Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

MALware or worse?


  • This topic is locked This topic is locked

#16
Texx01

Texx01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
OTL logfile created on: 6/5/2011 1:43:59 PM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

494.73 Mb Total Physical Memory | 61.17 Mb Available Physical Memory | 12.36% Memory free
2.40 Gb Paging File | 1.90 Gb Available in Paging File | 79.27% Paging File free
Paging file location(s): C:\pagefile.sys 2048 2048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.00 Gb Total Space | 101.27 Gb Free Space | 67.96% Space Free | Partition Type: NTFS

Computer Name: HOME2 | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\User\desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe (LeapFrog Enterprises, Inc.)
PRC - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (TomTom)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Ahead\InCD\InCD.exe (Nero AG)
PRC - C:\Program Files\Ahead\InCD\InCDsrv.exe (Nero AG)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\User\desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (LeapFrog Connect Device Service) -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe (LeapFrog Enterprises, Inc.)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SRV - (TomTomHOMEService) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (TomTom)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (Adobe Version Cue CS3) -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe (Adobe Systems Incorporated)
SRV - (InCDsrv) -- C:\Program Files\Ahead\InCD\InCDsrv.exe (Nero AG)
SRV - (SoundMAX Agent Service (default)) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Driver Services (SafeList) ==========

DRV - (MpKsl6872dcbf) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4055CB2B-D9BF-4D1C-9B56-095A980CFC39}\MpKsl6872dcbf.sys (Microsoft Corporation)
DRV - (MpKsl8d8d8aec) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4055CB2B-D9BF-4D1C-9B56-095A980CFC39}\MpKsl8d8d8aec.sys (Microsoft Corporation)
DRV - (MpKsl47cc204a) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4055CB2B-D9BF-4D1C-9B56-095A980CFC39}\MpKsl47cc204a.sys (Microsoft Corporation)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (speedfan) -- C:\WINDOWS\system32\speedfan.sys (Windows ® 2000 DDK provider)
DRV - (incdrm) -- C:\WINDOWS\System32\drivers\InCDrm.sys (Nero AG)
DRV - (InCDfs) -- C:\WINDOWS\System32\drivers\InCDfs.sys (Nero AG)
DRV - (InCDPass) -- C:\WINDOWS\system32\drivers\InCDpass.sys (Nero AG)
DRV - (sf) -- C:\WINDOWS\system32\drivers\sf.sys (Sonic Focus, Inc)
DRV - (senfilt) -- C:\WINDOWS\system32\drivers\senfilt.sys (Sensaura)
DRV - (ovt519) -- C:\WINDOWS\system32\drivers\ov519vid.sys (OmniVision Technologies, Inc.)
DRV - (MidiSyn) -- C:\WINDOWS\system32\drivers\MidiSyn.sys (Analog Devices Inc)
DRV - (FA312) -- C:\WINDOWS\system32\drivers\FA312nd5.sys (NETGEAR Corp.)
DRV - (es1371) Creative AudioPCI (ES1371,ES1373) (WDM) -- C:\WINDOWS\system32\drivers\es1371mp.sys (Creative Technology Ltd.)
DRV - (giveio) -- C:\WINDOWS\system32\giveio.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:3.11.3.15590
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..keyword.URL: "http://us.yhs.search...2-tb-web_us&p="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/09 22:00:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/09 22:00:05 | 000,000,000 | ---D | M]

[2009/03/24 01:03:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2008/12/23 22:14:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions\[email protected]
[2011/06/04 14:18:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\la83ce80.default\extensions
[2010/04/28 08:09:18 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\la83ce80.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/03/03 22:18:25 | 000,000,000 | ---D | M] (New Tabs at the End) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\la83ce80.default\extensions\[email protected]
[2011/06/04 15:00:32 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/15 08:36:36 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/10/15 21:39:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/06/04 15:00:32 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
File not found (No name found) --
[2011/06/04 15:00:14 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/05/09 21:59:54 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2011/04/30 19:57:14 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPcol400.dll
[2011/04/30 19:57:14 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPcol500.dll
[2009/11/19 17:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2011/06/04 15:00:12 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/11/19 17:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
[2011/05/09 21:59:58 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

Hosts file not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe (Nero AG)
O4 - HKCU..\Run: [PowerBar] C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe (Cyberlink, Corp.)
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll (Google Inc.)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (Intertrust Technologies, Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.appl...ex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {32505657-9980-0010-8000-00AA00389B71} http://download.micr...01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1279164465406 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2....re/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.h...ctDetection.cab (GMNRev Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Web-Based Email Tools http://email.secures...et/Download.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/27 16:48:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/11/08 08:57:20 | 000,000,000 | ---D | M] - C:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17746534284132352)

========== Files/Folders - Created Within 30 Days ==========

[2011/06/05 13:39:36 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2011/06/04 15:04:24 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\TFC.exe
[2011/06/04 15:00:30 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/06/04 15:00:30 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/06/04 15:00:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/06/04 15:00:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/06/04 14:59:59 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2011/06/04 14:18:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2011/06/04 10:41:11 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/06/04 00:25:23 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/06/03 20:33:29 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/06/03 17:30:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\User\Start Menu\Programs\Administrative Tools
[2011/06/02 18:14:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/06/01 06:36:44 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/05/28 19:18:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/05/28 13:49:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/05/28 13:49:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/05/27 22:23:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/05/27 00:10:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/05/27 00:10:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/05/12 00:27:49 | 000,000,000 | -HSD | C] -- C:\WINDOWS\ftpcache
[2011/05/07 17:54:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\New Folder

========== Files - Modified Within 30 Days ==========
  • 0

Advertisements


#17
Texx01

Texx01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
[2011/06/05 13:47:26 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/05 13:39:42 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2011/06/05 13:33:28 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/05 13:32:13 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/05 13:31:55 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/05 13:26:17 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/05 12:30:18 | 001,553,968 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/06/04 15:04:25 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\TFC.exe
[2011/06/04 15:00:12 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/06/04 15:00:12 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/06/04 15:00:12 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/06/04 15:00:12 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/06/04 15:00:12 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/06/03 20:33:40 | 000,000,435 | RHS- | M] () -- C:\boot.ini
[2011/06/03 01:50:35 | 000,870,128 | ---- | M] () -- C:\Documents and Settings\User\Application Data\mcs.rma
[2011/06/03 01:50:35 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\User\Application Data\51AE63
[2011/06/03 01:48:53 | 000,008,864 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2011/06/01 06:36:44 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/05/24 19:14:10 | 000,222,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2011/05/07 19:24:36 | 000,000,022 | ---- | M] () -- C:\WINDOWS\kodakpcd.User.ini
[2011/05/07 18:26:41 | 000,049,664 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Files Created - No Company Name ==========

[2011/06/03 20:33:39 | 000,000,319 | ---- | C] () -- C:\Boot.bak
[2011/06/03 20:33:31 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/05/27 00:10:59 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/09 22:00:08 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/05/07 19:24:36 | 000,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.User.ini
[2010/04/30 23:28:59 | 000,008,864 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/04/23 00:35:35 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\User\Application Data\51AE63
[2010/04/23 00:35:34 | 000,870,128 | ---- | C] () -- C:\Documents and Settings\User\Application Data\mcs.rma
[2010/03/01 21:23:15 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/01/06 00:13:34 | 000,200,704 | R--- | C] () -- C:\WINDOWS\sel3110.exe
[2010/01/06 00:13:34 | 000,040,960 | R--- | C] () -- C:\WINDOWS\CleanDev.exe
[2010/01/06 00:13:33 | 000,032,528 | R--- | C] () -- C:\WINDOWS\amcap.exe
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/03/24 01:03:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/02/10 12:12:31 | 000,073,220 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2009/02/10 12:12:31 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2009/02/10 12:12:31 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2009/02/10 12:12:31 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2009/02/10 12:12:31 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2009/02/10 12:12:31 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2009/02/10 12:12:31 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2009/02/10 12:12:31 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2009/02/10 12:12:31 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2009/02/10 12:12:31 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2009/02/10 12:12:31 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2009/02/10 12:12:31 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2009/02/10 12:12:31 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2009/02/10 12:12:31 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2009/02/10 12:12:31 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2009/02/10 12:12:31 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/02/10 12:11:16 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPWF500.ini
[2008/12/16 00:07:38 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/09/17 21:40:19 | 000,049,664 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/09/14 14:50:38 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2008/09/11 22:27:18 | 000,012,415 | ---- | C] () -- C:\WINDOWS\hpdj5100.ini
[2008/09/11 21:52:18 | 000,269,056 | ---- | C] () -- C:\WINDOWS\Invasion3042 Uninstaller.exe
[2008/09/10 21:28:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\lgfwup.ini
[2008/09/10 21:21:40 | 000,040,960 | ---- | C] () -- C:\Program Files\Uninstall_CDS.exe
[2008/07/27 19:12:28 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008/07/27 16:50:26 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/07/27 16:45:27 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/07/27 13:38:32 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/07/27 13:37:31 | 001,553,968 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/02/28 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 07:00:00 | 000,435,260 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 07:00:00 | 000,068,156 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/02/28 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[1996/04/03 14:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2009/09/16 08:36:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2009/02/10 12:13:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2010/12/26 12:52:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Leapfrog
[2008/12/23 22:14:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom
[2010/11/13 20:06:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\usb-set
[2011/04/30 19:57:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Catalina Marketing Corp
[2009/02/10 12:19:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\EPSON
[2010/08/05 23:54:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\GlarySoft
[2008/09/10 21:26:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\InterTrust
[2009/02/10 12:15:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Leadertech
[2008/10/18 22:47:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\LucasArts
[2010/09/06 09:25:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\MSNInstaller
[2008/10/24 21:22:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Petroglyph
[2010/06/07 09:56:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\SanDisk
[2008/09/10 20:19:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\SPORE
[2008/12/23 22:13:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\TomTom

========== Purity Check ==========



========== Custom Scans ==========
  • 0

#18
Texx01

Texx01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
< %SYSTEMDRIVE%\*.* >
[2008/07/27 16:48:04 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/08/28 09:00:32 | 000,000,319 | ---- | M] () -- C:\Boot.bak
[2011/06/03 20:33:40 | 000,000,435 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2008/07/27 16:48:04 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2011/06/03 12:47:18 | 000,269,257 | ---- | M] () -- C:\hpfr5100.log
[2008/07/27 16:48:04 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/07/27 16:48:04 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2006/02/28 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/01/14 08:55:52 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2011/06/05 13:31:49 | 2147,483,648 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2008/07/27 16:47:41 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2006/10/26 18:58:12 | 000,030,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
[2006/10/26 18:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll
[2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2003/09/03 06:46:54 | 000,010,960 | ---- | M] () -- C:\Program Files\EULA.txt
[2003/12/18 10:33:46 | 000,020,102 | ---- | M] () -- C:\Program Files\Readme.txt
[2004/10/01 15:00:16 | 000,040,960 | ---- | M] () -- C:\Program Files\Uninstall_CDS.exe

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2008/07/27 13:36:45 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/07/27 13:36:45 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/07/27 13:36:45 | 000,884,736 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2009/01/14 09:03:39 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2008/07/27 16:55:08 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2008/07/27 16:55:08 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
  • 0

#19
Texx01

Texx01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
< %USERPROFILE%\Desktop\*.exe >
[2011/06/05 13:39:42 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\desktop\OTL.exe
[2011/06/04 15:04:25 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\desktop\TFC.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >
  • 0

#20
Texx01

Texx01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >
  • 0

#21
Texx01

Texx01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Sorry about that but it would not let me post the whole log at one time, seems I can not post the last 5 lines of the log. Doing the same thing with the extras log now.

Edited by Texx01, 05 June 2011 - 12:30 PM.

  • 0

#22
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
If you are having trouble posting the results you can try attaching them instead. That would be fine in this case.
  • 0

#23
Texx01

Texx01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
OK here you go

Attached Files


  • 0

#24
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
I'm not seeing anything in the OTL logs. Were you able to run the GMER scan? If it won't post you can attach it.
  • 0

#25
Texx01

Texx01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Sorry about that hectic day yesterday, I tried to run the Gmer but put it would rest the computer befor it finished loading.
  • 0

Advertisements


#26
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
Let's try to run GMER again, please be sure you have your anti-virus disabled during the scan.

Ideally, we'd like to run GMER in normal mode, but if it won't run in normal mode please do the following:

Boot your computer in Safe Mode
  • Turn the computer on or Restart the computer
  • As soon as BIOS is loaded, start tapping the F8 key.
  • The Windows Advanced Options Menu appears.
    If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Use the arrow keys to select the Safe Mode menu option.
  • Press Enter.
  • The computer then begins to start in Safe mode.
  • Log into your usual account

Then try running GMER with just "sections" and the "c:\" drive checked, leave everything else blank. After running it, reboot into normal mode.

If you still can't get it to run, please let me know.
  • 0

#27
Texx01

Texx01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
OK I got it to run in safe mode here are the results


GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-07 23:47:32
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 ST3160828AS rev.8.03
Running: gmer.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\kxtdipow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[684] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\svchost.exe[684] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\svchost.exe[684] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E4000C
.text C:\WINDOWS\system32\svchost.exe[684] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 009E000A
.text C:\WINDOWS\Explorer.EXE[972] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D3000A
.text C:\WINDOWS\Explorer.EXE[972] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D4000A
.text C:\WINDOWS\Explorer.EXE[972] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D2000C

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8630231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8630231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-5 8630231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8630231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8630231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-1b 8630231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-13 8630231B

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 [email protected] code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
  • 0

#28
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
  • 0

#29
Texx01

Texx01

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
C:\Documents and Settings\User\Desktop\Tools\Data Sheets
ComboFix 11-06-07.03 - User 06/08/2011 17:01:09.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.124 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-08 to 2011-06-08 )))))))))))))))))))))))))))))))
.
.
2011-06-08 21:58 . 2011-06-08 21:58 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4055CB2B-D9BF-4D1C-9B56-095A980CFC39}\MpKsl126aca19.sys
2011-06-08 12:23 . 2011-06-08 12:23 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4055CB2B-D9BF-4D1C-9B56-095A980CFC39}\MpKsl567bb853.sys
2011-06-08 04:53 . 2011-06-08 04:53 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4055CB2B-D9BF-4D1C-9B56-095A980CFC39}\MpKsl876e4b74.sys
2011-06-08 02:17 . 2011-06-08 02:17 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4055CB2B-D9BF-4D1C-9B56-095A980CFC39}\MpKslbef7d13d.sys
2011-06-08 02:11 . 2011-06-08 02:11 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-06-08 02:07 . 2011-06-08 02:08 -------- d-----w- c:\documents and settings\Administrator
2011-06-05 06:04 . 2011-05-09 20:46 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4055CB2B-D9BF-4D1C-9B56-095A980CFC39}\mpengine.dll
2011-06-04 20:00 . 2011-06-04 20:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-04 19:59 . 2011-06-04 19:59 -------- d-----w- c:\program files\Java
2011-06-04 15:41 . 2011-06-04 15:41 -------- d-----w- c:\program files\ESET
2011-06-02 23:14 . 2011-06-02 23:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-06-01 11:36 . 2011-06-01 11:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-29 00:18 . 2011-05-29 00:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-12 05:27 . 2011-05-12 05:27 -------- d-sh--w- c:\windows\ftpcache
2011-05-10 02:59 . 2011-05-10 02:59 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-10 02:59 . 2011-05-10 02:59 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-10 02:59 . 2011-05-10 02:59 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-10 02:59 . 2011-05-10 02:59 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-10 02:59 . 2011-05-10 02:59 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-10 02:59 . 2011-05-10 02:59 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-10 02:59 . 2011-05-10 02:59 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-10 02:59 . 2011-05-10 02:59 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-04 20:00 . 2010-05-15 13:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-29 14:11 . 2010-10-16 03:02 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11 . 2010-10-16 03:02 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-25 00:14 . 2010-10-16 07:16 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-09 20:46 . 2010-10-17 16:42 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2004-10-01 20:00 . 2008-09-11 02:21 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2011-05-10 02:59 . 2011-05-10 02:59 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-13 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-16 1397760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-12 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
"igfxtray"=c:\windows\system32\igfxtray.exe
"igfxhkcmd"=c:\windows\system32\hkcmd.exe
"igfxpers"=c:\windows\system32\igfxpers.exe
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
"SoundMAXPnP"=c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe
"Adobe_ID0EYTHM"=c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" blrun
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"
"HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\fpupdate.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R1 MpKsl126aca19;MpKsl126aca19;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4055CB2B-D9BF-4D1C-9B56-095A980CFC39}\MpKsl126aca19.sys [6/8/2011 4:58 PM 28752]
R1 MpKsl567bb853;MpKsl567bb853;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4055CB2B-D9BF-4D1C-9B56-095A980CFC39}\MpKsl567bb853.sys [6/8/2011 7:23 AM 28752]
R1 MpKsl876e4b74;MpKsl876e4b74;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4055CB2B-D9BF-4D1C-9B56-095A980CFC39}\MpKsl876e4b74.sys [6/7/2011 11:53 PM 28752]
R1 MpKslbef7d13d;MpKslbef7d13d;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4055CB2B-D9BF-4D1C-9B56-095A980CFC39}\MpKslbef7d13d.sys [6/7/2011 9:17 PM 28752]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/8/2009 5:38 AM 92008]
S1 MpKsl01375d09;MpKsl01375d09;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{52CC2763-6795-4F4B-ACA1-91072C608453}\MpKsl01375d09.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{52CC2763-6795-4F4B-ACA1-91072C608453}\MpKsl01375d09.sys [?]
S1 MpKsl22a35883;MpKsl22a35883;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC0A26A0-9877-49B5-8F95-7003387B4F45}\MpKsl22a35883.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CC0A26A0-9877-49B5-8F95-7003387B4F45}\MpKsl22a35883.sys [?]
S1 MpKsl2f59733b;MpKsl2f59733b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{83B27CD3-1A11-4692-8285-0188132F9DE9}\MpKsl2f59733b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{83B27CD3-1A11-4692-8285-0188132F9DE9}\MpKsl2f59733b.sys [?]
S1 MpKsl3b450fae;MpKsl3b450fae;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{973261E3-7CC4-493B-82D8-ECD852254FD3}\MpKsl3b450fae.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{973261E3-7CC4-493B-82D8-ECD852254FD3}\MpKsl3b450fae.sys [?]
S1 MpKsl40166da2;MpKsl40166da2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{270EB84C-17E5-4FF4-845B-A18635983272}\MpKsl40166da2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{270EB84C-17E5-4FF4-845B-A18635983272}\MpKsl40166da2.sys [?]
S1 MpKsl4f3e2792;MpKsl4f3e2792;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{94F6AAD1-9406-4646-87AE-692777AF0118}\MpKsl4f3e2792.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{94F6AAD1-9406-4646-87AE-692777AF0118}\MpKsl4f3e2792.sys [?]
S1 MpKsl64572d2b;MpKsl64572d2b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{668F37A9-DA64-4B48-822F-F84FDEE633DD}\MpKsl64572d2b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{668F37A9-DA64-4B48-822F-F84FDEE633DD}\MpKsl64572d2b.sys [?]
S1 MpKsl89c599d9;MpKsl89c599d9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56140C6B-7B29-432B-AE04-A3B4A909CF30}\MpKsl89c599d9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56140C6B-7B29-432B-AE04-A3B4A909CF30}\MpKsl89c599d9.sys [?]
S1 MpKsl99b4965b;MpKsl99b4965b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{94F6AAD1-9406-4646-87AE-692777AF0118}\MpKsl99b4965b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{94F6AAD1-9406-4646-87AE-692777AF0118}\MpKsl99b4965b.sys [?]
S1 MpKsl9fb2e619;MpKsl9fb2e619;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1613B88A-A9AA-4A8D-B56D-DFF7F41BEDC4}\MpKsl9fb2e619.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1613B88A-A9AA-4A8D-B56D-DFF7F41BEDC4}\MpKsl9fb2e619.sys [?]
S1 MpKslcc76cc7a;MpKslcc76cc7a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96B71B2F-7271-431C-961C-3C03AA597726}\MpKslcc76cc7a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{96B71B2F-7271-431C-961C-3C03AA597726}\MpKslcc76cc7a.sys [?]
S1 MpKsldf6aea94;MpKsldf6aea94;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0F876F22-6232-433E-84DB-59359B06E3A5}\MpKsldf6aea94.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0F876F22-6232-433E-84DB-59359B06E3A5}\MpKsldf6aea94.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/9/2010 6:49 PM 135664]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/9/2010 6:49 PM 135664]
S3 krdpdre;krdpdre;\??\c:\docume~1\User\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\User\LOCALS~1\Temp\krdpdre.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL126ACA19
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 23:49]
.
2011-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 23:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\la83ce80.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-08 17:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160828AS rev.8.03 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8635131B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1409082233-492894223-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:ff,6b,5b,d9,d3,d5,e1,70,1c,8b,66,e3,7b,72,d6,b0,e1,56,f7,c1,90,
6f,af,d1,cb,d8,06,63,af,2c,e0,1e,77,18,83,92,04,ec,17,f2,00,fd,79,b7,eb,e1,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(612)
c:\windows\system32\WININET.dll
.
Completion time: 2011-06-08 17:27:02
ComboFix-quarantined-files.txt 2011-06-08 22:26
.
Pre-Run: 108,764,766,208 bytes free
Post-Run: 108,887,908,352 bytes free
.
- - End Of File - - 808E15BF35CDDE78A97D58B9A8E67717

Edited by Texx01, 08 June 2011 - 05:15 PM.

  • 0

#30
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image

  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP