
My Drive is locked by "Safe-data.ru"



#31 BarkiAl (Member, Topic Starter, 30 posts)
No worries, I'll be here for as long as it takes or until you decide to call it a day...


#32 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
:D

#33 BarkiAl (Member, Topic Starter, 30 posts)
I've been having a read up on my clean laptop and found this: http://www.securelis..._MBR_Ransomware

If you scroll down to the next-to-bottom post by Juan, would it be worth trying, as I have Hiren's Boot CD? Just a thought.

#34 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hmm... that is essentially what we did.

My thinking is that mbrfix or maybe even the partition fix didn't work; that is why I was seeking another opinion.

I am reluctant to proceed without knowing what is not working.

Could be quite simple but experimenting is not a good idea with this one. :D

#35 BarkiAl (Member, Topic Starter, 30 posts)
OK, would it do anything to run TestDisk on the other hard disk, as we have only done it on the C drive, which has never been blocked? What would happen if we did that? It can't boot from it because there are no operating systems on it, but if we rewrote the MBR could we then access it, if it's the MBR that's infected? Just a wild grabbing of straws here, you understand.... I'll await your response; I'm going to pop out for 30 mins, and I'll only do what you suggest.

#36 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
I don't really know whether that would work. At the same time I can't think that it would make things worse... up to you, but it might be worth a try.

#37 BarkiAl (Member, Topic Starter, 30 posts)
Yippeeeee... I'm over the moon!!!!! I ran TestDisk and this selected my Share disk. I ran an analyse on it, then a write on it, and rebooted. The great news is I can see it and access the files on it... I'm over the moon with joy. Now though, what is the best way to find out what infected the PC in the first place, and which online scanner would you recommend? I'm in the process of backing up my stuff to CD.

Thank you sooooo much for helping me get this disk up & running again; it means so much not only to me but to the rest of my family. Thank you once again, you are a star.

#38 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

The great news is I can see it and access the files on it...


Well done you. :D

Now

First thing is to check what other malware might be there. Usually comes bundled.

  • Close all windows and open OTL again.
  • Click Run Scan and let the program run uninterrupted
  • It will produce a log for you. Post the log here.
After that

Please re-run ComboFix and post the log back here.

So when you return please post:
  • OTL log
  • ComboFix.txt


#39 BarkiAl (Member, Topic Starter, 30 posts)
Okay, sorry for the delay; I was backing up our pictures & video. Having done so successfully, I restarted the PC and ran OTL and then ComboFix. The logs are below. First is the TestDisk log for the previously locked disk before I rewrote the MBR, second is OTL and finally ComboFix.

Fri Jan 14 01:36:41 2011
Command line: TestDisk

TestDisk 6.12-WIP, Data Recovery Utility, April 2010
Christophe GRENIER <[email protected]>
http://www.cgsecurity.org
OS: Linux, kernel 2.6.31.2 (#5 SMP Mon Dec 7 11:56:35 UTC 2009) i686
Compiler: GCC 4.4 - Jul 27 2010 17:00:22
ext2fs lib: 1.41.9, ntfs lib: 10:0:0, reiserfs lib: 0.3.1-rc8, ewf lib: 20080501
/dev/sda: LBA, DCO support
/dev/sda: size 156301488 sectors
/dev/sda: user_max 156301488 sectors
/dev/sda: dco 156301488 sectors
/dev/sdb: LBA, HPA, DCO support
/dev/sdb: size 156250000 sectors
/dev/sdb: user_max 156250000 sectors
/dev/sdb: native_max 156250000 sectors
/dev/sdb: dco 156250000 sectors
Warning: can't get size for Disk /dev/mapper/control - 0 B - CHS 1 1 1, sector size=512
/dev/sr0 is not an ATA disk
Hard disk list
Disk /dev/sda - 80 GB / 74 GiB - CHS 9729 255 63, sector size=512 - ATA ST380011A
Disk /dev/sdb - 80 GB / 74 GiB - CHS 9726 255 63, sector size=512 - ATA WDC WD800BB-75FJ
Disk /dev/sdc - 2000 MB / 1907 MiB - CHS 1016 62 62, sector size=512 - SanDisk Cruzer Blade
Disk /dev/sr0 - 67 MB / 64 MiB - CHS 32768 1 1 (RO), sector size=2048 - HL-DT-ST DVDRAM GSA-4163B

Partition table type (auto): Intel
Disk /dev/sdb - 80 GB / 74 GiB - ATA WDC WD800BB-75FJ
Partition table type: Intel

Analyse Disk /dev/sdb - 80 GB / 74 GiB - CHS 9726 255 63
Current partition structure:
No partition is bootable
Ask the user for vista mode
Allow partial last cylinder : No
search_vista_part: 0

search_part()
Disk /dev/sdb - 80 GB / 74 GiB - CHS 9726 255 63
NTFS at 0/1/1
filesystem size 156232062
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 9764503
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 0 1 1 9724 254 63 156232062 [SHARE]
NTFS, 79 GB / 74 GiB
get_geometry_from_list_part_aux head=255 nbr=2
get_geometry_from_list_part_aux head=8 nbr=1
get_geometry_from_list_part_aux head=16 nbr=1
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=2

Results
* HPFS - NTFS 0 1 1 9724 254 63 156232062 [SHARE]
NTFS, 79 GB / 74 GiB

interface_write()
1 * HPFS - NTFS 0 1 1 9724 254 63 156232062 [SHARE]
write!

write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition
You will have to reboot for the change to take effect.

TestDisk exited normally.

***********************************OTL ****************


OTL logfile created on: 14/01/2011 02:11:49 - Run 2
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Documents and Settings\Tom\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 79.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): C:\pagefile.sys 2048 2048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 16.86 Gb Free Space | 22.62% Space Free | Partition Type: NTFS
Drive G: | 74.50 Gb Total Space | 45.92 Gb Free Space | 61.64% Space Free | Partition Type: NTFS

Computer Name: TOM | User Name: Tom | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Tom\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Tom\Desktop\OTL.exe (OldTimer Tools)


========== Win32 Services (SafeList) ==========

SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
SRV - (SoundMAX Agent Service (default)) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Driver Services (SafeList) ==========

DRV - (catchme) -- C:\DOCUME~1\Tom\LOCALS~1\Temp\catchme.sys File not found
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (IntelC52) -- C:\WINDOWS\system32\drivers\IntelC52.sys (Intel Corporation)
DRV - (IntelC51) -- C:\WINDOWS\system32\drivers\IntelC51.sys (Intel Corporation)
DRV - (IntelC53) -- C:\WINDOWS\system32\drivers\IntelC53.sys (Intel Corporation)
DRV - (mohfilt) -- C:\WINDOWS\system32\drivers\mohfilt.sys (Intel Corporation)
DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\R8139n51.sys (Realtek Semiconductor Corporation )
DRV - (ms_mpu401) -- C:\WINDOWS\system32\drivers\msmpu401.sys (Microsoft Corporation)
DRV - (aslm75) -- C:\WINDOWS\system32\drivers\ASLM75.SYS ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-343818398-1801674531-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-343818398-1801674531-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-343818398-1801674531-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/04/05 21:41:56 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/01/13 17:51:22 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-343818398-1801674531-839522115-1003\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-343818398-1801674531-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-343818398-1801674531-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-343818398-1801674531-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-343818398-1801674531-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Tom\Start Menu\Programs\IMVU\Run IMVU.lnk ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1238949709456 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Tom\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Tom\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/05 16:27:43 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/13 18:29:09 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/01/13 18:04:10 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/01/13 17:31:13 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/01/13 17:26:26 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/01/13 17:26:26 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/01/13 17:26:26 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/01/13 17:26:26 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/01/13 17:19:46 | 005,997,256 | ---- | C] (OPSWAT, Inc.) -- C:\Documents and Settings\Tom\Desktop\AppRemover.exe
[2011/01/13 17:08:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/01/13 17:05:25 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/01/11 01:40:21 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tom\Desktop\OTL.exe
[2011/01/09 12:01:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/14 02:10:00 | 000,000,968 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1801674531-839522115-1003UA.job
[2011/01/14 02:06:00 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/01/14 02:00:00 | 000,000,992 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1801674531-839522115-1004UA.job
[2011/01/14 01:38:38 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/01/14 01:38:37 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/01/14 01:38:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/13 20:10:00 | 000,000,916 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1801674531-839522115-1003Core.job
[2011/01/13 19:54:47 | 018,627,797 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\My Pictures.rar
[2011/01/13 19:54:25 | 021,186,046 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\School Work.rar
[2011/01/13 19:07:38 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\MBRCheck.exe
[2011/01/13 18:54:06 | 001,452,824 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\MBRBackup.exe
[2011/01/13 17:51:22 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/01/13 17:32:34 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/01/13 17:31:24 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/01/13 17:23:22 | 004,154,145 | R--- | M] () -- C:\Documents and Settings\Tom\Desktop\ComboFix.exe
[2011/01/13 17:20:00 | 005,997,256 | ---- | M] (OPSWAT, Inc.) -- C:\Documents and Settings\Tom\Desktop\AppRemover.exe
[2011/01/13 17:09:17 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2011/01/11 01:40:53 | 000,002,268 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\Google Chrome.lnk
[2011/01/11 01:40:53 | 000,002,246 | ---- | M] () -- C:\Documents and Settings\Tom\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/01/11 01:14:18 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tom\Desktop\OTL.exe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/13 19:54:18 | 018,627,797 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\My Pictures.rar
[2011/01/13 19:54:02 | 021,186,046 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\School Work.rar
[2011/01/13 19:18:59 | 001,452,824 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\MBRBackup.exe
[2011/01/13 19:09:21 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\MBRCheck.exe
[2011/01/13 17:31:24 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/01/13 17:31:16 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/01/13 17:26:26 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/01/13 17:26:26 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/01/13 17:26:26 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/01/13 17:26:26 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/01/13 17:26:26 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/01/13 17:04:39 | 004,154,145 | R--- | C] () -- C:\Documents and Settings\Tom\Desktop\ComboFix.exe
[2010/10/14 06:47:56 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\847u1k.dat
[2010/02/17 15:15:53 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\jsanikaraoke.txt
[2010/02/17 15:06:34 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2010/02/17 15:05:53 | 000,000,683 | ---- | C] () -- C:\WINDOWS\disney.ini
[2009/05/03 15:33:44 | 000,013,824 | ---- | C] () -- C:\Documents and Settings\Tom\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/05 18:29:39 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2009/04/05 18:17:58 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/04/05 17:57:36 | 000,006,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASLM75.SYS
[2009/03/03 11:18:04 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2005/02/24 06:32:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005/02/24 06:32:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2005/02/24 06:32:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005/02/24 06:32:00 | 000,540,672 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/02/24 06:32:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/02/24 06:32:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll

< End of report >
*************************ComboFix****************************


ComboFix 11-01-13.01 - Tom 14/01/2011 2:23.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1535.1185 [GMT 0:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mum & Dad\Application Data\Gudu
c:\documents and settings\Mum & Dad\Application Data\Gudu\tuas.zib
c:\documents and settings\Mum & Dad\Application Data\Ixxel
c:\documents and settings\Mum & Dad\Application Data\Ixxel\etki.lyy
c:\documents and settings\Mum & Dad\Application Data\Teipqy
c:\documents and settings\Mum & Dad\Application Data\Teipqy\uvig.ozr

.
((((((((((((((((((((((((( Files Created from 2010-12-14 to 2011-01-14 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2011-01-13_17.51.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-14 01:38 . 2011-01-14 01:38 16384 c:\windows\Temp\Perflib_Perfdata_73c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-03-18 07:47 136176 ----atw- c:\documents and settings\Mum & Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-12-05 00:41 8523776 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 15:18 413696 -c--a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 10:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/09/2009 16:28 133104]
.
Contents of the 'Scheduled Tasks' folder

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 16:28]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 16:28]

2011-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1801674531-839522115-1003Core.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-21 11:44]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1801674531-839522115-1003UA.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-21 11:44]

2010-11-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1801674531-839522115-1004Core.job
- c:\documents and settings\Mum & Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-12 07:47]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1801674531-839522115-1004UA.job
- c:\documents and settings\Mum & Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-12 07:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mSearch Bar = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Tom\Start Menu\Programs\IMVU\Run IMVU.lnk
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-14 02:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\System32\l3codeca.acm
c:\windows\system32\sirenacm.dll
.
Completion time: 2011-01-14 02:31:14
ComboFix-quarantined-files.txt 2011-01-14 02:30
ComboFix2.txt 2011-01-13 17:53

Pre-Run: 18,075,713,536 bytes free
Post-Run: 18,256,867,328 bytes free

- - End Of File - - 53B7004DF0553D9673C4FDB7B22C93D8
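The TestDisk log above reports one NTFS partition on the SHARE disk (CHS 0/1/1 to 9724/254/63, 156232062 sectors, 255/63 geometry) and "No partition is bootable" before the MBR was rewritten. The Python script below is an added example, not code from the thread or from TestDisk: it builds a 512-byte MBR from those values (a constructed sample with zero-filled boot code; the LBA start of 63 is derived from the geometry) and parses it back, checking the 0x55AA signature, listing the partition entries with their active flag, and hashing the boot-code region so a sector read from a disk can be compared against a previously saved copy.

```python
"""Inspect a 512-byte MBR sector: boot signature, partition table, active flag.

The sample sector is CONSTRUCTED from the values in the TestDisk log above
(NTFS partition SHARE at CHS 0/1/1 .. 9724/254/63, 156232062 sectors, 255 heads,
63 sectors per track). It is not a dump of the real disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446                 # partition table follows 446 bytes of boot code
BOOT_SIGNATURE = b"\x55\xaa"    # last two bytes of a valid MBR
ACTIVE_FLAG = 0x80              # status byte value for a bootable ("active") entry
NTFS_TYPE = 0x07                # partition type id TestDisk prints as "HPFS - NTFS"
HEADS = 255                     # geometry reported in the TestDisk log
SECTORS_PER_TRACK = 63


def chs_to_lba(cyl, head, sec):
    """Convert a CHS triple to an LBA using the reported 255/63 geometry."""
    return (cyl * HEADS + head) * SECTORS_PER_TRACK + (sec - 1)


def pack_chs(cyl, head, sec):
    """Encode CHS in the 3-byte MBR form; cylinders above 1023 are clamped, as on disk."""
    cyl = min(cyl, 1023)
    return bytes([head & 0xFF, ((cyl >> 2) & 0xC0) | (sec & 0x3F), cyl & 0xFF])


def make_entry(active, ptype, chs_start, chs_end, lba_start, sectors):
    """Build one 16-byte partition-table entry."""
    flag = ACTIVE_FLAG if active else 0x00
    return (bytes([flag]) + pack_chs(*chs_start) + bytes([ptype])
            + pack_chs(*chs_end) + struct.pack("<II", lba_start, sectors))


def build_sample_mbr(boot_code=b"", active=False):
    """Constructed MBR for the SHARE data disk; boot code is zero-filled unless given."""
    code = boot_code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET]
    share = make_entry(active, NTFS_TYPE, (0, 1, 1), (9724, 254, 63),
                       chs_to_lba(0, 1, 1), 156232062)
    return code + share + bytes(16) * 3 + BOOT_SIGNATURE


def parse_mbr(sector):
    """Return (partitions, issues) for one 512-byte sector read from a disk."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    issues = []
    if sector[510:512] != BOOT_SIGNATURE:
        issues.append("boot signature 0x55AA missing")
    partitions = []
    for i in range(4):
        raw = sector[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        flag, ptype = raw[0], raw[4]
        lba_start, sectors = struct.unpack("<II", raw[8:16])
        if ptype == 0x00:
            continue                      # unused slot
        if flag not in (0x00, ACTIVE_FLAG):
            issues.append(f"entry {i}: invalid status byte 0x{flag:02x}")
        if lba_start == 0 or sectors == 0:
            issues.append(f"entry {i}: start LBA or length is zero")
        partitions.append({"index": i, "active": flag == ACTIVE_FLAG, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return partitions, issues


def bootable_summary(partitions):
    """Mirror TestDisk's wording. A data-only disk legitimately has no active
    partition; only a disk the machine boots from needs one."""
    active = [p["index"] for p in partitions if p["active"]]
    return "No partition is bootable" if not active else f"bootable: {active}"


def boot_code_digest(sector):
    """SHA-256 of the boot-code region, so a sector read today can be compared
    with a copy saved earlier; a changed digest means the code, not just the
    partition table, was rewritten."""
    return hashlib.sha256(sector[:PT_OFFSET]).hexdigest()


if __name__ == "__main__":
    mbr = build_sample_mbr()
    parts, problems = parse_mbr(mbr)
    for p in parts:
        print(f"entry {p['index']}: type 0x{p['type']:02x} start {p['lba_start']} "
              f"sectors {p['sectors']} active={p['active']}")
    print(bootable_summary(parts), problems or "no issues", boot_code_digest(mbr)[:16])
```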

#40 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello again BarkiAl,

Just in case there is any infection in the USB sticks we have been using (or any other removable drives you have) do this:

Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder... it will help protect your drives from future infection.
Next

Please download Malwarebytes' Anti-Malware from here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Finally in this post

Please run a free online scan with the ESET Online Scanner
Note: ESET was designed to run with Internet Explorer; compatibility with other browsers has been added recently, but if you find difficulty, use Internet Explorer.
  • Click the green ESET Online Scanner box
  • Tick the box next to YES, I accept the Terms of Use
  • You may see a panel towards the top of the screen telling you the website wants to install an addon... click and allow it to install. If your firewall asks whether you want to allow installation, say yes.
  • Click Start and if your security program asks you if you want to allow the program, click yes.
  • If you anti-virus is active you may see a panel appear warning you that this may affect performance. Disabling the programs listed may speed things along.
  • Make sure that the options Remove found threats and Scan archives are checked (do not worry about advanced settings)
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt (open Notepad > File > Open and navigate to the log.txt)
  • Copy and paste that log as a reply to this topic
When you return please post
  • MBAM log
  • ESET scan results
  • and tell me how your machine is now

  • 0

#41
BarkiAl

BarkiAl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Hi, I downloaded Flash_Disinfector.exe and when I ran it on my laptop AVG said it was Malware, and when I clicked the allow button, nothing happened. Any ideas? The PC is currently running Mbam, and seems to be running as it should, very much thanks to you. I'm sure my son will be delighted when he gets up in a few hours' time to find that his PC is running again.

What did OTL & ComboFix find?
  • 0

#42
BarkiAl

BarkiAl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Hello for the last time tonight. I ran antimalware and nothing was found; log added further down. I'm currently running the ESET online scanner. From past usage, it took 2 hrs on my laptop, which only has half the disk space, so I'm going to leave it running and go to bed now, unless there is anything else you would like me to do. The PC does seem to be running just like it should be, and when I get up I will re-install an anti-virus software along with SuperAntispyware. Is there any other software that you would recommend? Also, which anti-virus would you suggest? Once again I'd like to say a BIG thank you for all of your help this evening with this problem. Thanks for tonight, and I'll send you the results from ESET later today.

Mbam Log Below


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5516

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

14/01/2011 03:17:02
mbam-log-2011-01-14 (03-17-02).txt

Scan type: Quick scan
Objects scanned: 157673
Time elapsed: 12 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#43
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hi BarkiAl,

Catch you tomorrow. Been an interesting trip, so to speak. Great working with you. :D

I am sure the ESET one will be good and then we can go to clearing away the tools we have been using.

i downloaded Flash_Disinfector.exe and when i ran it on my laptop AVG said it was Malware


Yes, sometimes anti-virus programs interpret the tools we use as malware. AVG has been a particular problem of late. I prefer the Avira one you had; I have that on my XP machine.

What did OTL & ComboFix find?


The main infection on the computer was Ransomware - safe-data.ru

There were other trojan downloader type infections with various names depending on which anti-virus company's name you would choose, e.g. Trojan.Generic.KDV.100293, Trojan.Win32.VB.anqz or Win32 downloader trojan.

Much of this sort of stuff comes from file sharing, often music or some such.

Regards
emeraldnzl
  • 0

#44
BarkiAl

BarkiAl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Good afternoon. Once again, thank you for all of your help last night. The ESET scanner completed and found some more viruses; I've enclosed the log. I've downloaded Avira AV and SuperAntiSpyware, and am currently running an "F-Secure" online Full Scan to double check that the PC is now virus free. After that I will install the above and give it another "belt & braces" scan to triple check. I will also update Java, as 3 out of 4 viruses that ESET found came from Java.

Then please could you send me instructions to remove the tools we used last night to clean up the PC.

Many thanks again, and it was a pleasure working with you

Best Regards

Alastair

Eset Log

C:\Documents and Settings\Tom\Application Data\Sun\Java\Deployment\cache\6.0\59\72a437bb-31ffe584 multiple threats deleted - quarantined
C:\Documents and Settings\Tom\Application Data\Sun\Java\Deployment\cache\6.0\62\588b6b3e-1635f19d a variant of Java/TrojanDownloader.OpenStream.NAS trojan deleted - quarantined
C:\Documents and Settings\Tom\Application Data\Sun\Java\Deployment\cache\6.0\62\588b6b3e-23868dc7 a variant of Java/TrojanDownloader.OpenStream.NAS trojan deleted - quarantined
C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Win32/Olmarik.AJL trojan cleaned by deleting - quarantined

Edited by BarkiAl, 14 January 2011 - 09:41 AM.

  • 0

#45
BarkiAl

BarkiAl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Just installed Avira AV and it's found another boot sector virus on the Share Disk. I'm currently running a full scan on everything, and I've posted the log below so you can see what's going on. Any help or advice would be appreciated.




Avira AntiVir Personal
Report file date: 14 January 2011 17:31

Scanning for 2369745 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : Tom
Computer name : TOM

Version information:
BUILD.DAT : 10.0.0.609 31824 Bytes 13/12/2010 09:43:00
AVSCAN.EXE : 10.0.3.5 435368 Bytes 14/01/2011 17:22:24
AVSCAN.DLL : 10.0.3.0 46440 Bytes 14/01/2011 17:22:38
LUKE.DLL : 10.0.3.2 104296 Bytes 14/01/2011 17:22:26
LUKERES.DLL : 10.0.0.1 12648 Bytes 14/01/2011 17:22:38
VBASE000.VDF : 7.10.0.0 19875328 Bytes 06/11/2009 17:22:32
VBASE001.VDF : 7.11.0.0 13342208 Bytes 14/12/2010 17:30:29
VBASE002.VDF : 7.11.0.1 2048 Bytes 14/12/2010 17:30:29
VBASE003.VDF : 7.11.0.2 2048 Bytes 14/12/2010 17:30:29
VBASE004.VDF : 7.11.0.3 2048 Bytes 14/12/2010 17:30:29
VBASE005.VDF : 7.11.0.4 2048 Bytes 14/12/2010 17:30:29
VBASE006.VDF : 7.11.0.5 2048 Bytes 14/12/2010 17:30:30
VBASE007.VDF : 7.11.0.6 2048 Bytes 14/12/2010 17:30:30
VBASE008.VDF : 7.11.0.7 2048 Bytes 14/12/2010 17:30:30
VBASE009.VDF : 7.11.0.8 2048 Bytes 14/12/2010 17:30:30
VBASE010.VDF : 7.11.0.9 2048 Bytes 14/12/2010 17:30:30
VBASE011.VDF : 7.11.0.10 2048 Bytes 14/12/2010 17:30:30
VBASE012.VDF : 7.11.0.11 2048 Bytes 14/12/2010 17:30:30
VBASE013.VDF : 7.11.0.52 128000 Bytes 16/12/2010 17:30:31
VBASE014.VDF : 7.11.0.91 226816 Bytes 20/12/2010 17:30:31
VBASE015.VDF : 7.11.0.122 136192 Bytes 21/12/2010 17:30:32
VBASE016.VDF : 7.11.0.156 122880 Bytes 24/12/2010 17:30:32
VBASE017.VDF : 7.11.0.185 146944 Bytes 27/12/2010 17:30:32
VBASE018.VDF : 7.11.0.228 132608 Bytes 30/12/2010 17:30:33
VBASE019.VDF : 7.11.1.5 148480 Bytes 03/01/2011 17:30:33
VBASE020.VDF : 7.11.1.37 156672 Bytes 07/01/2011 17:30:33
VBASE021.VDF : 7.11.1.65 140800 Bytes 10/01/2011 17:30:34
VBASE022.VDF : 7.11.1.87 225280 Bytes 11/01/2011 17:30:34
VBASE023.VDF : 7.11.1.124 125440 Bytes 14/01/2011 17:30:35
VBASE024.VDF : 7.11.1.125 2048 Bytes 14/01/2011 17:30:35
VBASE025.VDF : 7.11.1.126 2048 Bytes 14/01/2011 17:30:35
VBASE026.VDF : 7.11.1.127 2048 Bytes 14/01/2011 17:30:35
VBASE027.VDF : 7.11.1.128 2048 Bytes 14/01/2011 17:30:35
VBASE028.VDF : 7.11.1.129 2048 Bytes 14/01/2011 17:30:35
VBASE029.VDF : 7.11.1.130 2048 Bytes 14/01/2011 17:30:35
VBASE030.VDF : 7.11.1.131 2048 Bytes 14/01/2011 17:30:35
VBASE031.VDF : 7.11.1.144 41472 Bytes 14/01/2011 17:30:35
Engineversion : 8.2.4.140
AEVDF.DLL : 8.1.2.1 106868 Bytes 14/01/2011 17:22:23
AESCRIPT.DLL : 8.1.3.52 1282426 Bytes 14/01/2011 17:30:41
AESCN.DLL : 8.1.7.2 127349 Bytes 14/01/2011 17:22:23
AESBX.DLL : 8.1.3.2 254324 Bytes 14/01/2011 17:22:23
AERDL.DLL : 8.1.9.2 635252 Bytes 14/01/2011 17:22:23
AEPACK.DLL : 8.2.4.7 512375 Bytes 14/01/2011 17:30:40
AEOFFICE.DLL : 8.1.1.10 201084 Bytes 14/01/2011 17:22:23
AEHEUR.DLL : 8.1.2.64 3154294 Bytes 14/01/2011 17:30:39
AEHELP.DLL : 8.1.16.0 246136 Bytes 14/01/2011 17:22:23
AEGEN.DLL : 8.1.5.1 397683 Bytes 14/01/2011 17:30:36
AEEMU.DLL : 8.1.3.0 393589 Bytes 14/01/2011 17:22:23
AECORE.DLL : 8.1.19.0 196984 Bytes 14/01/2011 17:22:23
AEBB.DLL : 8.1.1.0 53618 Bytes 14/01/2011 17:22:23
AVWINLL.DLL : 10.0.0.0 19304 Bytes 14/01/2011 17:22:24
AVPREF.DLL : 10.0.0.0 44904 Bytes 14/01/2011 17:22:24
AVREP.DLL : 10.0.0.8 62209 Bytes 14/01/2011 17:22:24
AVREG.DLL : 10.0.3.2 53096 Bytes 14/01/2011 17:22:24
AVSCPLR.DLL : 10.0.3.2 84328 Bytes 14/01/2011 17:22:24
AVARKT.DLL : 10.0.22.6 231784 Bytes 14/01/2011 17:22:24
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 14/01/2011 17:22:24
SQLITE3.DLL : 3.6.19.0 355688 Bytes 14/01/2011 17:22:27
AVSMTP.DLL : 10.0.0.17 63848 Bytes 14/01/2011 17:22:24
NETNT.DLL : 10.0.0.0 11624 Bytes 14/01/2011 17:22:26
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 14/01/2011 17:22:38
RCTEXT.DLL : 10.0.58.0 97128 Bytes 14/01/2011 17:22:38

Configuration settings for the scan:
Jobname.............................: Short system scan after installation
Configuration file..................: c:\program files\avira\antivir desktop\setupprf.dat
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: 14 January 2011 17:31

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avconfig.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'setup.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'SMAgent.exe' - '1' Module(s) have been scanned
Scan process 'SeaPort.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[DETECTION] Contains code of the BOO/Seftad.A boot sector virus
[NOTE] The boot sector was not written!

Start scanning boot sectors:

Starting to scan executable files (registry).

The registry was scanned ( '1662' files ).



End of the scan: 14 January 2011 17:32
Used time: 00:53 Minute(s)

The scan has been done completely.

0 Scanned directories
1693 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
1693 Files not concerned
2 Archives were scanned
0 Warnings
1 Notes
  • 0
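The Avira report above flags HD1's master boot sector, and the ESET log earlier shows ComboFix's quarantined copy of the HD0 MBR (MBR_HardDisk0.mbr) being detected. When a responder has such a 512-byte MBR image, the checks below help confirm what changed. This is an added example, not code from the thread or from any of the tools mentioned; it assumes a raw 512-byte image and a SHA-256 of a known-good copy of the same disk's bootstrap code, and the sample images are constructed inline.

```python
# Added example: inspect a 512-byte MBR image and flag signs that its bootstrap code was replaced.
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446            # bootstrap code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR

def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR image into bootstrap hash, non-empty partition entries and a signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte image, got {len(mbr)}")
    partitions = []
    for i in range(4):
        entry = mbr[BOOTSTRAP_LEN + 16 * i: BOOTSTRAP_LEN + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)  # skip CHS fields
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
            "partitions": partitions,
            "signature_ok": mbr[510:512] == BOOT_SIGNATURE}

def assess_mbr(mbr: bytes, known_good_bootstrap_sha256: str) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootstrap_sha256"] != known_good_bootstrap_sha256:
        findings.append("bootstrap code differs from the known-good copy")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    return findings

# Constructed sample images (not real disk contents); entries are (status, type, lba_start, sectors).
def build_mbr(bootstrap: bytes, entries: list) -> bytes:
    table = b"".join(struct.pack("<B3xB3xII", st, ty, lba, n) for st, ty, lba, n in entries)
    table = table.ljust(64, b"\x00")
    return bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN] + table + BOOT_SIGNATURE

GOOD_BOOTSTRAP = bytes(range(256)) * 2             # stand-in for the vendor's boot code
CLEAN_MBR = build_mbr(GOOD_BOOTSTRAP, [(0x80, 0x07, 63, 20_000_000)])
KNOWN_GOOD_HASH = hashlib.sha256(CLEAN_MBR[:BOOTSTRAP_LEN]).hexdigest()
# Same partition table, but the first 32 bytes of boot code were overwritten.
TAMPERED_MBR = build_mbr(b"\x90" * 32 + GOOD_BOOTSTRAP[32:], [(0x80, 0x07, 63, 20_000_000)])

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, assess_mbr(img, KNOWN_GOOD_HASH) or ["no findings"])
```

A hash mismatch on its own only says the bootstrap code is not the copy you baselined, so compare against an image taken from the same installation, not a generic Windows MBR.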