npracplug.dll

O1 HOSTS File: ([2004/08/04 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [AudioDrvEmulator] C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\System32\CtHelper.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: msn.com ([adcenter] https in Trusted sites)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplane...C_2.3.7.109.cab (CDownloadCtrl Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative....15035/CTPID.cab (Creative Software AutoUpdate Support Package)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/10/10 07:36:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{029d621c-6464-11db-87e9-0018f300afd6}\Shell - "" = AutoRun
O33 - MountPoints2\{029d621c-6464-11db-87e9-0018f300afd6}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{029d621c-6464-11db-87e9-0018f300afd6}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found
O33 - MountPoints2\{894dc727-09bb-11de-88fb-0015af044f4c}\Shell - "" = AutoRun
O33 - MountPoints2\{894dc727-09bb-11de-88fb-0015af044f4c}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{894dc727-09bb-11de-88fb-0015af044f4c}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lhacm - C:\WINDOWS\System32\lhacm.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.ffds - C:\Program Files\Combined Community Codec Pack\Filters\FFDShow\ff_vfw.dll ()
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (69537929998893056)

========== Files/Folders - Created Within 90 Days ==========

[2010/07/29 01:02:27 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\paul\Desktop\OTL.exe
[2010/07/28 18:10:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/28 18:09:23 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/07/26 21:51:14 | 000,052,736 | ---- | C] (eSage Lab) -- C:\WINDOWS\System32\drivers\rk_remover.sys
[2010/07/26 19:21:54 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/07/26 19:05:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\paul\Local Settings\Application Data\VS Revo Group
[2010/07/26 19:05:03 | 000,027,064 | ---- | C] (VS Revo Group) -- C:\WINDOWS\System32\drivers\revoflt.sys
[2010/07/26 19:05:01 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2010/07/26 19:00:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\CA-SupportBridge
[2010/07/26 17:34:49 | 000,000,000 | ---D | C] -- C:\8e184e99c5078efe49dcd2d10cc9dc
[2010/07/26 13:15:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/07/26 13:15:35 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/07/26 13:14:46 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/07/26 12:25:12 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2010/07/23 22:29:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\tcbxvalpb
[2010/07/23 22:28:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2010/07/23 22:28:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2010/07/23 10:25:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\paul\Desktop\utils
[2010/07/22 11:55:34 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/07/22 11:55:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/07/22 11:50:24 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker
[2010/07/22 11:15:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\paul\My Documents\Simply Super Software
[2010/07/22 11:15:30 | 000,000,000 | ---D | C] -- C:\Program Files\Trojan Remover
[2010/07/22 11:15:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\paul\Application Data\Simply Super Software
[2010/07/22 11:15:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Simply Super Software
[2010/07/22 01:29:50 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2010/07/22 01:29:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\paul\Application Data\IObit
[2010/07/22 00:29:02 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\paul\Recent
[2010/07/22 00:27:07 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/07/21 17:57:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
[2010/07/21 17:57:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
[2010/07/21 04:49:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/07/21 04:48:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/07/19 19:40:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\paul\Application Data\Malwarebytes
[2010/07/19 19:40:00 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/19 19:39:58 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/19 19:39:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/19 19:39:57 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/19 19:17:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/19 19:17:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/19 19:06:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\paul\Local Settings\Application Data\{A5AA4E40-5504-4A80-92F2-4BDA01936BEA}
[2010/07/19 19:05:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\paul\Local Settings\Application Data\qhbcveiwv
[2010/07/19 19:04:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\paul\Application Data\5164C7C72C869D4F087B706C0A24CC44
[2010/07/18 11:00:56 | 000,201,968 | ---- | C] (CA, Inc.) -- C:\WINDOWS\System32\Isafprod.dll
[2010/07/18 11:00:56 | 000,128,240 | ---- | C] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\Isafeif.dll
[2010/07/18 11:00:56 | 000,095,472 | ---- | C] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\Vetredir.dll
[2010/07/16 16:33:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\paul\My Documents\Downloads
[2010/07/16 15:43:35 | 000,000,000 | ---D | C] -- C:\Program Files\uTorrent
[2010/07/16 15:31:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\paul\Application Data\uTorrent
[2010/05/24 21:02:16 | 000,000,000 | ---D | C] -- C:\Program Files\UFOAI-2.3-dev
[2010/05/07 19:27:12 | 000,061,440 | ---- | C] (Khronos Group) -- C:\WINDOWS\System32\OpenCL.dll
[2010/05/07 18:55:04 | 000,000,000 | ---D | C] -- C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
[2006/08/17 11:32:46 | 000,033,792 | R--- | C] ( ) -- C:\WINDOWS\System32\a3d.dll

========== Files - Modified Within 90 Days ==========

[2010/07/29 01:13:22 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/07/29 01:07:48 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\tasks\GVCQOA.job
[2010/07/29 01:07:48 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/29 01:07:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/29 01:02:12 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\paul\Desktop\OTL.exe
[2010/07/28 18:00:27 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/28 17:58:47 | 006,815,744 | -H-- | M] () -- C:\Documents and Settings\paul\NTUSER.DAT
[2010/07/28 17:58:46 | 000,064,900 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000005-00000000-00000002-00001102-00000005-00311102}.rfx
[2010/07/28 17:58:46 | 000,053,588 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000005-00000000-00000002-00001102-00000005-00311102}.rfx
[2010/07/28 17:58:46 | 000,053,588 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000005-00000000-00000002-00001102-00000005-00311102}.rfx
[2010/07/28 17:58:46 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010/07/28 17:58:46 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010/07/27 20:32:28 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/07/27 16:59:42 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/07/27 11:35:05 | 000,276,202 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/07/27 11:32:32 | 014,467,268 | -H-- | M] () -- C:\Documents and Settings\paul\Local Settings\Application Data\IconCache.db
[2010/07/26 22:32:37 | 000,052,736 | ---- | M] (eSage Lab) -- C:\WINDOWS\System32\drivers\rk_remover.sys
[2010/07/26 20:38:39 | 000,988,300 | ---- | M] () -- C:\WINDOWS\System32\drivers\KmxAgent.asc
[2010/07/26 20:32:05 | 000,113,194 | ---- | M] () -- C:\Documents and Settings\paul\My Documents\cc_20100726_203201.reg
[2010/07/26 19:22:39 | 000,042,768 | ---- | M] () -- C:\Documents and Settings\paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/07/26 18:55:45 | 000,000,868 | ---- | M] () -- C:\Documents and Settings\paul\My Documents\cc_20100726_185542.reg
[2010/07/26 18:49:49 | 000,005,568 | ---- | M] () -- C:\Documents and Settings\paul\My Documents\cc_20100726_184945.reg
[2010/07/26 18:31:58 | 001,657,551 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k0
[2010/07/26 18:31:58 | 000,000,345 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k2
[2010/07/26 18:31:58 | 000,000,345 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k0
[2010/07/26 18:31:58 | 000,000,289 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k2
[2010/07/26 18:31:58 | 000,000,081 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k7
[2010/07/26 18:31:58 | 000,000,081 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k6
[2010/07/26 18:31:58 | 000,000,081 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k5
[2010/07/26 18:31:58 | 000,000,081 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k4
[2010/07/26 18:31:58 | 000,000,081 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k3
[2010/07/26 18:31:58 | 000,000,081 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k1
[2010/07/26 18:31:58 | 000,000,045 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k7
[2010/07/26 18:31:58 | 000,000,045 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k6
[2010/07/26 18:31:58 | 000,000,045 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k5
[2010/07/26 18:31:58 | 000,000,045 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k4
[2010/07/26 18:31:58 | 000,000,045 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k3
[2010/07/26 18:31:58 | 000,000,045 | ---- | M] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k1
[2010/07/26 14:33:09 | 000,000,568 | ---- | M] () -- C:\Documents and Settings\paul\My Documents\cc_20100726_143306.reg
[2010/07/26 14:02:38 | 000,000,214 | ---- | M] () -- C:\WINDOWS\System32\.crusader
[2010/07/26 13:35:38 | 000,006,140 | ---- | M] () -- C:\Documents and Settings\paul\My Documents\cc_20100726_133532.reg
[2010/07/26 13:05:10 | 000,000,067 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/07/24 19:12:24 | 000,000,464 | ---- | M] () -- C:\Documents and Settings\paul\My Documents\cc_20100724_191158.reg
[2010/07/23 22:28:35 | 000,001,984 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/22 09:57:47 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Mjoda.bin
[2010/07/22 09:57:04 | 000,005,260 | ---- | M] () -- C:\Documents and Settings\paul\My Documents\cc_20100722_095656.reg
[2010/07/22 09:49:44 | 000,192,976 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/07/22 01:48:01 | 000,501,106 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/22 01:48:01 | 000,441,014 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/22 01:48:01 | 000,071,206 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/22 01:16:18 | 000,024,232 | ---- | M] () -- C:\Documents and Settings\paul\My Documents\cc_20100722_011614.reg
[2010/07/22 00:36:00 | 000,395,128 | ---- | M] () -- C:\Documents and Settings\paul\My Documents\cc_20100722_003520.reg
[2010/07/21 18:05:24 | 000,000,610 | ---- | M] () -- C:\Documents and Settings\paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera.lnk
[2010/07/19 21:27:03 | 000,012,540 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2010/07/19 19:06:46 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ygexamo.dat
[2010/07/19 19:05:17 | 000,000,150 | ---- | M] () -- C:\zrpt.xml
[2010/07/19 10:27:53 | 000,024,084 | ---- | M] () -- C:\Documents and Settings\paul\Desktop\paper.odt
[2010/07/18 20:02:04 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\paul\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/18 10:58:09 | 000,000,227 | ---- | M] () -- C:\WINDOWS\SYSTEM.INI
[2010/07/16 15:43:35 | 000,000,630 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\µTorrent.lnk
[2010/06/08 16:23:35 | 000,465,508 | ---- | M] () -- C:\Documents and Settings\paul\Desktop\Ahissar-Nahum-PhilTrans.pdf
[2010/06/08 16:18:34 | 001,647,290 | ---- | M] () -- C:\Documents and Settings\paul\Desktop\Ahissar-Nature-1997.pdf
[2010/06/05 14:56:08 | 001,323,008 | ---- | M] () -- C:\Documents and Settings\paul\My Documents\Impossiblepictures.pps
[2010/06/02 11:10:19 | 000,136,979 | ---- | M] () -- C:\Documents and Settings\paul\Desktop\role of attn in vision - maunsell.pdf
[2010/05/24 21:03:53 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\paul\Desktop\UFOAlien Invasion.lnk
[2010/05/04 17:41:14 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\paul\.gtk-bookmarks

========== Files Created - No Company Name ==========

[2010/07/28 18:34:37 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\paul\Desktop\gmer.exe
[2010/07/26 20:32:03 | 000,113,194 | ---- | C] () -- C:\Documents and Settings\paul\My Documents\cc_20100726_203201.reg
[2010/07/26 19:27:11 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/07/26 18:55:44 | 000,000,868 | ---- | C] () -- C:\Documents and Settings\paul\My Documents\cc_20100726_185542.reg
[2010/07/26 18:49:47 | 000,005,568 | ---- | C] () -- C:\Documents and Settings\paul\My Documents\cc_20100726_184945.reg
[2010/07/26 14:33:08 | 000,000,568 | ---- | C] () -- C:\Documents and Settings\paul\My Documents\cc_20100726_143306.reg
[2010/07/26 13:35:36 | 000,006,140 | ---- | C] () -- C:\Documents and Settings\paul\My Documents\cc_20100726_133532.reg
[2010/07/26 13:05:10 | 000,000,067 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/07/24 19:12:01 | 000,000,464 | ---- | C] () -- C:\Documents and Settings\paul\My Documents\cc_20100724_191158.reg
[2010/07/22 12:32:25 | 000,000,214 | ---- | C] () -- C:\WINDOWS\System32\.crusader
[2010/07/22 11:56:06 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/07/22 11:15:31 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2010/07/22 11:15:31 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2010/07/22 11:15:31 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2010/07/22 11:15:30 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll
[2010/07/22 09:56:58 | 000,005,260 | ---- | C] () -- C:\Documents and Settings\paul\My Documents\cc_20100722_095656.reg
[2010/07/22 01:16:16 | 000,024,232 | ---- | C] () -- C:\Documents and Settings\paul\My Documents\cc_20100722_011614.reg
[2010/07/22 00:35:25 | 000,395,128 | ---- | C] () -- C:\Documents and Settings\paul\My Documents\cc_20100722_003520.reg
[2010/07/21 18:05:24 | 000,000,610 | ---- | C] () -- C:\Documents and Settings\paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera.lnk
[2010/07/19 21:02:55 | 000,988,300 | ---- | C] () -- C:\WINDOWS\System32\drivers\KmxAgent.asc
[2010/07/19 19:06:46 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Ygexamo.dat
[2010/07/19 19:06:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Mjoda.bin
[2010/07/19 19:05:16 | 000,000,150 | ---- | C] () -- C:\zrpt.xml
[2010/07/19 17:03:21 | 000,000,345 | ---- | C] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k2
[2010/07/19 17:03:21 | 000,000,345 | ---- | C] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k0
[2010/07/19 17:03:21 | 000,000,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k7
[2010/07/19 17:03:21 | 000,000,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k6
[2010/07/19 17:03:21 | 000,000,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k5
[2010/07/19 17:03:21 | 000,000,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k4
[2010/07/19 17:03:21 | 000,000,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k3
[2010/07/19 17:03:21 | 000,000,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\kmxzone.u2k1
[2010/07/19 16:59:35 | 001,657,551 | ---- | C] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k0
[2010/07/19 16:59:35 | 000,000,289 | ---- | C] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k2
[2010/07/19 16:59:35 | 000,000,081 | ---- | C] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k7
[2010/07/19 16:59:35 | 000,000,081 | ---- | C] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k6
[2010/07/19 16:59:35 | 000,000,081 | ---- | C] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k5
[2010/07/19 16:59:35 | 000,000,081 | ---- | C] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k4
[2010/07/19 16:59:35 | 000,000,081 | ---- | C] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k3
[2010/07/19 16:59:35 | 000,000,081 | ---- | C] () -- C:\WINDOWS\System32\drivers\kmxcfg.u2k1
[2010/07/16 15:43:35 | 000,000,630 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\µTorrent.lnk
[2010/06/08 16:23:35 | 000,465,508 | ---- | C] () -- C:\Documents and Settings\paul\Desktop\Ahissar-Nahum-PhilTrans.pdf
[2010/06/08 16:18:34 | 001,647,290 | ---- | C] () -- C:\Documents and Settings\paul\Desktop\Ahissar-Nature-1997.pdf
[2010/06/05 14:56:10 | 001,323,008 | ---- | C] () -- C:\Documents and Settings\paul\My Documents\Impossiblepictures.pps
[2010/06/02 11:10:19 | 000,136,979 | ---- | C] () -- C:\Documents and Settings\paul\Desktop\role of attn in vision - maunsell.pdf
[2010/05/23 22:07:40 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\paul\Desktop\UFOAlien Invasion.lnk
[2010/05/07 19:27:10 | 002,183,470 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2009/11/06 10:58:04 | 000,178,975 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2008/04/05 12:55:04 | 000,086,445 | R--- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2008/04/05 12:55:04 | 000,000,191 | R--- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2008/03/12 04:16:58 | 000,000,029 | ---- | C] () -- C:\WINDOWS\sfbm.INI
[2007/11/05 12:38:44 | 000,003,072 | ---- | C] () -- C:\WINDOWS\CTXFIRES.DLL
[2007/10/19 14:02:26 | 000,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2007/10/15 17:19:26 | 000,000,006 | ---- | C] () -- C:\WINDOWS\System32\mkghj.dll
[2007/07/03 03:22:35 | 000,138,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2007/03/27 15:24:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/11/18 16:20:46 | 000,271,360 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2006/11/18 16:20:46 | 000,018,048 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2006/11/10 06:08:50 | 000,024,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\ATITool.sys
[2006/10/25 14:00:15 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/10/25 13:52:04 | 000,000,020 | ---- | C] () -- C:\WINDOWS\Hposcv07.INI
[2006/10/25 13:23:44 | 000,000,102 | ---- | C] () -- C:\WINDOWS\VSWizard.ini
[2006/10/24 19:16:56 | 000,023,885 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2006/10/24 19:16:48 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2006/10/11 12:33:47 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/10/10 10:26:20 | 000,005,810 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2006/10/10 10:25:46 | 000,000,636 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/05/23 22:00:48 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\CTBURST.DLL
[2005/07/26 14:13:12 | 000,000,214 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2005/06/07 06:10:50 | 000,070,656 | ---- | C] () -- C:\WINDOWS\System32\CTMMACTL.DLL
[1997/06/13 19:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[1996/04/03 12:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2008/01/21 13:14:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Aliasworlds
[2007/07/03 16:59:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2007/05/16 14:08:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Bryxen Software
[2010/07/26 18:30:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
[2010/07/26 19:00:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA-SupportBridge
[2009/03/04 20:13:42 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2008/03/12 19:16:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CCP
[2007/12/26 19:20:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EA
[2010/01/23 13:01:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2008/01/05 12:54:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HipSoft
[2010/07/26 11:29:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2008/01/06 12:59:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\JollyBear
[2007/12/26 22:38:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MumboJumbo
[2009/10/10 14:00:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy
[2008/02/02 21:33:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2009/10/12 19:19:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2009/08/22 16:01:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games
[2010/07/22 11:15:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Simply Super Software
[2010/07/26 11:27:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/01/30 13:57:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/07/19 21:00:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\5164C7C72C869D4F087B706C0A24CC44
[2008/01/21 19:33:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\alawar
[2007/12/30 12:41:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\AlwaysNeat
[2010/07/22 00:30:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\Azureus
[2010/01/18 15:03:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\Camel101
[2007/12/26 19:21:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\EA
[2008/03/08 10:43:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\EVEMon
[2007/12/26 20:29:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\Eyeblaster
[2008/01/21 13:36:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\funkitron
[2008/02/02 21:02:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\Gaijin Ent
[2010/07/22 01:12:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\GameRanger
[2007/10/15 15:18:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\GetRightToGo
[2009/03/14 18:06:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\HexWar Launcher
[2008/01/11 21:33:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\Hulabee
[2010/07/22 01:29:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\IObit
[2010/07/22 01:23:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\Itykzo
[2008/01/21 13:44:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\Jamdat
[2006/10/25 13:24:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\Leadertech
[2008/01/12 18:23:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\Mind Control Software
[2009/02/08 22:48:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\Mount&Blade
[2009/10/17 12:59:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\OpenOffice.org
[2006/10/28 12:38:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\Opera
[2009/01/17 12:55:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\PACE Anti-Piracy
[2008/02/02 21:38:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\PlayFirst
[2010/07/22 11:15:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\Simply Super Software
[2010/05/22 23:54:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\Spore
[2007/12/15 13:20:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\Super-Cow
[2008/01/04 00:59:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\SystemRequirementsLab
[2010/03/03 13:41:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\TeamViewer
[2006/10/25 15:44:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\TextPad
[2009/03/02 00:35:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\The Creative Assembly
[2009/10/12 22:41:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\Turbine
[2010/05/23 22:09:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\UFOAI
[2010/07/22 00:19:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\uTorrent
[2007/10/19 14:02:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\webex
[2008/03/23 16:35:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\paul\Application Data\Wildfire
[2010/07/29 01:07:48 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\Tasks\GVCQOA.job
[2010/07/29 01:13:22 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Custom Scans ==========


< >

< %SYSTEMDRIVE%\*.* >
[2006/10/10 07:36:08 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2008/12/01 12:52:04 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2006/10/10 07:36:08 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2008/06/01 12:32:31 | 000,000,102 | ---- | M] () -- C:\DownloadLog.txt
[2006/10/10 07:36:08 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2006/10/10 07:36:08 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/01/07 16:30:47 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/07/29 01:07:20 | 3219,128,320 | -HS- | M] () -- C:\pagefile.sys
[2007/06/18 12:35:14 | 000,000,004 | ---- | M] () -- C:\results.bin
[2010/07/24 11:28:51 | 000,000,267 | ---- | M] () -- C:\rkill.log
[2007/04/12 19:45:12 | 000,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2007/05/01 22:34:56 | 000,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2007/05/08 19:48:32 | 000,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2007/05/08 19:53:20 | 000,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2007/05/08 21:28:33 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2007/05/08 21:52:23 | 000,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2007/05/12 18:31:37 | 000,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2007/05/15 20:30:03 | 000,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2007/04/12 19:45:12 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2007/05/01 22:34:56 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2007/05/08 19:48:32 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2007/05/08 19:53:20 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2007/05/08 21:28:33 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2007/05/08 21:52:23 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2007/05/12 18:31:37 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2007/05/15 20:30:03 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2010/07/26 16:19:44 | 000,001,954 | ---- | M] () -- C:\TDSSKiller.2.4.0.0_26.07.2010_16.19.41_log.txt
[2010/07/27 14:56:02 | 000,040,416 | ---- | M] () -- C:\TDSSKiller.2.4.0.0_27.07.2010_14.53.05_log.txt
[2007/05/26 01:05:17 | 000,020,225 | ---- | M] () -- C:\TomeWizard070526005112.tom
[2007/05/26 01:05:17 | 000,175,109 | ---- | M] () -- C:\TomeWizard0705260051121.rsa
[2007/05/26 17:01:09 | 000,043,242 | ---- | M] () -- C:\TomeWizard070526162926.tom
[2007/05/26 17:01:10 | 000,260,513 | ---- | M] () -- C:\TomeWizard0705261629261.rsa
[2010/07/19 19:05:17 | 000,000,150 | ---- | M] () -- C:\zrpt.xml

< %systemroot%\system32\*.wt >

< %systemroot%\system32\*.ruy >

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006/10/10 07:35:51 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2007/04/15 21:00:00 | 000,027,136 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD8Z.DLL
[2007/04/15 21:00:00 | 000,069,632 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP8Z.DLL
[2008/07/06 05:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2008/07/06 03:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2008/01/12 10:54:29 | 000,802,816 | ---- | M] (Sprout Games, LLC) -- C:\WINDOWS\feedingfrenzy.scr

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2005/09/28 01:56:46 | 000,185,856 | ---- | M] () -- C:\Program Files\7za.exe
[2007/10/21 11:25:40 | 000,774,144 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[2006/08/27 07:38:28 | 001,015,973 | RHS- | M] () -- C:\Program Files\serial.tde
[2006/08/27 07:38:28 | 001,015,973 | RHS- | M] () -- C:\Program Files\serial.zip
[2006/08/27 07:19:51 | 000,056,239 | ---- | M] () -- C:\Program Files\svchosts.tbe
[2006/10/07 12:54:40 | 000,390,023 | RHS- | M] () -- C:\Program Files\wunauclt.tbe
[2006/10/07 12:54:40 | 000,390,023 | RHS- | M] () -- C:\Program Files\wunauclt.zip

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >
[2010/07/29 01:07:48 | 000,000,308 | -HS- | M] () Unable to obtain MD5 -- C:\WINDOWS\Tasks\GVCQOA.job

< %systemroot%\System32\config\*.sav >
[2006/10/10 03:30:11 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2006/10/10 03:30:10 | 000,643,072 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2006/10/10 03:30:10 | 000,909,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-07-22 08:53:11

========== Alternate Data Streams ==========

@Alternate Data Stream - 160 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6E643A51
@Alternate Data Stream - 1227 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:PlPfloqdhL6NP7DYYQR
@Alternate Data Stream - 1225 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:V4rXnZPM6mxDAhlUJGrk
@Alternate Data Stream - 1216 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:iYHwky9sirkIrg7Om26BQ89kKrmUu
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FEE5129B
@Alternate Data Stream - 1153 bytes -> C:\Program Files\Common Files\System:bQkBaPqhFDXbiCtVfSQXDSFJi
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C425C9C0
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
@Alternate Data Stream - 1013 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:pRaIg1P4H85poW0Y1I
< End of report >


Sorry, screwed up: no Extras file...


#2
SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hello,

My name is SweetTech. I would be glad to take a look at your log and help you with solving any malware problems.

If you have already received help elsewhere please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post.
  • Please make sure to carefully read any instruction that I give you.
    Reading too lightly will cause you to miss important steps, which could have destructive effects.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. It's important to note that these instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together :)
    Because of this, you must reply within three days;
    failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic. The only time you can and should PM me is when I have not been replying to you for several days (usually around 3 days) and you need an explanation. If that's the case, just send me a message on here. :)
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.
____________________________________________________

Do you have any idea what these files are for?

C:\Program Files\serial.tde
C:\Program Files\serial.zip
C:\Program Files\svchosts.tbe
C:\Program Files\wunauclt.tbe
C:\Program Files\wunauclt.zip

OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"

    :Services
    :OTL
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
    O20 - Winlogon\Notify\WgaLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
    O33 - MountPoints2\{029d621c-6464-11db-87e9-0018f300afd6}\Shell - "" = AutoRun
    O33 - MountPoints2\{029d621c-6464-11db-87e9-0018f300afd6}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{029d621c-6464-11db-87e9-0018f300afd6}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found
    O33 - MountPoints2\{894dc727-09bb-11de-88fb-0015af044f4c}\Shell - "" = AutoRun
    O33 - MountPoints2\{894dc727-09bb-11de-88fb-0015af044f4c}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{894dc727-09bb-11de-88fb-0015af044f4c}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
    [2010/07/23 22:29:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\tcbxvalpb
    [2010/07/19 19:06:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\paul\Local Settings\Application Data\{A5AA4E40-5504-4A80-92F2-4BDA01936BEA}
    [2010/07/19 19:05:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\paul\Local Settings\Application Data\qhbcveiwv
    [2010/07/19 19:04:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\paul\Application Data\5164C7C72C869D4F087B706C0A24CC44
    [2010/07/29 01:13:22 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [2010/07/29 01:07:48 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\tasks\GVCQOA.job
    [2010/07/22 09:57:47 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Mjoda.bin
    [2010/07/19 19:06:46 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ygexamo.dat
    [2010/07/19 19:05:17 | 000,000,150 | ---- | M] () -- C:\zrpt.xml
    @Alternate Data Stream - 160 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6E643A51
    @Alternate Data Stream - 1227 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:PlPfloqdhL6NP7DYYQR
    @Alternate Data Stream - 1225 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:V4rXnZPM6mxDAhlUJGrk
    @Alternate Data Stream - 1216 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:iYHwky9sirkIrg7Om26BQ89kKrmUu
    @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FEE5129B
    @Alternate Data Stream - 1153 bytes -> C:\Program Files\Common Files\System:bQkBaPqhFDXbiCtVfSQXDSFJi
    @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C425C9C0
    @Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
    @Alternate Data Stream - 1013 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:pRaIg1P4H85poW0Y1I
    
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:

Please include the OTL fix log, as well as an update on how things are currently running.
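As an added example (not OTL's own code, and not something posted in this thread), here is a Python triage pass over OTL listing lines that flags the three indicator types SweetTech's fix above removes: hidden+system files with no publisher, files OTL could not hash, and alternate data streams other than the benign Zone.Identifier. The sample report is constructed from the format shown in the log above, and the attribute column order (R, H, S, D) is an assumption read off the entries on this page.

```python
"""Triage an OTL listing for the indicators acted on in this thread.

Added example, not part of OTL.  Flags hidden+system files with no
publisher, files OTL could not read, and non-standard ADS entries.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample in OTL's listing format, modelled on the report in this thread.
SAMPLE_OTL = r"""
< %PROGRAMFILES%\*.* >
[2005/09/28 01:56:46 | 000,185,856 | ---- | M] () -- C:\Program Files\7za.exe
[2007/10/21 11:25:40 | 000,774,144 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[2006/08/27 07:38:28 | 001,015,973 | RHS- | M] () -- C:\Program Files\serial.tde
[2006/10/07 12:54:40 | 000,390,023 | RHS- | M] () -- C:\Program Files\wunauclt.tbe

< %systemroot%\Tasks\*.job /lockedfiles >
[2010/07/29 01:07:48 | 000,000,308 | -HS- | M] () Unable to obtain MD5 -- C:\WINDOWS\Tasks\GVCQOA.job

========== Alternate Data Streams ==========

@Alternate Data Stream - 160 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6E643A51
@Alternate Data Stream - 1227 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:PlPfloqdhL6NP7DYYQR
@Alternate Data Stream - 26 bytes -> C:\Documents and Settings\paul\Desktop\OTL.exe:Zone.Identifier
< End of report >
"""

# One OTL file entry:
#   [date time | size | attrs | M/C] (company) [Unable to obtain MD5] -- path
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHSD-]{4}) \| [MC]\] \((?P<company>[^)]*)\)"
    r"(?P<nomd5> Unable to obtain MD5)? -- (?P<path>.+)$"
)
# One ADS entry: @Alternate Data Stream - N bytes -> path:stream
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<target>.+)$")

# Zone.Identifier is written by Windows for downloaded files; other stream
# names on a directory or a system path are worth a second look.
BENIGN_STREAMS = {"Zone.Identifier"}


def parse_attrs(attrs: str) -> set[str]:
    """Assumed column order for OTL's four attribute flags: R, H, S, D."""
    return {name for name, flag in zip("RHSD", attrs) if flag != "-"}


def split_ads(target: str) -> tuple[str, str]:
    """'C:\\dir\\file:stream' -> ('C:\\dir\\file', 'stream').

    rpartition keeps the drive-letter colon inside the path part.
    """
    path, _, stream = target.rpartition(":")
    return path, stream


def triage_otl(report: str) -> dict[str, list[str]]:
    """Return {path-or-stream: [reasons]} for every entry worth reviewing."""
    findings: dict[str, list[str]] = defaultdict(list)
    for raw in report.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            attrs = parse_attrs(m["attrs"])
            path = m["path"]
            # A hidden+system *file* with no publisher string is unusual outside
            # the Windows directory; the thread's serial.tde/wunauclt.tbe fit this.
            if {"H", "S"} <= attrs and "D" not in attrs and not m["company"]:
                findings[path].append("hidden+system file with no publisher")
            # OTL could not open the file: locked, or protected by something resident.
            if m["nomd5"]:
                findings[path].append("OTL could not read the file (locked or protected)")
            continue
        m = ADS_RE.match(line)
        if m:
            path, stream = split_ads(m["target"])
            if stream not in BENIGN_STREAMS:
                findings[f"{path}:{stream}"].append(f"non-standard ADS ({m['size']} bytes)")
    return dict(findings)


if __name__ == "__main__":
    for item, reasons in triage_otl(SAMPLE_OTL).items():
        print(item)
        for reason in reasons:
            print("   -", reason)
```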

#3
xor0 (Topic Starter, Member, 24 posts)
Thanks for the fast reply!

Don't recognize those files, except that MSE reports quarantining Win32/Pasur!rts on 7/26/2010, which was resident in C:\Program Files\wunauclt.exe.

Ran OTL ok, report follows.

Still getting search redirects and MSE can't update.


All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{10134636-E7AF-4AC5-A1DC-C7C44BB97D81} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10134636-E7AF-4AC5-A1DC-C7C44BB97D81}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{31CF9EBE-5755-4A1D-AC25-2834D952D9B4} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{855F3B16-6D32-4FE6-8A56-BBB695989046} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855F3B16-6D32-4FE6-8A56-BBB695989046}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{029d621c-6464-11db-87e9-0018f300afd6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{029d621c-6464-11db-87e9-0018f300afd6}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{029d621c-6464-11db-87e9-0018f300afd6}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{029d621c-6464-11db-87e9-0018f300afd6}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{029d621c-6464-11db-87e9-0018f300afd6}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{029d621c-6464-11db-87e9-0018f300afd6}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{894dc727-09bb-11de-88fb-0015af044f4c}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{894dc727-09bb-11de-88fb-0015af044f4c}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{894dc727-09bb-11de-88fb-0015af044f4c}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{894dc727-09bb-11de-88fb-0015af044f4c}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{894dc727-09bb-11de-88fb-0015af044f4c}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{894dc727-09bb-11de-88fb-0015af044f4c}\ not found.
File E:\LaunchU3.exe not found.
C:\Documents and Settings\LocalService\Local Settings\Application Data\tcbxvalpb folder moved successfully.
C:\Documents and Settings\paul\Local Settings\Application Data\{A5AA4E40-5504-4A80-92F2-4BDA01936BEA}\chrome\content folder moved successfully.
C:\Documents and Settings\paul\Local Settings\Application Data\{A5AA4E40-5504-4A80-92F2-4BDA01936BEA}\chrome folder moved successfully.
C:\Documents and Settings\paul\Local Settings\Application Data\{A5AA4E40-5504-4A80-92F2-4BDA01936BEA} folder moved successfully.
C:\Documents and Settings\paul\Local Settings\Application Data\qhbcveiwv folder moved successfully.
C:\Documents and Settings\paul\Application Data\5164C7C72C869D4F087B706C0A24CC44 folder moved successfully.
C:\WINDOWS\tasks\MP Scheduled Scan.job moved successfully.
C:\WINDOWS\tasks\GVCQOA.job moved successfully.
C:\WINDOWS\Mjoda.bin moved successfully.
C:\WINDOWS\Ygexamo.dat moved successfully.
C:\zrpt.xml moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:6E643A51 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\Microsoft:PlPfloqdhL6NP7DYYQR deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\Microsoft:V4rXnZPM6mxDAhlUJGrk deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\Microsoft:iYHwky9sirkIrg7Om26BQ89kKrmUu deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:FEE5129B deleted successfully.
ADS C:\Program Files\Common Files\System:bQkBaPqhFDXbiCtVfSQXDSFJi deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:C425C9C0 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\Microsoft:pRaIg1P4H85poW0Y1I deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: All Users

User: Blue
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 11534 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: others
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: paul
->Temp folder emptied: 1774 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 56761526 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 2078 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1614878 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 1526152 bytes

Total Files Cleaned = 57.00 mb


[EMPTYFLASH]

User: All Users

User: Blue
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: others
->Flash cache emptied: 0 bytes

User: paul
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 07292010_123306

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#4
SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hello,

Okay. We will remove them then.

OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"

    :Services
    :Files
    C:\Program Files\serial.tde
    C:\Program Files\serial.zip
    C:\Program Files\svchosts.tbe
    C:\Program Files\wunauclt.tbe
    C:\Program Files\wunauclt.zip
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:

Please post the contents of these logs in your next reply:

[2010/07/26 16:19:44 | 000,001,954 | ---- | M] () -- C:\TDSSKiller.2.4.0.0_26.07.2010_16.19.41_log.txt
[2010/07/27 14:56:02 | 000,040,416 | ---- | M] () -- C:\TDSSKiller.2.4.0.0_27.07.2010_14.53.05_log.txt

#5
xor0 (Topic Starter, Member, 24 posts)
OK, here are the logs:

All processes killed
========== SERVICES/DRIVERS ==========
========== FILES ==========
C:\Program Files\serial.tde moved successfully.
C:\Program Files\serial.zip moved successfully.
C:\Program Files\svchosts.tbe moved successfully.
C:\Program Files\wunauclt.tbe moved successfully.
C:\Program Files\wunauclt.zip moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: All Users

User: Blue
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 3428 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: others
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: paul
->Temp folder emptied: 3365 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 31132010 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 1368 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3812 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 30.00 mb


[EMPTYFLASH]

User: All Users

User: Blue
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: others
->Flash cache emptied: 0 bytes

User: paul
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 07292010_130518

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



2010/07/26 16:19:41.0312 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49
2010/07/26 16:19:41.0312 ================================================================================
2010/07/26 16:19:41.0312 SystemInfo:
2010/07/26 16:19:41.0312
2010/07/26 16:19:41.0312 OS Version: 5.1.2600 ServicePack: 3.0
2010/07/26 16:19:41.0312 Product type: Workstation
2010/07/26 16:19:41.0312 ComputerName: PCB
2010/07/26 16:19:41.0312 UserName: paul
2010/07/26 16:19:41.0312 Windows directory: C:\WINDOWS
2010/07/26 16:19:41.0312 System windows directory: C:\WINDOWS
2010/07/26 16:19:41.0312 Processor architecture: Intel x86
2010/07/26 16:19:41.0312 Number of processors: 2
2010/07/26 16:19:41.0312 Page size: 0x1000
2010/07/26 16:19:41.0312 Boot type: Normal boot
2010/07/26 16:19:41.0312 ================================================================================
2010/07/26 16:19:41.0500 Initialize success
2010/07/26 16:19:44.0000 Deinitialize success



2010/07/27 14:53:05.0031 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49
2010/07/27 14:53:05.0031 ================================================================================
2010/07/27 14:53:05.0031 SystemInfo:
2010/07/27 14:53:05.0031
2010/07/27 14:53:05.0031 OS Version: 5.1.2600 ServicePack: 3.0
2010/07/27 14:53:05.0031 Product type: Workstation
2010/07/27 14:53:05.0031 ComputerName: PCB
2010/07/27 14:53:05.0031 UserName: paul
2010/07/27 14:53:05.0031 Windows directory: C:\WINDOWS
2010/07/27 14:53:05.0031 System windows directory: C:\WINDOWS
2010/07/27 14:53:05.0031 Processor architecture: Intel x86
2010/07/27 14:53:05.0031 Number of processors: 2
2010/07/27 14:53:05.0031 Page size: 0x1000
2010/07/27 14:53:05.0031 Boot type: Normal boot
2010/07/27 14:53:05.0031 ================================================================================
2010/07/27 14:53:05.0468 Initialize success
2010/07/27 14:53:14.0078 ================================================================================
2010/07/27 14:53:14.0078 Scan started
2010/07/27 14:53:14.0078 Mode: Manual;
2010/07/27 14:53:14.0078 ================================================================================
2010/07/27 14:53:16.0234 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/07/27 14:53:17.0640 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/07/27 14:53:20.0078 ADIHdAudAddService (8ce0a2c740e6e2683b4def4e485ea331) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2010/07/27 14:53:22.0140 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/07/27 14:53:22.0843 AegisP (30bb1bde595ca65fd5549462080d94e5) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2010/07/27 14:53:23.0562 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/07/27 14:53:28.0031 AN983 (116bff96077a4a724e0aab800525ceb5) C:\WINDOWS\system32\DRIVERS\AN983.sys
2010/07/27 14:53:28.0734 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/07/27 14:53:31.0453 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/07/27 14:53:32.0203 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/07/27 14:53:33.0562 ATITool (0e4bb35c5305099ac82053ac992e3e0e) C:\WINDOWS\system32\DRIVERS\ATITool.sys
2010/07/27 14:53:34.0312 atksgt (6e996cf8459a2594e0e9609d0e34d41f) C:\WINDOWS\system32\DRIVERS\atksgt.sys
2010/07/27 14:53:35.0093 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/07/27 14:53:35.0796 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/07/27 14:53:36.0484 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/07/27 14:53:37.0187 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/07/27 14:53:38.0531 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/07/27 14:53:39.0250 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/07/27 14:53:40.0000 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/07/27 14:53:41.0968 COMMONFX.DLL (2978318127965cbb9f66d45428aa3ddf) C:\WINDOWS\System32\COMMONFX.DLL
2010/07/27 14:53:43.0281 CT20XUT.DLL (c338a508efb295478f1ab4fabacedc15) C:\WINDOWS\System32\CT20XUT.DLL
2010/07/27 14:53:44.0078 ctac32k (04a43d6b00bf09b2d5cffcd3c5790741) C:\WINDOWS\system32\drivers\ctac32k.sys
2010/07/27 14:53:44.0921 ctaud2k (f501738d0bf4de69f7307109efa0246c) C:\WINDOWS\system32\drivers\ctaud2k.sys
2010/07/27 14:53:45.0765 CTAUDFX.DLL (966b19e9f8136afbeec9a2f0cb1f2564) C:\WINDOWS\System32\CTAUDFX.DLL
2010/07/27 14:53:46.0671 ctdvda2k (c4333325d325efa668888d0d3177c6ff) C:\WINDOWS\system32\drivers\ctdvda2k.sys
2010/07/27 14:53:47.0406 CTEAPSFX.DLL (bd4bf4ba0791e9c8fb68b317443d2064) C:\WINDOWS\System32\CTEAPSFX.DLL
2010/07/27 14:53:48.0125 CTEDSPFX.DLL (f00e438964b05bea2a3cdd496751e864) C:\WINDOWS\System32\CTEDSPFX.DLL
2010/07/27 14:53:48.0843 CTEDSPIO.DLL (cddcdc0b0b8684e15f4cdb841961bcd2) C:\WINDOWS\System32\CTEDSPIO.DLL
2010/07/27 14:53:50.0140 CTEDSPSY.DLL (667df8a4e1e13a27756555f785e09cbc) C:\WINDOWS\System32\CTEDSPSY.DLL
2010/07/27 14:53:50.0890 CTERFXFX.DLL (59eb967c665f649c5cf1e6007382f982) C:\WINDOWS\System32\CTERFXFX.DLL
2010/07/27 14:53:51.0812 CTEXFIFX.DLL (06f1fa6bb9584e7042d622546ca15cf7) C:\WINDOWS\System32\CTEXFIFX.DLL
2010/07/27 14:53:52.0437 CTHWIUT.DLL (96ead0d0472c620a5bc94dde1a6e1b53) C:\WINDOWS\System32\CTHWIUT.DLL
2010/07/27 14:53:53.0109 ctprxy2k (e3aad66077b2594503ab11a31c3d2e7d) C:\WINDOWS\system32\drivers\ctprxy2k.sys
2010/07/27 14:53:53.0843 CTSBLFX.DLL (14cad906dbec361b572ab2eb1ccf390a) C:\WINDOWS\System32\CTSBLFX.DLL
2010/07/27 14:53:54.0734 ctsfm2k (72c73af1a60321d7e3aaa61859a32f0b) C:\WINDOWS\system32\drivers\ctsfm2k.sys
2010/07/27 14:53:56.0734 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/07/27 14:53:57.0640 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/07/27 14:53:58.0562 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/07/27 14:53:59.0281 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/07/27 14:54:00.0000 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/07/27 14:54:01.0328 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/07/27 14:54:02.0031 emupia (bb1d92ac27b6129d3bef215c5a1b9a84) C:\WINDOWS\system32\drivers\emupia2k.sys
2010/07/27 14:54:02.0718 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/07/27 14:54:03.0421 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/07/27 14:54:04.0093 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/07/27 14:54:04.0750 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/07/27 14:54:05.0468 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/07/27 14:54:06.0156 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/07/27 14:54:06.0859 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/07/27 14:54:07.0562 giveio (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys
2010/07/27 14:54:08.0250 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/07/27 14:54:09.0234 ha20x2k (b70a5f66a5505da65e54a4c2bab4c78f) C:\WINDOWS\system32\drivers\ha20x2k.sys
2010/07/27 14:54:09.0953 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/07/27 14:54:10.0671 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/07/27 14:54:12.0031 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/07/27 14:54:14.0000 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/07/27 14:54:14.0671 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/07/27 14:54:16.0578 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/07/27 14:54:17.0312 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/07/27 14:54:17.0968 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/07/27 14:54:18.0781 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/07/27 14:54:19.0484 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/07/27 14:54:20.0203 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/07/27 14:54:20.0890 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/07/27 14:54:21.0562 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/07/27 14:54:22.0250 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/07/27 14:54:22.0921 klmd24 (6485ad0a17a0d6286b4d44c652adabb2) C:\WINDOWS\system32\drivers\klmd.sys
2010/07/27 14:54:23.0625 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/07/27 14:54:24.0343 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/07/27 14:54:26.0328 lirsgt (975b6cf65f44e95883f3855bae8cecaf) C:\WINDOWS\system32\DRIVERS\lirsgt.sys
2010/07/27 14:54:27.0046 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\WINDOWS\system32\DRIVERS\mcdbus.sys
2010/07/27 14:54:27.0718 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/07/27 14:54:28.0390 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/07/27 14:54:29.0062 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/07/27 14:54:29.0812 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/07/27 14:54:30.0484 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/07/27 14:54:31.0187 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2010/07/27 14:54:32.0531 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/07/27 14:54:33.0343 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/07/27 14:54:34.0109 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/07/27 14:54:34.0781 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/07/27 14:54:35.0468 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/07/27 14:54:36.0125 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/07/27 14:54:36.0812 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/07/27 14:54:37.0531 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2010/07/27 14:54:38.0234 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/07/27 14:54:39.0015 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/07/27 14:54:39.0734 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/07/27 14:54:40.0406 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/07/27 14:54:41.0093 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/07/27 14:54:41.0781 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/07/27 14:54:42.0484 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/07/27 14:54:43.0203 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/07/27 14:54:43.0921 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/07/27 14:54:44.0625 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/07/27 14:54:45.0453 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/07/27 14:54:46.0359 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/07/27 14:54:50.0171 nv (30913cbf518396912e54c2c9f1dd0f09) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/07/27 14:54:53.0625 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/07/27 14:54:54.0312 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/07/27 14:54:55.0031 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
2010/07/27 14:54:55.0750 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
2010/07/27 14:54:56.0468 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
2010/07/27 14:54:57.0171 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/07/27 14:54:57.0921 ossrv (594f2968c741ca03e41e57e65f616351) C:\WINDOWS\system32\drivers\ctoss2k.sys
2010/07/27 14:54:58.0609 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/07/27 14:54:59.0328 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/07/27 14:55:00.0015 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/07/27 14:55:00.0703 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/07/27 14:55:02.0031 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/07/27 14:55:02.0750 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/07/27 14:55:07.0671 PnkBstrK (4ef662b9317d1ca5d028e5a85ff855d2) C:\WINDOWS\system32\drivers\PnkBstrK.sys
2010/07/27 14:55:08.0406 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/07/27 14:55:09.0171 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/07/27 14:55:09.0890 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/07/27 14:55:13.0953 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/07/27 14:55:14.0656 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/07/27 14:55:15.0390 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/07/27 14:55:16.0109 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/07/27 14:55:16.0812 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/07/27 14:55:17.0609 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/07/27 14:55:19.0031 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/07/27 14:55:19.0875 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/07/27 14:55:20.0625 Revoflt (8b5b8a11306190c6963d3473f052d3c8) C:\WINDOWS\system32\DRIVERS\revoflt.sys
2010/07/27 14:55:20.0750 RivaTuner32 (c0c8909be3ecc9df8089112bf9be954e) C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys
2010/07/27 14:55:21.0515 rk_remover-boot (1bdb2a8bce998ef9592d7f1ff6e76996) C:\WINDOWS\system32\drivers\rk_remover.sys
2010/07/27 14:55:22.0296 RTLWUSB (05552e37b5c0b53b7e4b95a850447e85) C:\WINDOWS\system32\DRIVERS\RTL8187.sys
2010/07/27 14:55:23.0046 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/07/27 14:55:24.0921 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/07/27 14:55:25.0703 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/07/27 14:55:26.0406 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/07/27 14:55:27.0750 SjyPkt (3d7ef286e806f9bd9339aa52e28dcd67) C:\WINDOWS\System32\Drivers\SjyPkt.sys
2010/07/27 14:55:29.0062 speedfan (d703f972d23867dfd4ee9a9ef9cb767e) C:\WINDOWS\system32\speedfan.sys
2010/07/27 14:55:29.0812 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/07/27 14:55:30.0531 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/07/27 14:55:31.0328 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/07/27 14:55:32.0093 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/07/27 14:55:32.0781 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/07/27 14:55:36.0156 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/07/27 14:55:36.0953 Tcpip (cbeebeb899e31ef52b962cb31fc8ca5c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/07/27 14:55:37.0734 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/07/27 14:55:38.0453 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/07/27 14:55:39.0250 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/07/27 14:55:40.0640 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/07/27 14:55:41.0421 UnlockerDriver5 (bb879dcfd22926efbeb3298129898cbb) C:\Program Files\Unlocker\UnlockerDriver5.sys
2010/07/27 14:55:42.0203 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/07/27 14:55:43.0000 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/07/27 14:55:43.0687 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/07/27 14:55:44.0406 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/07/27 14:55:45.0093 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/07/27 14:55:45.0953 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/07/27 14:55:46.0687 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/07/27 14:55:47.0375 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/07/27 14:55:48.0078 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/07/27 14:55:49.0640 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/07/27 14:55:50.0406 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/07/27 14:55:51.0750 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/07/27 14:55:52.0453 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/07/27 14:55:53.0140 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/07/27 14:55:53.0859 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/07/27 14:55:54.0640 yukonwxp (936a0e2d44adf93ce0df8e92aab29c6e) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
2010/07/27 14:55:54.0734 ================================================================================
2010/07/27 14:55:54.0734 Scan finished
2010/07/27 14:55:54.0734 ================================================================================
2010/07/27 14:56:02.0609 Deinitialize success
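The tail of that TDSSKiller log lists every loaded driver as timestamp, service name, MD5 and image path. As an added example (not part of the thread and not TDSSKiller's, Hitman Pro's or ComboFix's own code), the Python below parses that format, flags drivers loaded from outside the standard driver directory, and compares the reported hashes against a baseline. The standard-directory list and the baseline dictionary are assumptions constructed for the example; the baseline hashes are not genuine clean-file hashes, and the sample lines are copied from the log above. One caveat a practitioner should keep in mind: a hash computed on a machine where a kernel rootkit is active is read through the rootkit's own I/O hooks and can come back as the clean value, which is one reason a listing like this can look clean while Hitman Pro still reports a hidden driver in the disk device stack. Only a hash taken from an offline boot settles the question.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One driver line of a TDSSKiller log: timestamp, service name, MD5 in
# parentheses, then the image path (which may contain spaces).
# Lines such as "Scan finished" or the "=====" separators do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<service>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+)$"
)

# Assumption for this example: on a default Windows XP install, kernel
# drivers live under %SystemRoot%\system32\drivers. Anything loaded from
# elsewhere is not necessarily malicious (RivaTuner, Unlocker and SpeedFan
# are legitimate tools that ship their own drivers) but deserves a look.
STANDARD_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)


@dataclass(frozen=True)
class DriverEntry:
    service: str
    md5: str
    path: str

    @property
    def in_standard_dir(self) -> bool:
        p = self.path.lower()
        return any(p.startswith(d) for d in STANDARD_DRIVER_DIRS)


def parse_tdsskiller(text: str) -> List[DriverEntry]:
    """Return the driver entries of a TDSSKiller log, ignoring every other line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(DriverEntry(m["service"], m["md5"].lower(), m["path"].strip()))
    return entries


def unusual_locations(entries: List[DriverEntry]) -> List[DriverEntry]:
    """Drivers whose image path is outside the standard driver directory."""
    return [e for e in entries if not e.in_standard_dir]


def compare_to_baseline(
    entries: List[DriverEntry], baseline: Dict[str, str]
) -> Tuple[List[DriverEntry], List[DriverEntry]]:
    """Split entries into (hash differs from baseline, path not in baseline).

    baseline maps a lower-cased image path to the MD5 of the known-good file,
    e.g. taken from an identical clean machine. Caveat: a hash computed on the
    infected machine passes through the rootkit's I/O hooks and may still show
    the clean value; only a hash taken from an offline boot is trustworthy.
    """
    mismatched, unknown = [], []
    for e in entries:
        expected = baseline.get(e.path.lower())
        if expected is None:
            unknown.append(e)
        elif expected.lower() != e.md5:
            mismatched.append(e)
    return mismatched, unknown


# Sample input: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
2010/07/27 14:54:22.0921 klmd24 (6485ad0a17a0d6286b4d44c652adabb2) C:\WINDOWS\system32\drivers\klmd.sys
2010/07/27 14:54:50.0171 nv (30913cbf518396912e54c2c9f1dd0f09) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/07/27 14:55:20.0750 RivaTuner32 (c0c8909be3ecc9df8089112bf9be954e) C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys
2010/07/27 14:55:21.0515 rk_remover-boot (1bdb2a8bce998ef9592d7f1ff6e76996) C:\WINDOWS\system32\drivers\rk_remover.sys
2010/07/27 14:55:29.0062 speedfan (d703f972d23867dfd4ee9a9ef9cb767e) C:\WINDOWS\system32\speedfan.sys
2010/07/27 14:55:41.0421 UnlockerDriver5 (bb879dcfd22926efbeb3298129898cbb) C:\Program Files\Unlocker\UnlockerDriver5.sys
2010/07/27 14:55:54.0734 ================================================================================
2010/07/27 14:55:54.0734 Scan finished
"""

# Constructed baseline for illustration only: these are NOT genuine hashes of
# clean Windows files. klmd.sys is given the hash from the log (match),
# nv4_mini.sys a deliberately different one (mismatch).
CONSTRUCTED_BASELINE = {
    "c:\\windows\\system32\\drivers\\klmd.sys": "6485ad0a17a0d6286b4d44c652adabb2",
    "c:\\windows\\system32\\drivers\\nv4_mini.sys": "00000000000000000000000000000000",
}

if __name__ == "__main__":
    entries = parse_tdsskiller(SAMPLE_LOG)
    for e in unusual_locations(entries):
        print(f"non-standard location: {e.service:16} {e.path}")
    mismatched, unknown = compare_to_baseline(entries, CONSTRUCTED_BASELINE)
    for e in mismatched:
        print(f"hash differs from baseline: {e.service} {e.md5} {e.path}")
    print(f"{len(unknown)} driver(s) not in baseline")
```

Run against the sample it reports RivaTuner32, speedfan and UnlockerDriver5 as loaded from non-standard paths and nv as a baseline mismatch; the real value of the baseline check comes from feeding it a hash list produced from a clean boot of the same build.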

#6
SweetTech
    Sir SpamAlot
  • Retired Staff
  • 7,671 posts

Hitman 3.5 shows a "Possible variant of the TDL3 (alias Alureon) rootkit detected" message but can't remove it.

Does it provide you with the full file path of where it is detecting this?

#7
xor0
    Member
  • Topic Starter
  • 24 posts
Unfortunately not. It just has that message and underneath a line saying:

The device stack of the hard disk is referencing a hidden driver. This could affect the detection of malicious files.

There are also two messages to the effect:

Proxy server on this computer (User)
127.0.0.1:5643

which hitman can get rid of, but they come back every time it reboots.

Edited by xor0, 29 July 2010 - 02:34 PM.

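The proxy entry Hitman Pro keeps finding is the per-user WinINet setting under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyEnable, a DWORD, and ProxyServer, a string). A component that runs at startup can simply write it back after a cleaner removes it, which is consistent with the behaviour described in the post above, so the value is a symptom to re-check after each removal attempt rather than something to fix by hand. As an added example, not from the thread or from any of the tools mentioned, the Python below parses a "reg export" of that key and reports an enabled proxy that points at the loopback address. Both exports are constructed samples (the ProxyServer value is the one reported above), and the parser handles only the string and dword value types it needs. On the XP machine the export is produced with: reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" proxy.reg. Registry exports are normally written as UTF-16 with a byte-order mark, so open the file with encoding="utf-16" before passing its text to the function.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Per-user WinINet proxy settings live here. ProxyEnable (REG_DWORD) turns
# the proxy on; ProxyServer (REG_SZ) holds either "host:port" or a
# ";"-separated "scheme=host:port" list.
INTERNET_SETTINGS_KEY = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for a 'Windows Registry Editor Version 5.00' export.

    Returns {key path (lower-cased): {value name: raw value}}. String values
    are unquoted; dword values keep their 'dword:xxxxxxxx' form. Multi-line
    hex values (continuation lines ending in a backslash) are not needed here
    and are skipped.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip().strip('"')
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = value
    return keys


def reg_dword(raw: Optional[str]) -> int:
    """'dword:00000001' -> 1; a missing or non-dword value counts as 0."""
    if raw and raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return 0


def proxy_endpoints(proxy_server: str) -> List[Tuple[str, str, Optional[int]]]:
    """Split a ProxyServer value into (scheme, host, port) tuples.

    "127.0.0.1:5643"                     -> [("*", "127.0.0.1", 5643)]
    "http=127.0.0.1:5643;ftp=proxy:8080" -> [("http", ...), ("ftp", ...)]
    """
    out = []
    for part in proxy_server.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "*", part
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = hostport, ""
        out.append((scheme, host, int(port) if port.isdigit() else None))
    return out


def is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the literal name localhost."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def loopback_proxy_findings(reg_text: str) -> List[Tuple[str, str, Optional[int]]]:
    """Endpoints of an enabled user proxy that point back at this machine.

    An enabled proxy on 127.0.0.1 means every application that honours the
    WinINet setting (Internet Explorer among them) is relayed through some
    local process; identifying that process is the next step.
    """
    values = parse_reg_export(reg_text).get(INTERNET_SETTINGS_KEY.lower(), {})
    if reg_dword(values.get("ProxyEnable")) == 0:
        return []
    return [ep for ep in proxy_endpoints(values.get("ProxyServer", "")) if is_loopback(ep[1])]


# Constructed sample exports (not taken from the machine in this thread);
# the ProxyServer value is the one Hitman Pro reported above.
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:5643"
"ProxyOverride"="<local>"
"""

CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"""

if __name__ == "__main__":
    for scheme, host, port in loopback_proxy_findings(INFECTED_EXPORT):
        print(f"enabled {scheme} proxy points at loopback {host}:{port}")
```

Re-running the check after every reboot during the clean-up tells you whether the component that re-writes the value is still alive, which is more informative than the cleaner's "removed" message on its own.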

#8
SweetTech
    Sir SpamAlot
  • Retired Staff
  • 7,671 posts
Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

#9
xor0
    Member
  • Topic Starter
  • 24 posts
OK, ComboFix installed the Recovery Console OK and started scanning, but after just a few minutes the hard disk stopped operating and nothing further happened. It is just sitting there now with the cursor blinking and no other activity at all; it has been more than half an hour. Should I reboot it?

(posting from another machine)

#10
SweetTech
    Sir SpamAlot
  • Retired Staff
  • 7,671 posts
Do you see a blue DOS window? Did you ensure that you disabled your security programs before running ComboFix?


#11
xor0
    Member
  • Topic Starter
  • 24 posts
Yes, MSE disabled. Blue DOS window with 3 lines about scanning, 10 min or double time. Blinking cursor below that.

#12
SweetTech
    Sir SpamAlot
  • Retired Staff
  • 7,671 posts
ComboFix should never take more than 1 hour to complete.

If ComboFix has been running for more than this time and the system appears to have hung, then

open Task Manager (press Ctrl, Alt and Del at the same time, then select Task Manager)

end any processes of:

pev.exe
nircmd.exe
swreg.exe
cfxxe.exe

#13
xor0
    Member
  • Topic Starter
  • 24 posts
None of those processes are running. The only processes I don't recognize are:

mbr.cfxxe
CF17363.cfxxe

Killed the second one with Task Manager; the first one doesn't die though. ComboFix DOS window still there.

#14
SweetTech
    Sir SpamAlot
  • Retired Staff
  • 7,671 posts
Does it appear that the ComboFix scan has made any progress or is it still stuck? If it's still stuck please try and exit out of the window by clicking the x button.

#15
xor0
    Member
  • Topic Starter
  • 24 posts
Hasn't made any progress. Clicking the corner x makes the window freeze for a bit, then goes back to blinking cursor. Reboot?





