Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Challenging Rootkit


  • Please log in to reply

#1
rootkits-r-evil

rootkits-r-evil

    Member

  • Member
  • PipPipPip
  • 168 posts
Sigh.

Dang. I'm sure this is some sort of rootkit. (TDL4?) It's not the first time I've had one of these buggers, and I've grown pretty good at spotting it when one of these is trying to force it's way in. And I've gotten good at getting rid of these sort of critters. Honest. But this time it deployed while my back was turned, and it had plenty of time to do it's dirty work. By the time I noticed anything was wrong, (a blue screen of death was the first clue), it was too late.

Google redirects, OS behaving oddly, programs won't start (Malwarebytes shut itself off, etc.) , all the signs of a rootkit.


I spent some time trying to get rid of it myself, and I did manage to bring the machine back to life, using Malwarebytes and Kapersky virus removerthingy. It showed several examples of the same rootkit, "patched.mf" somethingorother, and did get them out.

BUT,.... I realize that in the process I've got it at the point now where I do need the help of someone like you- so here I am. (I think in removing the bad stuff it yanked out some good stuff.)

----------> So in a word, .... "Help." (Or rather, "Please help.")


I can see that the virus is still lurking in my machine, and I need to get it out. Then no doubt I need to fix some damage that it caused. I know it would prolly be better to re-install the OS, but I've been to that rodeo before and I know it's no fun to re-install everything and for months afterward realize there are things I'm missing. Rather try to bring it back to life with your help. I have confidence that someone who knows what they are doing can help me to get this box back to running well.



For starters, these are some immediate problems that I need to fix:


1.) Can't run a lot of programs. I get the dreaded, "can't access that program", "perhaps you don't have permission" popup.

2.) There are still lots of nasty looking files and registry horrors hiding deep inside my system.

3.) Can't get online. (See #1 above.) Can't even get at the Windows firewall in Control Panel. ("don't have permission, blah-blah".) I am using another machine to post here, and a flash drive to go from one machine to the other as needed.



I am running Windows XP, SP2

Here is my log. (Yikes. There are some scary looking things in there. Did I mention, "Please help"? :-)



OTL logfile created on: 8/20/2011 5:01:05 PM - Run 1
OTL by OldTimer - Version 3.2.26.5 Folder = C:\Documents and Settings\steve\Desktop\geekstogo
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.11 Mb Total Physical Memory | 704.54 Mb Available Physical Memory | 68.93% Memory free
2.40 Gb Paging File | 2.21 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 109.18 Gb Total Space | 7.58 Gb Free Space | 6.94% Space Free | Partition Type: NTFS

Computer Name: D6YKGDD1 | User Name: steve | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/20 16:44:24 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\geekstogo\OTL.com
PRC - [2009/03/03 13:50:33 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2007/06/06 16:28:18 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2007/05/14 15:23:32 | 001,191,936 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2006/11/02 15:05:50 | 000,282,624 | ---- | M] (Knowles Acoustics) -- C:\WINDOWS\system32\KADxMain.exe
PRC - [2005/09/23 23:05:26 | 000,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
PRC - [2005/07/22 23:25:06 | 000,172,032 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
PRC - [2005/07/22 23:25:04 | 000,049,152 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
PRC - [2004/08/04 06:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2007/06/06 16:35:02 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\nvshell.dll
MOD - [2007/06/06 16:34:54 | 001,474,560 | ---- | M] () -- C:\WINDOWS\system32\nview.dll
MOD - [2007/05/14 15:24:00 | 000,098,304 | ---- | M] () -- C:\Program Files\Dell\QuickSet\dadkeyb.dll
MOD - [2007/05/09 15:59:44 | 000,086,016 | ---- | M] () -- C:\WINDOWS\system32\preflib.dll
MOD - [2005/10/13 14:53:36 | 000,090,223 | ---- | M] () -- C:\Program Files\Dell\QuickSet\preflibcl.dll
MOD - [2005/06/28 13:59:48 | 000,053,248 | ---- | M] () -- C:\Program Files\ArcSoft\PhotoImpression 5\Share\PIHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (wltrysvc)
SRV - File not found [Auto | Stopped] -- -- (tgsrvc_verizondm) SupportSoft Repair Service (verizondm)
SRV - File not found [Auto | Stopped] -- -- (sprtsvc_verizondm) SupportSoft Sprocket Service (verizondm)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - File not found [On_Demand | Stopped] -- -- ({84618CD0-BA25-43A1-B97EB2A93FB2C99E})
SRV - [2007/08/09 08:37:20 | 000,068,096 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- (Macromedia Licensing Service)


========== Driver Services (SafeList) ==========

DRV - [2011/07/22 12:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Documents and Settings\steve\Local Settings\Temp\SAS_SelfExtract\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 17:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Documents and Settings\steve\Local Settings\Temp\SAS_SelfExtract\saskutil.sys -- (SASKUTIL)
DRV - [2007/06/06 16:28:16 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/05/09 15:59:42 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2007/05/08 22:49:02 | 000,045,568 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2007/05/08 22:46:12 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/05/08 22:46:08 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2007/05/08 22:46:06 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/04/23 22:15:46 | 000,989,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2007/04/23 22:15:46 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2007/04/23 22:15:44 | 000,209,152 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/12/18 20:01:20 | 000,012,672 | ---- | M] (SingleClick Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\packet.sys -- (Packet)
DRV - [2006/11/02 13:31:38 | 000,103,168 | ---- | M] (Knowles Acoustics) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dxec02.sys -- (DXEC02)
DRV - [2005/11/17 04:33:52 | 000,108,168 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2005/08/12 18:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/02/16 17:51:26 | 000,016,128 | ---- | M] (Digital Networks North America, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RIOUNIV.SYS -- (RIOUNIV)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.stevefisk.../work_start.htm
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:51677

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Oracle)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.50524.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\WINDOWS\system32\TVUAx\npTVUAx.dll (TVU networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.69: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{C3D7C3E1-0A58-4A19-BEFF-2A8C2E7E65DE}: C:\Documents and Settings\steve\Local Settings\Application Data\{C3D7C3E1-0A58-4A19-BEFF-2A8C2E7E65DE}
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/02 18:53:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/08/02 18:53:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/09/03 11:57:32 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2009/05/29 17:24:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\steve\Application Data\Mozilla\Extensions
[2011/08/17 03:15:45 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\steve\Application Data\Mozilla\Firefox\Profiles\mcfmaym4.default\extensions
[2011/08/02 18:54:12 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\steve\Application Data\Mozilla\Firefox\Profiles\mcfmaym4.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/08/02 18:47:43 | 000,000,000 | ---D | M] (User Agent Switcher) -- C:\Documents and Settings\steve\Application Data\Mozilla\Firefox\Profiles\mcfmaym4.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
[2011/08/02 18:51:59 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/19 18:29:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2011/07/08 03:16:28 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/07/19 18:29:14 | 000,423,656 | ---- | M] (Oracle) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/01/19 14:38:58 | 000,000,211 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe (HP)
O4 - HKLM..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe (Knowles Acoustics)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk = C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe ()
O4 - Startup: C:\Documents and Settings\steve\Start Menu\Programs\Startup\Shortcut to SDMain.lnk = C:\Program Files\Spybot - Search & Destroy\SDMain.exe (Safer Networking Ltd.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\eooggtfb: DllName - fdplcjm.dll - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{72263b6e-4572-11dc-9350-001c2387e9ba}\Shell\AutoRun\command - "" = E:\PCConnect.exe
O33 - MountPoints2\{c93fb507-07b6-11de-935e-001c2387e9ba}\Shell - "" = AutoRun
O33 - MountPoints2\{c93fb507-07b6-11de-935e-001c2387e9ba}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c93fb507-07b6-11de-935e-001c2387e9ba}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/20 16:57:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\geekstogo
[2011/08/19 20:20:59 | 000,000,000 | R--D | C] -- C:\Documents and Settings\steve\Start Menu\Programs\Administrative Tools
[2011/08/19 20:20:42 | 000,607,017 | R--- | C] (Swearware) -- C:\Documents and Settings\steve\Desktop\dds.scr
[2011/08/19 19:53:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\bleeping
[2011/08/18 13:13:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/08/18 07:59:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2011/08/18 07:12:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/08/18 03:18:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\dell-project
[2011/08/18 03:07:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\New Folder
[2011/08/18 02:02:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\New Folder (3)
[2011/08/17 22:19:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Start Menu\Programs\RegCure
[2011/08/17 22:19:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\RegCure
[2011/08/17 13:34:48 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2011/08/17 12:59:11 | 000,000,000 | ---D | C] -- C:\MGtools
[2011/08/17 12:56:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Application Data\SUPERAntiSpyware.com
[2011/08/17 12:56:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2011/08/17 12:56:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/08/17 12:56:37 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/08/17 12:42:12 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\steve\Desktop\RootRepeal.exe
[2011/08/17 12:26:44 | 012,483,776 | ---- | C] (SUPERAntiSpyware.com) -- C:\Documents and Settings\steve\Desktop\SUPERAntiSpyware.exe
[2011/08/17 12:02:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\showthread.php_files
[2011/08/17 11:28:15 | 000,000,000 | ---D | C] -- C:\Avenger
[2011/08/17 03:52:29 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/08/17 03:51:56 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\steve\Desktop\esetsmartinstaller_enu.exe
[2011/08/17 03:41:07 | 000,309,320 | ---- | C] (BitDefender S.R.L.) -- C:\WINDOWS\System32\drivers\TrufosAlt.sys
[2011/08/17 03:39:32 | 007,045,869 | ---- | C] (BitDefender LLC) -- C:\Documents and Settings\steve\Desktop\BDRemovalTool_TDSS_TDL4__x86.exe
[2011/08/17 03:19:01 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2011/08/17 02:54:01 | 000,000,000 | ---D | C] -- C:\Program Files\RegCure
[2011/08/17 02:48:28 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\steve\Recent
[2011/08/17 01:58:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\tdsskiller
[2011/08/16 19:46:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/08/16 17:02:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\pL15401GdHlG15401
[2011/08/16 16:39:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\{2A114C1F-D940-41CF-8EE7-977EEAF395AA}
[2011/08/10 00:49:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\Copy of New Folder (2)
[2011/08/10 00:42:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\New Folder (2)
[2011/08/09 19:12:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2011/08/09 19:09:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2011/08/09 19:08:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
[2011/08/09 19:07:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\Temp
[2011/08/09 19:07:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2011/08/09 19:06:38 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2011/08/09 19:06:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\Google
[2011/08/03 17:02:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\dwhelper
[2011/08/02 18:21:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\8-2
[2011/07/26 17:13:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\7-26
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/20 17:00:00 | 000,000,438 | ---- | M] () -- C:\WINDOWS\tasks\RegCure Program Check.job
[2011/08/20 16:56:34 | 000,041,335 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2011/08/20 16:56:27 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/08/20 16:55:52 | 1071,837,184 | -HS- | M] () -- C:\hiberfil.sys
[2011/08/20 09:18:12 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/08/19 20:18:52 | 000,607,017 | R--- | M] (Swearware) -- C:\Documents and Settings\steve\Desktop\dds.scr
[2011/08/19 19:59:34 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\steve\defogger_reenable
[2011/08/18 15:27:54 | 000,000,657 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Shortcut to firefox.lnk
[2011/08/18 15:27:01 | 000,000,695 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Shortcut to mbam.lnk
[2011/08/18 15:09:26 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\steve\Start Menu\Programs\Startup\Shortcut to SDMain.lnk
[2011/08/18 14:30:10 | 000,001,917 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/08/18 13:27:09 | 000,000,653 | ---- | M] () -- C:\WINDOWS\{0240BDFB-2995-4A3F-8C96-18D41282B716}_WiseFW.ini
[2011/08/18 13:13:42 | 000,000,862 | ---- | M] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/08/18 13:13:42 | 000,000,844 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Spybot - Search & Destroy.lnk
[2011/08/18 10:00:10 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Shortcut to SDMain.lnk
[2011/08/18 08:40:08 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1
[2011/08/18 08:36:49 | 000,001,409 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\settings.dat
[2011/08/18 08:36:49 | 000,000,111 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\dht.dat
[2011/08/18 08:36:49 | 000,000,099 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\rss.dat
[2011/08/18 08:34:25 | 000,000,058 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\resume.dat.old
[2011/08/18 08:03:54 | 000,135,168 | ---- | M] () -- C:\zip.exe
[2011/08/18 08:03:54 | 000,019,286 | ---- | M] () -- C:\cleanup.exe
[2011/08/18 08:03:54 | 000,000,574 | ---- | M] () -- C:\cleanup.bat
[2011/08/18 07:33:12 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\steve\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/18 06:27:28 | 000,000,015 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\settings.dat.old
[2011/08/18 05:58:03 | 000,043,084 | ---- | M] () -- C:\Documents and Settings\steve\My Documents\cc_20110818_055739.reg
[2011/08/18 03:30:34 | 000,010,752 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\exefix_xp.com
[2011/08/18 02:34:16 | 000,512,992 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\sdsetup_revwire207.exe
[2011/08/17 17:09:49 | 000,002,333 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
[2011/08/17 13:41:52 | 000,043,408 | -HS- | M] () -- C:\WINDOWS\System32\c_17975.nl_
[2011/08/17 13:34:30 | 004,175,495 | R--- | M] () -- C:\Documents and Settings\steve\Desktop\ComboFix.exe
[2011/08/17 13:23:12 | 000,000,000 | ---- | M] () -- C:\WINDOWS\2363981562
[2011/08/17 13:20:40 | 000,724,952 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\avenger.zip
[2011/08/17 13:03:03 | 016,941,112 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\SAS_75270.COM
[2011/08/17 12:59:04 | 002,419,140 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\MGtools.exe
[2011/08/17 12:56:40 | 000,001,685 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/08/17 12:53:33 | 000,068,684 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\GooredFix_d7057.html
[2011/08/17 12:31:35 | 102,578,536 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\setup_11.0.0.1245.x01_2011_08_17_13_14.exe
[2011/08/17 12:31:33 | 012,483,776 | ---- | M] (SUPERAntiSpyware.com) -- C:\Documents and Settings\steve\Desktop\SUPERAntiSpyware.exe
[2011/08/17 12:24:13 | 000,465,298 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\RootRepeal.rar
[2011/08/17 12:15:46 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\MBRCheck.exe
[2011/08/17 12:02:18 | 000,091,877 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\showthread.php.htm
[2011/08/17 11:30:41 | 000,309,320 | ---- | M] (BitDefender S.R.L.) -- C:\WINDOWS\System32\drivers\TrufosAlt.sys
[2011/08/17 03:52:21 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\steve\Desktop\esetsmartinstaller_enu.exe
[2011/08/17 03:49:38 | 000,000,345 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\rkill.pif.htm
[2011/08/17 03:47:28 | 001,404,720 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\TDSSKiller.exe
[2011/08/17 03:40:55 | 007,045,869 | ---- | M] (BitDefender LLC) -- C:\Documents and Settings\steve\Desktop\BDRemovalTool_TDSS_TDL4__x86.exe
[2011/08/17 02:59:14 | 000,000,372 | ---- | M] () -- C:\WINDOWS\tasks\RegCure.job
[2011/08/17 02:54:01 | 000,000,459 | ---- | M] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\RegCure.lnk
[2011/08/17 02:54:01 | 000,000,441 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RegCure.lnk
[2011/08/17 01:57:05 | 001,388,507 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\tdsskiller.zip
[2011/08/17 00:47:23 | 000,010,120 | ---- | M] () -- C:\Documents and Settings\steve\My Documents\cc_20110817_004708.reg
[2011/08/16 23:43:06 | 000,041,335 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2011/08/09 19:09:15 | 000,000,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/08/09 19:08:46 | 000,001,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2011/08/09 19:08:46 | 000,001,798 | ---- | M] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/07/23 10:56:25 | 000,001,641 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Firefox Profile Manager.lnk
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/19 19:59:34 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\steve\defogger_reenable
[2011/08/18 15:27:54 | 000,000,657 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Shortcut to firefox.lnk
[2011/08/18 15:27:01 | 000,000,695 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Shortcut to mbam.lnk
[2011/08/18 15:09:26 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\steve\Start Menu\Programs\Startup\Shortcut to SDMain.lnk
[2011/08/18 14:28:24 | 000,001,917 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/08/18 13:27:09 | 000,000,653 | ---- | C] () -- C:\WINDOWS\{0240BDFB-2995-4A3F-8C96-18D41282B716}_WiseFW.ini
[2011/08/18 13:13:42 | 000,000,862 | ---- | C] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/08/18 13:13:42 | 000,000,844 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Spybot - Search & Destroy.lnk
[2011/08/18 10:00:10 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Shortcut to SDMain.lnk
[2011/08/18 09:35:57 | 1071,837,184 | -HS- | C] () -- C:\hiberfil.sys
[2011/08/18 08:40:08 | 000,004,128 | ---- | C] () -- C:\INFCACHE.1
[2011/08/18 08:36:49 | 000,000,111 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\dht.dat
[2011/08/18 08:36:49 | 000,000,099 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\rss.dat
[2011/08/18 08:24:24 | 000,000,058 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\resume.dat.old
[2011/08/18 07:59:34 | 000,512,992 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\sdsetup_revwire207.exe
[2011/08/18 05:57:42 | 000,043,084 | ---- | C] () -- C:\Documents and Settings\steve\My Documents\cc_20110818_055739.reg
[2011/08/18 03:42:47 | 000,010,752 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\exefix_xp.com
[2011/08/17 13:33:47 | 004,175,495 | R--- | C] () -- C:\Documents and Settings\steve\Desktop\ComboFix.exe
[2011/08/17 13:21:55 | 000,135,168 | ---- | C] () -- C:\zip.exe
[2011/08/17 13:21:55 | 000,019,286 | ---- | C] () -- C:\cleanup.exe
[2011/08/17 13:21:55 | 000,000,574 | ---- | C] () -- C:\cleanup.bat
[2011/08/17 13:20:35 | 000,724,952 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\avenger.zip
[2011/08/17 12:59:54 | 016,941,112 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\SAS_75270.COM
[2011/08/17 12:58:35 | 002,419,140 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\MGtools.exe
[2011/08/17 12:56:40 | 000,001,685 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/08/17 12:53:32 | 000,068,684 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\GooredFix_d7057.html
[2011/08/17 12:42:19 | 000,001,409 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\settings.dat
[2011/08/17 12:42:19 | 000,000,015 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\settings.dat.old
[2011/08/17 12:24:11 | 000,465,298 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\RootRepeal.rar
[2011/08/17 12:15:49 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\MBRCheck.exe
[2011/08/17 12:09:18 | 102,578,536 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\setup_11.0.0.1245.x01_2011_08_17_13_14.exe
[2011/08/17 12:02:17 | 000,091,877 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\showthread.php.htm
[2011/08/17 03:49:37 | 000,000,345 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\rkill.pif.htm
[2011/08/17 03:23:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\2363981562
[2011/08/17 02:54:12 | 000,000,438 | ---- | C] () -- C:\WINDOWS\tasks\RegCure Program Check.job
[2011/08/17 02:54:06 | 000,000,372 | ---- | C] () -- C:\WINDOWS\tasks\RegCure.job
[2011/08/17 02:54:01 | 000,000,459 | ---- | C] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\RegCure.lnk
[2011/08/17 02:54:01 | 000,000,441 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RegCure.lnk
[2011/08/17 01:57:03 | 001,388,507 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\tdsskiller.zip
[2011/08/17 00:47:11 | 000,010,120 | ---- | C] () -- C:\Documents and Settings\steve\My Documents\cc_20110817_004708.reg
[2011/08/16 19:39:10 | 000,043,408 | -HS- | C] () -- C:\WINDOWS\System32\c_17975.nl_
[2011/08/09 19:09:15 | 000,000,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/08/09 19:08:46 | 000,001,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2011/08/09 19:08:46 | 000,001,798 | ---- | C] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/08/09 19:07:04 | 000,000,884 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/08/09 19:07:03 | 000,000,880 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/07/23 10:35:51 | 000,001,641 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Firefox Profile Manager.lnk
[2011/07/15 19:10:34 | 000,001,530 | -HS- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\34wv7hh1k0014ag643xvy71h0x2bc64rq475obl6
[2011/07/15 19:10:34 | 000,001,530 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\34wv7hh1k0014ag643xvy71h0x2bc64rq475obl6
[2011/07/07 16:48:09 | 000,001,430 | -HS- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\1hu4i5i6c1wx6ngdh3brb4vh33mo74i8k66043
[2011/07/07 16:48:09 | 000,001,430 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1hu4i5i6c1wx6ngdh3brb4vh33mo74i8k66043
[2011/06/02 20:02:16 | 000,004,678 | -HS- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\647hcv5th6f5utprr43bgqh563kbejcc53b2u7
[2011/06/02 20:02:16 | 000,004,678 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\647hcv5th6f5utprr43bgqh563kbejcc53b2u7
[2011/05/27 19:01:22 | 000,003,616 | -HS- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\s7846w86gi86yo4j3444wfp8hl
[2011/05/27 19:01:22 | 000,003,616 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\s7846w86gi86yo4j3444wfp8hl
[2011/05/18 20:18:23 | 000,015,000 | -HS- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\ueu4ue45lg20w7c4ddf
[2011/05/18 20:18:23 | 000,015,000 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ueu4ue45lg20w7c4ddf
[2011/01/14 16:52:21 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/19 16:12:21 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/07/07 13:08:18 | 000,000,059 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2009/07/07 13:07:36 | 000,000,058 | ---- | C] () -- C:\WINDOWS\EPSPRX580.ini
[2009/07/07 12:28:59 | 000,073,220 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2009/07/07 12:28:59 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2009/07/07 12:28:59 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2009/07/07 12:28:59 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2009/07/07 12:28:59 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2009/07/07 12:28:59 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2009/07/07 12:28:59 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2009/07/07 12:28:59 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2009/07/07 12:28:59 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2009/07/07 12:28:59 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2009/07/07 12:28:59 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2009/07/07 12:28:59 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2009/07/07 12:28:59 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2009/07/07 12:28:59 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2009/07/07 12:28:59 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2009/07/07 12:28:59 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/06/02 15:59:00 | 000,032,397 | ---- | C] () -- C:\WINDOWS\SGTBox.INI
[2009/06/02 15:46:52 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A4W.INI
[2009/06/02 15:45:56 | 000,001,393 | ---- | C] () -- C:\WINDOWS\pstudio.ini
[2009/06/02 15:45:56 | 000,000,028 | ---- | C] () -- C:\WINDOWS\album.ini
[2009/06/02 15:45:51 | 000,000,021 | ---- | C] () -- C:\WINDOWS\Ps_setup.ini
[2009/05/19 16:35:29 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/04/09 07:51:52 | 000,000,147 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/04/09 07:10:27 | 000,001,152 | ---- | C] () -- C:\WINDOWS\System32\windrv.sys
[2009/03/28 17:25:34 | 000,010,756 | ---- | C] () -- C:\WINDOWS\hpdj3740.ini
[2007/12/30 00:32:58 | 000,001,158 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/08/08 01:56:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2007/07/31 01:41:12 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/07/31 01:31:34 | 000,198,144 | ---- | C] () -- C:\WINDOWS\System32\_psisdecd.dll
[2007/07/31 01:27:06 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2007/07/31 01:27:04 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2007/07/31 01:10:21 | 000,041,335 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2007/07/31 01:04:24 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2007/07/31 01:04:23 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2007/07/31 01:04:05 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/07/31 01:04:05 | 001,626,112 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2007/07/31 01:04:05 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/07/31 01:04:04 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/07/31 01:04:04 | 001,018,804 | ---- | C] () -- C:\WINDOWS\System32\nvucode.bin
[2007/07/31 01:04:04 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/07/31 01:04:03 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2007/07/31 01:04:02 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2007/07/31 01:04:01 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2007/07/31 01:03:03 | 000,001,118 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/07/22 23:25:07 | 000,005,428 | ---- | C] () -- C:\WINDOWS\hpfmdl_s04_main.dat
[2005/07/22 23:25:07 | 000,000,362 | ---- | C] () -- C:\WINDOWS\hpfins_s04_main.dat
[2004/08/10 14:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 14:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 14:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 13:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 13:57:15 | 000,202,528 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 13:51:21 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2004/08/10 13:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 13:51:20 | 000,405,878 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 13:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 13:51:20 | 000,064,262 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 13:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 13:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 13:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 13:51:17 | 006,566,656 | ---- | C] () -- C:\WINDOWS\System32\htscxjgq.dat
[2004/08/10 13:51:17 | 000,633,600 | ---- | C] () -- C:\WINDOWS\System32\kbuxwhib.dat
[2004/08/10 13:51:17 | 000,219,392 | ---- | C] () -- C:\WINDOWS\System32\viliuyzf.dat
[2004/08/10 13:51:17 | 000,050,944 | ---- | C] () -- C:\WINDOWS\System32\biooqdck.dat
[2004/08/10 13:51:17 | 000,047,360 | ---- | C] () -- C:\WINDOWS\System32\ingfjqqb.dat
[2004/08/10 13:51:17 | 000,036,608 | ---- | C] () -- C:\WINDOWS\System32\hyfizoei.dat
[2004/08/10 13:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 13:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 13:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 13:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 13:50:56 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2004/08/10 13:50:55 | 000,388,608 | ---- | C] () -- C:\WINDOWS\System32\cmd.exe
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2009/07/07 13:09:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2011/08/16 19:45:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pL15401GdHlG15401
[2007/07/31 01:31:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SingleClick Systems
[2010/06/24 18:34:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2011/08/18 07:35:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/08/03 17:11:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Canon
[2011/08/09 19:17:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\FrostWire
[2010/10/13 14:51:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\GetRightToGo
[2009/06/17 13:29:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\iccrmbqo
[2011/04/17 14:24:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\StreamTorrent
[2009/04/21 19:51:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Template
[2011/03/08 18:18:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\ThumbsPlus
[2007/08/09 08:53:05 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\steve\Application Data\Thunderbird
[2011/08/17 22:17:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\uTorrent
[2007/08/09 08:46:49 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\steve\Application Data\Visicom Media
[2009/05/15 19:55:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Vso
[2011/08/20 17:00:00 | 000,000,438 | ---- | M] () -- C:\WINDOWS\Tasks\RegCure Program Check.job
[2011/08/17 02:59:14 | 000,000,372 | ---- | M] () -- C:\WINDOWS\Tasks\RegCure.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:62E2D794

< End of report >
  • 0

Advertisements


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Copy the text in the code box by highlighting and Ctrl + c

:processes
killallprocesses

:OTL
SRV - File not found [Auto | Stopped] -- -- (wltrysvc)
SRV - File not found [Auto | Stopped] -- -- (tgsrvc_verizondm) SupportSoft Repair Service (verizondm)
SRV - File not found [Auto | Stopped] -- -- (sprtsvc_verizondm) SupportSoft Sprocket Service (verizondm)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - File not found [On_Demand | Stopped] -- -- ({84618CD0-BA25-43A1-B97EB2A93FB2C99E})
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:51677
[2010/07/19 18:29:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O20 - Winlogon\Notify\eooggtfb: DllName - fdplcjm.dll - File not found
O33 - MountPoints2\{72263b6e-4572-11dc-9350-001c2387e9ba}\Shell\AutoRun\command - "" = E:\PCConnect.exe
O33 - MountPoints2\{c93fb507-07b6-11de-935e-001c2387e9ba}\Shell - "" = AutoRun
O33 - MountPoints2\{c93fb507-07b6-11de-935e-001c2387e9ba}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c93fb507-07b6-11de-935e-001c2387e9ba}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
[2011/08/16 17:02:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\pL15401GdHlG15401
[2011/08/16 16:39:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\{2A114C1F-D940-41CF-8EE7-977EEAF395AA}
[2011/08/20 17:00:00 | 000,000,438 | ---- | M] () -- C:\WINDOWS\tasks\RegCure Program Check.job
[2011/08/16 19:39:10 | 000,043,408 | -HS- | C] () -- C:\WINDOWS\System32\c_17975.nl_
[2011/07/15 19:10:34 | 000,001,530 | -HS- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\34wv7hh1k0014ag643xvy71h0x2bc64rq475obl6
[2011/07/15 19:10:34 | 000,001,530 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\34wv7hh1k0014ag643xvy71h0x2bc64rq475obl6
[2011/07/07 16:48:09 | 000,001,430 | -HS- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\1hu4i5i6c1wx6ngdh3brb4vh33mo74i8k66043
[2011/07/07 16:48:09 | 000,001,430 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1hu4i5i6c1wx6ngdh3brb4vh33mo74i8k66043
[2011/06/02 20:02:16 | 000,004,678 | -HS- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\647hcv5th6f5utprr43bgqh563kbejcc53b2u7
[2011/06/02 20:02:16 | 000,004,678 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\647hcv5th6f5utprr43bgqh563kbejcc53b2u7
[2011/05/27 19:01:22 | 000,003,616 | -HS- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\s7846w86gi86yo4j3444wfp8hl
[2011/05/27 19:01:22 | 000,003,616 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\s7846w86gi86yo4j3444wfp8hl
[2011/05/18 20:18:23 | 000,015,000 | -HS- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\ueu4ue45lg20w7c4ddf
[2011/05/18 20:18:23 | 000,015,000 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ueu4ue45lg20w7c4ddf
[2011/08/17 02:59:14 | 000,000,372 | ---- | M] () -- C:\WINDOWS\Tasks\RegCure.job

:files
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C


:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"
     
:Commands
[RESETHOSTS]
[purity]
[Reboot]

then run OTL and Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the Run Fix button at the top
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on ComboFix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan (Note if the Fix button is enabled (not the FixMBR button) and tell me) click save log, save it to your desktop and post in your next reply.

If the Fix button was enabled. Run aswmbr again. This time change the A-V Scan to None then hit SCAN. It will finish much faster. IF the FIX button (not the FixMBR button) is still lit then press it. Save and post the new log.




Submit the following files to http://virustotal.com and let me know if they don't say 0/43.

[2004/08/10 13:51:17 | 006,566,656 | ---- | C] () -- C:\WINDOWS\System32\htscxjgq.dat
[2004/08/10 13:51:17 | 000,633,600 | ---- | C] () -- C:\WINDOWS\System32\kbuxwhib.dat
[2004/08/10 13:51:17 | 000,219,392 | ---- | C] () -- C:\WINDOWS\System32\viliuyzf.dat
[2004/08/10 13:51:17 | 000,050,944 | ---- | C] () -- C:\WINDOWS\System32\biooqdck.dat
[2004/08/10 13:51:17 | 000,047,360 | ---- | C] () -- C:\WINDOWS\System32\ingfjqqb.dat
[2004/08/10 13:51:17 | 000,036,608 | ---- | C] () -- C:\WINDOWS\System32\hyfizoei.dat

Open OTL again and select either the Use SafeList or All option in the Extra Registry group then the Run Scan button. Post the two logs it produces in your next reply.


If you still can't get on line:
Start, All Programs, Accessories, Command Prompt. Type with an Enter after each line in the code box:

ipconfig /flushdns

netsh  winsock  reset catalog

netsh  int ip reset reset.log


(I use two spaces in the code box so you will be sure to see where 1 space goes.)

Reboot and test. If it still doesn't work:


1. Click "Start," click "Control Panel," click "Network and Internet Connections," and then click "Network Connections."
2. Right-click the network connection that you want to configure (the one you use to connect to the Internet), and then click Properties.
3. On the General tab (for a local area connection), or the Networking tab (for all other connections), click "Internet Protocol (TCP/IP)", and then click "Properties."

4. Click "Use the following DNS server addresses," and then type 8.8.8.8 in the Preferred DNS server and 4.2.2.1 in the Alternate DNS server boxes.

5. Click "OK"

Reboot and test. If it still doesn't work:

(Start) Right click on My Computer, select Manage then Device Manager. Find the Network Adapters and click on the + in front to open up the sub entries. Right click on each sun-entry under Network Adapters and Uninstall. (Doesn't hurt to write down the names in case you need to download the drivers from the PC Maker's website. Normally you don't but with malware you never know.) Reboot and test.

Ron
  • 0

#3
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
Hi Ron,

Thank you so much for your help. You are my idol. :-)


> then run OTL and Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the Run Fix button at the top
> Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Done. Here is the log:


:processes
killallprocesses

:OTL
SRV - File not found [Auto | Stopped] -- -- (wltrysvc)
SRV - File not found [Auto | Stopped] -- -- (tgsrvc_verizondm) SupportSoft Repair Service (verizondm)
SRV - File not found [Auto | Stopped] -- -- (sprtsvc_verizondm) SupportSoft Sprocket Service (verizondm)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - File not found [On_Demand | Stopped] -- -- ({84618CD0-BA25-43A1-B97EB2A93FB2C99E})
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:51677
[2010/07/19 18:29:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O20 - Winlogon\Notify\eooggtfb: DllName - fdplcjm.dll - File not found
O33 - MountPoints2\{72263b6e-4572-11dc-9350-001c2387e9ba}\Shell\AutoRun\command - "" = E:\PCConnect.exe
O33 - MountPoints2\{c93fb507-07b6-11de-935e-001c2387e9ba}\Shell - "" = AutoRun
O33 - MountPoints2\{c93fb507-07b6-11de-935e-001c2387e9ba}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c93fb507-07b6-11de-935e-001c2387e9ba}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
[2011/08/16 17:02:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\pL15401GdHlG15401
[2011/08/16 16:39:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\{2A114C1F-D940-41CF-8EE7-977EEAF395AA}
[2011/08/20 17:00:00 | 000,000,438 | ---- | M] () -- C:\WINDOWS\tasks\RegCure Program Check.job
[2011/08/16 19:39:10 | 000,043,408 | -HS- | C] () -- C:\WINDOWS\System32\c_17975.nl_
[2011/07/15 19:10:34 | 000,001,530 | -HS- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\34wv7hh1k0014ag643xvy71h0x2bc64rq475obl6
[2011/07/15 19:10:34 | 000,001,530 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\34wv7hh1k0014ag643xvy71h0x2bc64rq475obl6
[2011/07/07 16:48:09 | 000,001,430 | -HS- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\1hu4i5i6c1wx6ngdh3brb4vh33mo74i8k66043
[2011/07/07 16:48:09 | 000,001,430 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1hu4i5i6c1wx6ngdh3brb4vh33mo74i8k66043
[2011/06/02 20:02:16 | 000,004,678 | -HS- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\647hcv5th6f5utprr43bgqh563kbejcc53b2u7
[2011/06/02 20:02:16 | 000,004,678 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\647hcv5th6f5utprr43bgqh563kbejcc53b2u7
[2011/05/27 19:01:22 | 000,003,616 | -HS- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\s7846w86gi86yo4j3444wfp8hl
[2011/05/27 19:01:22 | 000,003,616 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\s7846w86gi86yo4j3444wfp8hl
[2011/05/18 20:18:23 | 000,015,000 | -HS- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\ueu4ue45lg20w7c4ddf
[2011/05/18 20:18:23 | 000,015,000 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ueu4ue45lg20w7c4ddf
[2011/08/17 02:59:14 | 000,000,372 | ---- | M] () -- C:\WINDOWS\Tasks\RegCure.job

:files
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C


:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"

:Commands
[RESETHOSTS]
[purity]
[Reboot]


I'm linking the way this is going.


> Malwarebytes' Anti-Malware
> :!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy.

OK. Again, I can't get online, so am downloading from another machine and transferring via flashdrive. (No sense in checking for updates after install at this point.)

I'm doing this part now....
  • 0

#4
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
MBAM log. (So far so good.)

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7035

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

8/20/2011 11:17:45 PM
mbam-log-2011-08-20 (23-17-45).txt

Scan type: Quick scan
Objects scanned: 168759
Time elapsed: 20 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

----------------------------------------

Now we turn to Combofix, and it gets rather odd here.

I do have a version on my desktop that I downloaded yesterday in anticipation of needing it. However- I cannot delete it. The machine won't let me. "Make sure it's not write protected or in use". I don't think it's in use, as it doesn't show on the task manager. Then when I try to run the program- I get the,

"Windows cannot access the specified device, path, of file". You may not have the appropriate permission to access the item".

Can anything be more pesky than a virus that sets it up so your computer gives you a hard time and tells you that you don't have permission to use it? Yeeesh. I'm trying to have a sense of humor here. You need it with rootkits.


What should I do next?
  • 0

#5
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
Ah. I know what to do. I'm running the new version of Combofix, and then will run the other two programs. Details to follow....
  • 0

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
You posted the OTL script that I gave you and not the log.

If you already have Combofix then just run it. It will be a bit out of date but better than nothing.

Ron
  • 0

#7
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts

You posted the OTL script that I gave you and not the log.


D'oh!

I don't know how I did that. Prolly from using the flash drive so many times to copy stuff back and forth here.




If you already have Combofix then just run it. It will be a bit out of date but better than nothing.


No, the one I have already won't run. But the one I just downloaded will, and I am running it on the infected machine right now. And so far it says I have......


"Zero Access Rootkit".

Once it's done I'll see if the OTL log is still in that machine. I think so.
  • 0

#8
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
This is the first one of these I've seen. Interesting to see if any of my regular tools can kill it. If not, you can try running antizeroaccess.exe:

http://anywhere.webr...izeroaccess.exe

Ron
  • 0

#9
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
Funny you should say that. I am very good at finding the new virii. About a year ago, when TDL3 was all the rage, I got a rootkit that looked like it, but not quite. I had bleeping computer help me out, and it turns out I had the first case of TDL4 they had seen.

(My secret is that I got rid of cable, and watch TV online only. I can watch anything without a problem, free, but the downside is that not everything is to be trusted out there. So I test virii for everyone. :-)


The good news is I think I'm a good guinea pig. I can take directions and I can work well with someone like you.

In any event, here are the two latest log files.

-------------

========== PROCESSES ==========
All processes killed
========== OTL ==========
Service wltrysvc stopped successfully!
Service wltrysvc deleted successfully!
Error: No service named tgsrvc_verizondm) SupportSoft Repair Service (verizondm was found to stop!
Service\Driver key tgsrvc_verizondm) SupportSoft Repair Service (verizondm not found.
Error: No service named sprtsvc_verizondm) SupportSoft Sprocket Service (verizondm was found to stop!
Service\Driver key sprtsvc_verizondm) SupportSoft Sprocket Service (verizondm not found.
Service AppMgmt stopped successfully!
Service AppMgmt deleted successfully!
Service {84618CD0-BA25-43A1-B97EB2A93FB2C99E} stopped successfully!
Service {84618CD0-BA25-43A1-B97EB2A93FB2C99E} deleted successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\zh-TW folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\zh-CN folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\sv-SE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\ko-KR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\ja-JP folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\it-IT folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\fr-FR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\es-ES folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\en-US folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\de-DE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\content\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\content folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} folder moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\eooggtfb\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{72263b6e-4572-11dc-9350-001c2387e9ba}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72263b6e-4572-11dc-9350-001c2387e9ba}\ not found.
File E:\PCConnect.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c93fb507-07b6-11de-935e-001c2387e9ba}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c93fb507-07b6-11de-935e-001c2387e9ba}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c93fb507-07b6-11de-935e-001c2387e9ba}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c93fb507-07b6-11de-935e-001c2387e9ba}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c93fb507-07b6-11de-935e-001c2387e9ba}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c93fb507-07b6-11de-935e-001c2387e9ba}\ not found.
File E:\LaunchU3.exe -a not found.
Folder C:\Documents and Settings\All Users\Application Data\pL15401GdHlG15401\ not found.
C:\Documents and Settings\steve\Local Settings\Application Data\{2A114C1F-D940-41CF-8EE7-977EEAF395AA}\chrome\content folder moved successfully.
C:\Documents and Settings\steve\Local Settings\Application Data\{2A114C1F-D940-41CF-8EE7-977EEAF395AA}\chrome folder moved successfully.
C:\Documents and Settings\steve\Local Settings\Application Data\{2A114C1F-D940-41CF-8EE7-977EEAF395AA} folder moved successfully.
C:\WINDOWS\tasks\RegCure Program Check.job moved successfully.
C:\WINDOWS\system32\c_17975.nl_ moved successfully.
C:\Documents and Settings\steve\Local Settings\Application Data\34wv7hh1k0014ag643xvy71h0x2bc64rq475obl6 moved successfully.
C:\Documents and Settings\All Users\Application Data\34wv7hh1k0014ag643xvy71h0x2bc64rq475obl6 moved successfully.
C:\Documents and Settings\steve\Local Settings\Application Data\1hu4i5i6c1wx6ngdh3brb4vh33mo74i8k66043 moved successfully.
C:\Documents and Settings\All Users\Application Data\1hu4i5i6c1wx6ngdh3brb4vh33mo74i8k66043 moved successfully.
C:\Documents and Settings\steve\Local Settings\Application Data\647hcv5th6f5utprr43bgqh563kbejcc53b2u7 moved successfully.
C:\Documents and Settings\All Users\Application Data\647hcv5th6f5utprr43bgqh563kbejcc53b2u7 moved successfully.
C:\Documents and Settings\steve\Local Settings\Application Data\s7846w86gi86yo4j3444wfp8hl moved successfully.
C:\Documents and Settings\All Users\Application Data\s7846w86gi86yo4j3444wfp8hl moved successfully.
C:\Documents and Settings\steve\Local Settings\Application Data\ueu4ue45lg20w7c4ddf moved successfully.
C:\Documents and Settings\All Users\Application Data\ueu4ue45lg20w7c4ddf moved successfully.
C:\WINDOWS\Tasks\RegCure.job moved successfully.
========== FILES ==========
< xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C >
No captured output from command...
F:\geekstogo\cmd.bat deleted successfully.
< xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C >
No captured output from command...
F:\geekstogo\cmd.bat deleted successfully.
< xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C >
No captured output from command...
F:\geekstogo\cmd.bat deleted successfully.
< xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C >
No captured output from command...
F:\geekstogo\cmd.bat deleted successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\""|""%1" %*" /E : value set successfully!
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.26.5 log created on 08202011_223527

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...




And,,,,,,

============

ComboFix 11-08-21.01 - steve 08/21/2011 0:13.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.781 [GMT -4:00]
Running from: c:\documents and settings\steve\Desktop\geekstogo\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\cleanup.exe
c:\docume~1\steve\LOCALS~1\Temp\Temporary Directory 2 for tdsskiller.zip\TDSSKiller.exe
c:\documents and settings\steve\Local Settings\Temp\Temporary Directory 2 for tdsskiller.zip\TDSSKiller.exe
c:\documents and settings\steve\WINDOWS
c:\windows\$NtUninstallKB57869$
c:\windows\$NtUninstallKB57869$\3768571335
c:\windows\$NtUninstallKB57869$\4202620812\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB57869$\4202620812\L\odetmngk
c:\windows\$NtUninstallKB57869$\4202620812\loader(2).tlb
c:\windows\$NtUninstallKB57869$\4202620812\loader(3).tlb
c:\windows\$NtUninstallKB57869$\4202620812\loader(4).tlb
c:\windows\$NtUninstallKB57869$\4202620812\loader(5).tlb
c:\windows\$NtUninstallKB57869$\4202620812\loader(6).tlb
c:\windows\$NtUninstallKB57869$\4202620812\loader(7).tlb
c:\windows\$NtUninstallKB57869$\4202620812\loader(8).tlb
c:\windows\$NtUninstallKB57869$\4202620812\loader.tlb
c:\windows\$NtUninstallKB57869$\4202620812\U\@00000001
c:\windows\$NtUninstallKB57869$\4202620812\U\@000000c0
c:\windows\$NtUninstallKB57869$\4202620812\U\@000000cb
c:\windows\$NtUninstallKB57869$\4202620812\U\@000000cf
c:\windows\$NtUninstallKB57869$\4202620812\U\@80000000
c:\windows\$NtUninstallKB57869$\4202620812\U\@800000c0
c:\windows\$NtUninstallKB57869$\4202620812\U\@800000cb
c:\windows\$NtUninstallKB57869$\4202620812\U\@800000cf
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\iun6002.exe
C:\zip.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-21 to 2011-08-21 )))))))))))))))))))))))))))))))
.
.
2011-08-21 02:55 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-21 02:55 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-18 11:59 . 2011-08-18 11:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-08-17 21:57 . 2011-08-17 21:57 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-08-17 17:21 . 2011-08-18 12:03 574 ----a-w- C:\cleanup.bat
2011-08-17 16:59 . 2011-08-17 16:59 -------- d-----w- C:\MGtools
2011-08-17 16:56 . 2011-08-17 16:56 -------- d-----w- c:\documents and settings\steve\Application Data\SUPERAntiSpyware.com
2011-08-17 16:56 . 2011-08-17 21:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-17 16:56 . 2011-08-17 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-17 07:52 . 2011-08-17 07:52 -------- d-----w- c:\program files\ESET
2011-08-17 07:41 . 2011-08-17 15:30 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2011-08-17 07:19 . 2011-08-17 07:19 -------- d-----w- C:\TDSSKiller_Quarantine
2011-08-17 06:54 . 2011-08-18 06:10 -------- d-----w- c:\program files\RegCure
2011-08-16 21:02 . 2011-08-16 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\pL15401GdHlG15401
2011-08-09 23:12 . 2011-08-09 23:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-08-09 23:07 . 2011-08-09 23:13 -------- d-----w- c:\documents and settings\steve\Local Settings\Application Data\Temp
2011-08-09 23:07 . 2011-08-09 23:07 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-08-09 23:06 . 2011-08-15 04:44 -------- d-----w- c:\documents and settings\steve\Local Settings\Application Data\Google
2011-08-09 23:06 . 2011-08-09 23:08 -------- d-----w- c:\program files\Google
2011-08-03 21:02 . 2011-08-15 07:30 -------- d-----w- c:\documents and settings\steve\dwhelper
2011-08-02 22:53 . 2011-07-08 07:16 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-02 22:53 . 2011-07-08 07:16 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-02 22:53 . 2011-07-08 07:16 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-02 22:53 . 2011-07-08 07:16 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-02 22:53 . 2011-07-08 07:16 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-02 22:53 . 2011-07-08 07:16 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-02 22:53 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-02 22:53 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-07-23 13:39 . 2011-07-08 07:16 265176 ----a-w- c:\program files\Mozilla Firefox\updater.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-25 23:10 . 2004-08-10 17:51 359040 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-07-16 02:04 . 2004-08-10 18:01 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2011-07-08 07:16 . 2011-08-02 22:53 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0015\DriverFiles\i386\atapi.sys
.
[7] 2004-08-04 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . c:\windows\system32\drivers\asyncmac.sys
.
[7] 2004-08-04 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys
.
[7] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\drivers\kbdclass.sys
.
[7] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys
.
[7] 2004-08-04 . B78BE402C3F63DD55521F73876951CDD . 574592 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ntfs.sys
.
[7] 2004-08-04 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys
.
[-] 2011-07-25 . C81D6A930A7805F6DAA0C7902B99037E . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
.
[7] 2004-08-04 . E3CFCCDDA4EDD1D0DC9168B2E18F27B8 . 77312 . . [5.1.2600.2180] . . c:\windows\system32\browser.dll
.
[7] 2004-08-04 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . c:\windows\system32\lsass.exe
.
[7] 2004-08-04 . DAB9E6C7105D2EF49876FE92C524F565 . 198144 . . [5.1.2600.2180] . . c:\windows\system32\netman.dll
.
[7] 2004-08-04 10:00 . 6728270CB7DBB776ED086F5AC4C82310 . 792064 . . [2001.12.4414.258] . . c:\windows\system32\comres.dll
.
[7] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\system32\qmgr.dll
.
[7] 2004-08-04 . 5C83A4408604F737717AB96371201680 . 395776 . . [5.1.2600.2180] . . c:\windows\system32\rpcss.dll
.
[7] 2004-08-04 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . c:\windows\system32\services.exe
.
[7] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[7] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe
.
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
[7] 2004-08-04 . 4126D27CECE4471E00E425411F7306B5 . 111104 . . [5.4.3790.2180] . . c:\windows\system32\wuauclt.exe
.
[7] 2006-08-25 . B0124CB21D28B1C9F678B566B6B57D92 . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll
[7] 2006-08-25 . B0124CB21D28B1C9F678B566B6B57D92 . 617472 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll
[7] 2006-08-25 . C4E80875C1CF1222FC5EFD0314AE5C01 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
[7] 2004-08-04 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[7] 2004-08-04 . 5AF68A5E44734A082442668E9C787743 . 1050624 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
.
[7] 2004-08-04 . 10654F9DDCEA9C46CFB77554231BE73B . 60416 . . [5.1.2600.2180] . . c:\windows\system32\cryptsvc.dll
.
[7] 2004-08-04 10:00 . ACD36A2DD7D1E9D8A060AA651DC07E63 . 243200 . . [2001.12.4414.258] . . c:\windows\system32\es.dll
.
[7] 2004-08-04 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . c:\windows\system32\imm32.dll
.
[7] 2006-07-05 . 0FDD84928A5DDE2510761B7EC76CCEC9 . 985088 . . [5.1.2600.2945] . . c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[7] 2006-07-05 . D8DB5397DE07577C1CB50BA6D23B3AD4 . 984064 . . [5.1.2600.2945] . . c:\windows\system32\kernel32.dll
[7] 2006-07-05 . D8DB5397DE07577C1CB50BA6D23B3AD4 . 984064 . . [5.1.2600.2945] . . c:\windows\system32\dllcache\kernel32.dll
.
[7] 2004-08-04 . C2BBD044C741EA4292016C36F718D2E4 . 18944 . . [5.1.2600.2180] . . c:\windows\system32\linkinfo.dll
.
[7] 2004-08-04 . 74D66B3DE265E8789153414E75175F26 . 22016 . . [5.1.2600.2180] . . c:\windows\system32\lpk.dll
.
[7] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\system32\mshtml.dll
[7] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\mshtml.dll
[7] 2007-02-20 . 6B9D083C0D4C4555FE011B01A98872DA . 3056640 . . [6.00.2900.3086] . . c:\windows\ie8\mshtml.dll
[7] 2007-02-20 . 2991727809C7AC3A33E4178CC73244D8 . 3063296 . . [6.00.2900.3086] . . c:\windows\$hf_mig$\KB931768\SP2QFE\mshtml.dll
[7] 2006-02-01 . 51C91AC189321A320FC4BC90B56255A3 . 3073024 . . [6.00.2900.2838] . . c:\windows\$hf_mig$\KB912945\SP2QFE\mshtml.dll
.
[7] 2004-08-04 . B0FEFA816D61EC66AA765DDF534EAB5E . 343040 . . [7.0.2600.2180] . . c:\windows\system32\msvcrt.dll
[7] 2004-08-04 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll
[7] 2004-08-04 . 98EC447E00229AFD88D5161A25D065DA . 343040 . . [7.0.2600.2180] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll
.
[7] 2004-08-04 . 4E74AF063C3271FBEA20DD940CFD1184 . 245248 . . [5.1.2600.2180] . . c:\windows\system32\mswsock.dll
.
[7] 2004-08-04 . 96353FCECBA774BB8DA74A1C6507015A . 407040 . . [5.1.2600.2180] . . c:\windows\system32\netlogon.dll
.
[7] 2004-08-04 . 1B5F6923ABB450692E9FE0672C897AED . 17408 . . [6.00.2900.2180] . . c:\windows\system32\powrprof.dll
.
[7] 2004-08-04 . 0F78E27F563F2AAF74B91A49E2ABF19A . 180224 . . [5.1.2600.2180] . . c:\windows\system32\scecli.dll
.
[7] 2004-08-04 . E8A12A12EA9088B4327D49EDCA3ADD3E . 5120 . . [5.1.2600.2180] . . c:\windows\system32\sfc.dll
.
[7] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\system32\svchost.exe
.
[7] 2004-08-04 . EB4A4187D74A8EFDCBEA3EA2CB1BDFBD . 246272 . . [5.1.2600.2180] . . c:\windows\system32\tapisrv.dll
.
[7] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[7] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\system32\user32.dll
[7] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\system32\dllcache\user32.dll
.
[7] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe
.
[7] 2009-03-08 . 6CE32F7778061CCC5814D5E0F282D369 . 914944 . . [8.00.6001.18702] . . c:\windows\system32\wininet.dll
[7] 2009-03-08 . 6CE32F7778061CCC5814D5E0F282D369 . 914944 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\wininet.dll
[7] 2007-02-20 . B258C922D22DEEC880B60720531D7627 . 665600 . . [6.00.2900.3086] . . c:\windows\$hf_mig$\KB931768\SP2QFE\wininet.dll
[7] 2007-02-20 . 30D1C47E40EFBB792FF8D3C3B51CE507 . 658944 . . [6.00.2900.3086] . . c:\windows\ie8\wininet.dll
[7] 2006-01-09 . DDE9597A3311748C1519444E2BC147BD . 662016 . . [6.00.2900.2823] . . c:\windows\$hf_mig$\KB912945\SP2QFE\wininet.dll
.
[7] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
.
[7] 2004-08-04 . 9BEACB911CA61E5881102188AB7FB431 . 19968 . . [5.1.2600.2180] . . c:\windows\system32\ws2help.dll
.
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\explorer.exe
.
[7] 2004-08-04 . 783AFC80383C176B22DBF8333343992D . 146432 . . [5.1.2600.2180] . . c:\windows\regedit.exe
.
[7] 2004-08-04 . 4FE9D9FA62D020E35E0AC6D1AEEB96F0 . 1281536 . . [5.1.2600.2180] . . c:\windows\system32\ole32.dll
.
[7] 2004-08-04 . 2EB58F9DCD6AB320B46744A4EA48B2D2 . 406528 . . [1.0420.2600.2180] . . c:\windows\system32\usp10.dll
.
[7] 2004-08-04 . CBCD254547689BFF80C9F547B20911E9 . 4096 . . [5.3.2600.2180] . . c:\windows\system32\ksuser.dll
[7] 2004-08-04 . CBCD254547689BFF80C9F547B20911E9 . 4096 . . [5.3.2600.2180] . . c:\windows\system32\dllcache\ksuser.dll
.
[7] 2004-08-04 . 92BDF74F12D6CBEC43C94D4B7F804838 . 170496 . . [5.1.2600.2180] . . c:\windows\system32\srsvc.dll
.
[7] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe
.
[7] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\system32\xmlprov.dll
.
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\system32\eventlog.dll
.
[7] 2004-08-04 . 30A609E00BD1D4FFC49D6B5A432BE7F2 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
[7] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\system32\ctfmon.exe
.
[7] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\system32\shsvcs.dll
[7] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\system32\dllcache\shsvcs.dll
[7] 2006-12-19 . 53D9184A21C5CBF600D918E51EF3A7E5 . 135168 . . [6.00.2900.3051] . . c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll
.
[7] 2004-08-04 . 3151427DB7D87107D1C5BE58FAC53960 . 59904 . . [5.1.2600.2180] . . c:\windows\system32\regsvc.dll
.
[7] 2004-08-04 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . c:\windows\system32\schedsvc.dll
.
[7] 2004-08-04 . 4B8D61792F7175BED48859CC18CE4E38 . 71680 . . [5.1.2600.2180] . . c:\windows\system32\ssdpsrv.dll
.
[7] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\system32\termsrv.dll
.
[7] 2004-08-04 . 765B30C776A1780B46B479FE614F707C . 344064 . . [5.1.2600.2180] . . c:\windows\system32\hnetcfg.dll
.
[7] 2004-08-04 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys
.
[7] 2004-08-04 03:39 . 841F385C6CFAF66B58FBD898722BB4F0 . 142464 . . [5.1.2601.2078] . . c:\windows\system32\dllcache\aec.sys
[7] 2004-08-04 03:39 . 841F385C6CFAF66B58FBD898722BB4F0 . 142464 . . [5.1.2601.2078] . . c:\windows\system32\drivers\aec.sys
.
[7] 2004-08-04 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . c:\windows\system32\drivers\AGP440.SYS
.
[7] 2004-08-04 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ip6fw.sys
.
[7] 2006-11-01 19:17 . 925F8B61ED301A317BA850EBEECBDAA0 . 927504 . . [4.1.0.61] . . c:\windows\system32\mfc40u.dll
[7] 2006-11-01 19:17 . 925F8B61ED301A317BA850EBEECBDAA0 . 927504 . . [4.1.0.61] . . c:\windows\system32\dllcache\mfc40u.dll
.
[7] 2004-08-04 . 95FD808E4AC22ABA025A7B3EAC0375D2 . 33792 . . [5.1.2600.2180] . . c:\windows\system32\msgsvc.dll
.
[7] 2004-08-04 10:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll
.
[7] 2007-02-28 . 2DFB215E291E3D9B1CF9A6739B3BF16C . 2017280 . . [5.1.2600.3093] . . c:\windows\system32\ntkrnlpa.exe
[7] 2007-02-28 . A58AC1C6199EF34228ABEE7FC057AE09 . 2015744 . . [5.1.2600.3093] . . c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[7] 2007-02-28 . 4D3DBDCCBF97F5BA1E74F322B155C3BA . 2059392 . . [5.1.2600.3093] . . c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[7] 2007-02-28 . 4D3DBDCCBF97F5BA1E74F322B155C3BA . 2059392 . . [5.1.2600.3093] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2007-02-28 . 4D3DBDCCBF97F5BA1E74F322B155C3BA . 2059392 . . [5.1.2600.3093] . . c:\windows\system32\dllcache\ntkrnlpa.exe
.
[7] 2004-08-04 10:00 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . c:\windows\system32\ntmssvc.dll
.
[7] 2007-02-05 . 36ACA6CDC19C95FF468A1426EB7F32F0 . 185344 . . [5.1.2600.3077] . . c:\windows\$hf_mig$\KB931261\SP2QFE\upnphost.dll
[7] 2007-02-05 . ACA5D98663D879C6BAAFCEA7E2F1B710 . 185344 . . [5.1.2600.3077] . . c:\windows\system32\upnphost.dll
[7] 2007-02-05 . ACA5D98663D879C6BAAFCEA7E2F1B710 . 185344 . . [5.1.2600.3077] . . c:\windows\system32\dllcache\upnphost.dll
.
[7] 2004-08-04 . 55E148C01296696588EAFA425782C3E8 . 367616 . . [5.3.2600.2180] . . c:\windows\system32\dsound.dll
.
[7] 2004-08-04 . D67BDBBDA86CC9AEEBBAF3217C1717D8 . 1689088 . . [5.03.2600.2180] . . c:\windows\system32\d3d9.dll
.
[7] 2004-08-04 . 7ED462F353B3D915A418A689FA881F96 . 266240 . . [5.03.2600.2180] . . c:\windows\system32\ddraw.dll
.
[7] 2004-08-04 10:00 . B48D3193DD1474DCBCC32BF4779AC698 . 83456 . . [5.1.2600.2180] . . c:\windows\system32\olepro32.dll
.
[7] 2004-08-04 . 96492C721C6EA517E2BFD5381FEF55E3 . 39936 . . [5.1.2600.2180] . . c:\windows\system32\perfctrs.dll
.
[7] 2004-08-04 . D38408967BE738D0C1B47005BCE8CEEB . 18944 . . [5.1.2600.2180] . . c:\windows\system32\version.dll
.
[7] 2009-03-08 . B60DDDD2D63CE41CB8C487FCFBB6419E . 638816 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie8\iexplore.exe
.
.
[7] 2007-02-28 . 5A5C8DB4AA962C714C8371FBDF189FC9 . 2182144 . . [5.1.2600.3093] . . c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[7] 2007-02-28 . 5A5C8DB4AA962C714C8371FBDF189FC9 . 2182144 . . [5.1.2600.3093] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2007-02-28 . 5A5C8DB4AA962C714C8371FBDF189FC9 . 2182144 . . [5.1.2600.3093] . . c:\windows\system32\dllcache\ntoskrnl.exe
[7] 2007-02-28 . E6679C3023B17D8B78946BC5DF53FA20 . 2137600 . . [5.1.2600.3093] . . c:\windows\system32\ntoskrnl.exe
[7] 2007-02-28 . 1220FAF071DEA8653EE21DE7DCDA8BFD . 2136064 . . [5.1.2600.3093] . . c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
.
[7] 2004-08-04 . 92BDF74F12D6CBEC43C94D4B7F804838 . 170496 . . [5.1.2600.2180] . . c:\windows\system32\srsvc.dll
.
[7] 2004-08-04 . 2B281958F5D0CF99ED626E3EF39D5C8D . 174592 . . [5.1.2600.2180] . . c:\windows\system32\w32time.dll
.
[7] 2006-12-19 . D9F097AA3B97034D3358A01B43E635B2 . 333824 . . [5.1.2600.3051] . . c:\windows\$hf_mig$\KB927802\SP2QFE\wiaservc.dll
[7] 2006-12-19 . B6763F8534AC547CF1AF98AFDFF2EDC8 . 333824 . . [5.1.2600.3051] . . c:\windows\system32\wiaservc.dll
[7] 2006-12-19 . B6763F8534AC547CF1AF98AFDFF2EDC8 . 333824 . . [5.1.2600.3051] . . c:\windows\system32\dllcache\wiaservc.dll
.
[7] 2004-08-04 . 3B4702155BB2AE9DC00C06A68834BDFA . 18944 . . [5.1.2600.2180] . . c:\windows\system32\midimap.dll
.
[7] 2006-06-26 . B5D08C96B2DADAF5171FB69E341B272B . 7680 . . [5.1.2600.2938] . . c:\windows\$hf_mig$\KB920683\SP2QFE\rasadhlp.dll
[7] 2006-06-26 . 5F098BD2AE6B03044B085DECFFDF91EC . 8192 . . [5.1.2600.2938] . . c:\windows\system32\rasadhlp.dll
[7] 2006-06-26 . 5F098BD2AE6B03044B085DECFFDF91EC . 8192 . . [5.1.2600.2938] . . c:\windows\system32\dllcache\rasadhlp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]
"nwiz"="nwiz.exe" [2007-06-06 1626112]
"NVHotkey"="nvHotkey.dll" [2007-06-06 67584]
"NvMediaCenter"="NvMCTray.dll" [2007-06-06 81920]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-09 1392640]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-11-17 52848]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-03 198160]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2005-07-23 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-07-23 49152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
c:\documents and settings\steve\Start Menu\Programs\Startup\
Shortcut to SDMain.lnk - c:\program files\Spybot - Search & Destroy\SDMain.exe [2011-8-18 414552]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-8-9 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2007-7-31 7168]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-7-31 50688]
.
[HKLM\~\startupfolder\C:^Documents and Settings^steve^Start Menu^Programs^Startup^_uninst_90142563.lnk]
path=c:\documents and settings\steve\Start Menu\Programs\Startup\_uninst_90142563.lnk
backup=c:\windows\pss\_uninst_90142563.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-07-06 23:52 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
2011-08-18 06:34 512992 ----a-w- c:\documents and settings\steve\Desktop\sdsetup_revwire207.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-08-12 21:37 4603264 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VERIZONDM]
2010-06-11 13:37 206120 ----a-w- c:\program files\VERIZONDM\bin\sprtcmd.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\steve\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\steve\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\steve\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\steve\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\steve\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/9/2011 7:06 PM 136176]
S2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe /service /p verizondm --> c:\program files\VERIZONDM\bin\sprtsvc.exe [?]
S2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe /p verizondm --> c:\program files\VERIZONDM\bin\tgsrvc.exe [?]
S3 {380014DB-5CCC-4339-A514AAAB6A3B43B8};{380014DB-5CCC-4339-A514AAAB6A3B43B8};\??\c:\windows\TEMP\1DB.tmp --> c:\windows\TEMP\1DB.tmp [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/9/2011 7:06 PM 136176]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tghpunaf
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-09 23:06]
.
2011-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-09 23:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.stevefisk.net/start/work_start.htm
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{15F3E135-1B79-42C0-9363-45F0626A4F56}: NameServer = 24.92.226.11,24.92.226.12
TCP: Interfaces\{2640A5B6-28DF-4929-879B-37938A9B0318}: NameServer = 24.92.226.11,24.92.226.12
FF - ProfilePath - c:\documents and settings\steve\Application Data\Mozilla\Firefox\Profiles\mcfmaym4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.stevefisk.net/start/work_start.htm
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 51677
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
SafeBoot-09293461.sys
MSConfigStartUp-Bmunimayobi - c:\windows\trsase2.dll
AddRemove-AceFTP 3 Freeware - c:\windows\iun6002.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-21 00:32
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{380014DB-5CCC-4339-A514AAAB6A3B43B8}]
"ImagePath"="\??\c:\windows\TEMP\1DB.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c1,02,3e,2b,9e,63,aa,4b,b2,d1,29,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c1,02,3e,2b,9e,63,aa,4b,b2,d1,29,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(560)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(3000)
c:\windows\system32\nview.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\browselc.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Dell\MediaDirect\Kernel\Video\CLMedia.dll
c:\windows\system32\quartz.dll
c:\program files\Dell\MediaDirect\Kernel\Video\CLM1Splter.ax
c:\program files\Dell\MediaDirect\Kernel\Video\CLM2Splter.ax
c:\windows\system32\dxmasf.dll
c:\windows\system32\DRMClien.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\RunDLL32.exe
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-08-21 00:39:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-21 04:39
.
Pre-Run: 8,243,224,576 bytes free
Post-Run: 8,470,327,296 bytes free
.
- - End Of File - - E1F73D045F4679CB0A8623215887BC7A



------------------


I think I have like, "Digital Legonaire's Disease". :-)
  • 0

#10
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
A couple of points that seem relevant here:

1.) Combofix popped up and said I had "The Rootkit Zero Access". It said it was in the TCP/IP, and that it was a difficult rootkit to remove.

I guess that tells us why I can't get online. On a related note, (I think), ever since this got infected, when the machine first starts up it launches, "Windows Installer". If I hit "Cancel", it slowly stops trying that, and boots up almost fully after that.

If I let the installer continue, it trys to install "Verizon something or other", and then stops when it says it needs a CD ROM that is not present. I have Verizon DSL at home, and I connect to the router wirelessly. I don't know if the virus itself did this, or if it happened when I tried to remove the rootkit. I hate this part. I am not good at networks or getting online. Not my forte.

2.) When I try to launch some programs, I get the popup saying I don't have permission. I think this has something to do with user manager. I think the rootkit took over- like "Invasion of the Bodysnatchers". I have a feeling this is going to be tough to fix, and I won't like it.

3.) For some reason, after I got rid of some of this, some of the shortcuts icons on my desktop turned into just standard images, not the individiaul pictures. I do know how to fix that, but I think it's related to the user permissions thing. Dunno, just a hunch.

Alright, I am just going to run the Zero Access remover.


(You kids at home don't try this- these people are trained professionals.)
  • 0

Advertisements


#11
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
OH! And....

"WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!"


It did. And that was of course the first thing I tried when this happened. But it wouldn't let me go through with rolling it back. Before I tried to remove this myself, there were indeed install points, and I manually rolled it back a few days. (By doing the risky move of cutting and pasting the indidual reg entries.)

Not sure why it says it isn't installed now.
  • 0

#12
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
Those other scans come back clean. And the Zero Access remover says I don't have the rootkit.


BUT....

I still can't access Windows Firewall. When I try to get to it, it says I can't, that I should go to Control Panel, and click on Windows Firewall. When I try that, I get a popup that says something like....

"Sorry. Windows cannot access the Windows Firewall/ ISC Internet Sharing "


To me, that sure sounds about the same as having "zero access", no?


Grrrrrrr. Now what?
  • 0

#13
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Best to reinstall the Recovery Console (not to be confused with System Recovery):

http://www.bleepingc...manual_recovery

Combofix doesn't work as well without it.

Cf is showing a few things I don't like:

These two files look like they have been tampered with:

2011-07-25 23:10 . 2004-08-10 17:51 359040 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-07-16 02:04 . 2004-08-10 18:01 40840 ----a-w- c:\windows\system32\drivers\termdd.sys

There is a random named service which runs from a temp folder. It might be some scan you have tried but I don't like the looks of it:

S3 {380014DB-5CCC-4339-A514AAAB6A3B43B8};{380014DB-5CCC-4339-A514AAAB6A3B43B8};\??\c:\windows\TEMP\1DB.tmp --> c:\windows\TEMP\1DB.tmp [?]

This thing is definitely evil:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tghpunaf
but it's easier to remove with OTL so we will see how that works before trying a CFScript

Copy the following:

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.*
%systemroot%\*. /mp /s
%systemroot%\System32\config\*.sav
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.exe
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Update\*.*
CREATERESTOREPOINT
%PROGRAMFILES%\*.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
color 9f & set /c
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%systemroot%\AppPatch\Custom\*.*
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%PROGRAMFILES%\Mozilla Firefox\firefox.exe /md5
%PROGRAMFILES%\Internet Explorer\iexplore.exe /md5
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
HKCU\Software\Microsoft\Command Processor\AutoRun
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
HKCU\Software\Policies\Microsoft\Windows\System\Scripts
HKLM\Software\Classes\AllFilesystemObjects\shellex\ColumnHandlers
HKLM\Software\Classes\AllFilesystemObjects\shellex\CopyHookHandlers
HKLM\Software\Classes\Directory\shellex\ColumnHandlers
HKLM\Software\Classes\Directory\shellex\DragDropHandlers
HKLM\Software\Classes\Directory\Background\shellex\ColumnHandlers
HKLM\Software\Classes\Directory\Background\shellex\CopyHookHandlers
HKLM\Software\Classes\Directory\Background\shellex\DragDropHandlers
HKLM\Software\Classes\Directory\Background\shellex\PropertySheetHandlers
HKLM\Software\Classes\Folder\shellex\ColumnHandlers
HKLM\Software\Classes\Folder\shellex\CopyHookHandlers
HKLM\Software\Microsoft\Command Processor\AutoRun
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\DeviceNotificationCallbacks
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Aedebug
HKLM\Software\Microsoft\Windows NT\CurrentVersion\InitFileMapping
HKLM\Software\Policies\Microsoft\Windows\System\Scripts
HKLM\System\CurrentControlSet\Control\ServiceControlManagerExtension
HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters
HKLM\System\CurrentControlSet\Control\Print\Monitors
HKLM\System\CurrentControlSet\Control\SafeBoot\AlternateShell
HKLM\System\CurrentControlSet\Control\SafeBoot\Option\UseAlternateShell
HKLM\System\CurrentControlSet\Control\Session Manager\Execute
HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute
HKLM\System\CurrentControlSet\Control\WOW\cmdline
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
type %USERPROFILE%\AppData\Local\Microsoft\Windows Sidebar\Settings.ini /c
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
/md5start
tcpip.sys
termdd.sys
/md5stop


Run OTL and paste the above into the Custom Scan/Fixes box then RUN SCAN. Copy and Paste the log you get.

Ron
  • 0

#14
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
Best to reinstall the Recovery Console (not to be confused with System Recovery):

http://www.bleepingc...manual_recovery



OK. But remember, I have to download from another machine and use a flash drive, not easy. I'll do whatever it takes. I sure don't like what I have been reading about this bugger.

I'll see about the recovery console now...
  • 0

#15
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
OK, I started that little journey to (re) install the recovery console. It sent my to Microsoft's site, and I got a headache. I don't have a Windows disk, and they want me to download a boot disk.

I have a feeling that given how tired I am, and that this is Microsoft I am dealing with here, that this will be productive right now. Looks like a way bigger project than it ought to be.

Besides, you want me to do the other thing right now, right? The OTL deal?
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP