Challenging Rootkit



#16
RKinner

    Malware Expert

  • Expert
  • 20,029 posts
  • MVP
OK Do the OTL that's easy. The other one is not so bad but it can wait.


#17
rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • 168 posts
OK, here is the latest OTL log. How's it looking?

==========

OTL logfile created on: 8/21/2011 2:07:17 AM - Run 2
OTL by OldTimer - Version 3.2.26.5 Folder = C:\Documents and Settings\steve\Desktop\geekstogo
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.11 Mb Total Physical Memory | 707.31 Mb Available Physical Memory | 69.20% Memory free
2.40 Gb Paging File | 2.22 Gb Available in Paging File | 92.25% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 109.18 Gb Total Space | 7.94 Gb Free Space | 7.27% Space Free | Partition Type: NTFS
Drive F: | 7.47 Gb Total Space | 0.28 Gb Free Space | 3.68% Space Free | Partition Type: FAT32

Computer Name: D6YKGDD1 | User Name: steve | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/20 16:44:24 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\geekstogo\OTL.com
PRC - [2009/03/03 13:50:33 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2007/06/06 16:28:18 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2007/05/14 15:23:32 | 001,191,936 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2006/11/02 15:05:50 | 000,282,624 | ---- | M] (Knowles Acoustics) -- C:\WINDOWS\system32\KADxMain.exe
PRC - [2005/07/22 23:25:06 | 000,172,032 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
PRC - [2005/07/22 23:25:04 | 000,049,152 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
PRC - [2004/08/04 06:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2007/06/06 16:35:02 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\nvshell.dll
MOD - [2007/06/06 16:34:54 | 001,474,560 | ---- | M] () -- C:\WINDOWS\system32\nview.dll
MOD - [2007/05/14 15:24:00 | 000,098,304 | ---- | M] () -- C:\Program Files\Dell\QuickSet\dadkeyb.dll
MOD - [2007/05/09 15:59:44 | 000,086,016 | ---- | M] () -- C:\WINDOWS\system32\preflib.dll
MOD - [2005/10/13 14:53:36 | 000,090,223 | ---- | M] () -- C:\Program Files\Dell\QuickSet\preflibcl.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (tgsrvc_verizondm) SupportSoft Repair Service (verizondm)
SRV - File not found [Auto | Stopped] -- -- (sprtsvc_verizondm) SupportSoft Sprocket Service (verizondm)
SRV - [2007/08/09 08:37:20 | 000,068,096 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- (Macromedia Licensing Service)


========== Driver Services (SafeList) ==========

DRV - [2007/06/06 16:28:16 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/05/09 15:59:42 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2007/05/08 22:49:02 | 000,045,568 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2007/05/08 22:46:12 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/05/08 22:46:08 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2007/05/08 22:46:06 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/04/23 22:15:46 | 000,989,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2007/04/23 22:15:46 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2007/04/23 22:15:44 | 000,209,152 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/12/18 20:01:20 | 000,012,672 | ---- | M] (SingleClick Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\packet.sys -- (Packet)
DRV - [2006/11/02 13:31:38 | 000,103,168 | ---- | M] (Knowles Acoustics) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dxec02.sys -- (DXEC02)
DRV - [2005/11/17 04:33:52 | 000,108,168 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2005/08/12 18:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/02/16 17:51:26 | 000,016,128 | ---- | M] (Digital Networks North America, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RIOUNIV.SYS -- (RIOUNIV)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.stevefisk.../work_start.htm
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Oracle)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.50524.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\WINDOWS\system32\TVUAx\npTVUAx.dll (TVU networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.69: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{C3D7C3E1-0A58-4A19-BEFF-2A8C2E7E65DE}: C:\Documents and Settings\steve\Local Settings\Application Data\{C3D7C3E1-0A58-4A19-BEFF-2A8C2E7E65DE}
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/02 18:53:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/08/02 18:53:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/09/03 11:57:32 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2009/05/29 17:24:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\steve\Application Data\Mozilla\Extensions
[2011/08/17 03:15:45 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\steve\Application Data\Mozilla\Firefox\Profiles\mcfmaym4.default\extensions
[2011/08/02 18:54:12 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\steve\Application Data\Mozilla\Firefox\Profiles\mcfmaym4.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/08/02 18:47:43 | 000,000,000 | ---D | M] (User Agent Switcher) -- C:\Documents and Settings\steve\Application Data\Mozilla\Firefox\Profiles\mcfmaym4.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
[2011/08/02 18:51:59 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/07/08 03:16:28 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/07/19 18:29:14 | 000,423,656 | ---- | M] (Oracle) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/08/21 00:30:38 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe (HP)
O4 - HKLM..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe (Knowles Acoustics)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk = C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe ()
O4 - Startup: C:\Documents and Settings\steve\Start Menu\Programs\Startup\Shortcut to SDMain.lnk = C:\Program Files\Spybot - Search & Destroy\SDMain.exe (Safer Networking Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: tghpunaf - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpFolder: C:^Documents and Settings^steve^Start Menu^Programs^Startup^_uninst_90142563.lnk - - File not found
MsConfig - StartUpReg: Malwarebytes' Anti-Malware - hkey= - key= - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
MsConfig - StartUpReg: Spyware Doctor - hkey= - key= - C:\Documents and Settings\steve\Desktop\sdsetup_revwire207.exe ()
MsConfig - StartUpReg: SUPERAntiSpyware - hkey= - key= - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe ()
MsConfig - StartUpReg: VERIZONDM - hkey= - key= - C:\Program Files\VERIZONDM\bin\sprtcmd.exe (SupportSoft, Inc.)

SafeBootMin: AppMgmt - File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AppMgmt - File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {94de52c8-2d59-4f1b-883e-79663d2d9a8c} - Fax Provider
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/08/21 00:39:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/08/20 23:50:17 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/08/20 23:50:17 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/08/20 23:50:17 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/08/20 23:50:17 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/08/20 23:50:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/08/20 23:50:04 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/08/20 22:55:24 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/08/20 22:55:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/08/20 22:55:17 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/08/20 16:57:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\geekstogo
[2011/08/19 20:20:59 | 000,000,000 | R--D | C] -- C:\Documents and Settings\steve\Start Menu\Programs\Administrative Tools
[2011/08/19 20:20:42 | 000,607,017 | R--- | C] (Swearware) -- C:\Documents and Settings\steve\Desktop\dds.scr
[2011/08/19 19:53:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\bleeping
[2011/08/18 13:13:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/08/18 07:59:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2011/08/18 07:12:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/08/18 03:18:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\dell-project
[2011/08/18 03:07:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\New Folder
[2011/08/18 02:02:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\New Folder (3)
[2011/08/17 22:19:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Start Menu\Programs\RegCure
[2011/08/17 22:19:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\RegCure
[2011/08/17 12:59:11 | 000,000,000 | ---D | C] -- C:\MGtools
[2011/08/17 12:56:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Application Data\SUPERAntiSpyware.com
[2011/08/17 12:56:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2011/08/17 12:56:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/08/17 12:56:37 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/08/17 12:42:12 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\steve\Desktop\RootRepeal.exe
[2011/08/17 12:26:44 | 012,483,776 | ---- | C] (SUPERAntiSpyware.com) -- C:\Documents and Settings\steve\Desktop\SUPERAntiSpyware.exe
[2011/08/17 12:02:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\showthread.php_files
[2011/08/17 12:00:59 | 016,897,824 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\steve\Desktop\jre-6u27-windows-i586.exe
[2011/08/17 03:52:29 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/08/17 03:51:56 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\steve\Desktop\esetsmartinstaller_enu.exe
[2011/08/17 03:41:07 | 000,309,320 | ---- | C] (BitDefender S.R.L.) -- C:\WINDOWS\System32\drivers\TrufosAlt.sys
[2011/08/17 03:39:32 | 007,045,869 | ---- | C] (BitDefender LLC) -- C:\Documents and Settings\steve\Desktop\BDRemovalTool_TDSS_TDL4__x86.exe
[2011/08/17 03:19:01 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2011/08/17 02:54:01 | 000,000,000 | ---D | C] -- C:\Program Files\RegCure
[2011/08/17 02:48:28 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\steve\Recent
[2011/08/17 01:58:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\tdsskiller
[2011/08/16 17:02:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\pL15401GdHlG15401
[2011/08/10 00:49:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\Copy of New Folder (2)
[2011/08/10 00:42:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\New Folder (2)
[2011/08/09 19:12:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2011/08/09 19:09:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2011/08/09 19:08:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
[2011/08/09 19:07:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\Temp
[2011/08/09 19:07:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2011/08/09 19:06:38 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2011/08/09 19:06:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\Google
[2011/08/03 17:02:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\dwhelper
[2011/08/02 18:21:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\8-2
[2011/07/26 17:13:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\7-26
[2011/07/25 19:10:21 | 000,359,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\tcpip.copy
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/21 01:22:20 | 000,041,335 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2011/08/21 01:22:04 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/08/21 01:21:37 | 1071,837,184 | -HS- | M] () -- C:\hiberfil.sys
[2011/08/21 01:18:06 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/08/21 00:30:38 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/08/20 23:31:11 | 000,002,855 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\ComboFix.PIF
[2011/08/20 22:55:24 | 000,000,791 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/19 20:18:52 | 000,607,017 | R--- | M] (Swearware) -- C:\Documents and Settings\steve\Desktop\dds.scr
[2011/08/19 19:59:34 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\steve\defogger_reenable
[2011/08/18 15:27:54 | 000,000,657 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Shortcut to firefox.lnk
[2011/08/18 15:27:01 | 000,000,695 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Shortcut to mbam.lnk
[2011/08/18 15:09:26 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\steve\Start Menu\Programs\Startup\Shortcut to SDMain.lnk
[2011/08/18 14:30:10 | 000,001,917 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/08/18 13:13:42 | 000,000,862 | ---- | M] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/08/18 13:13:42 | 000,000,844 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Spybot - Search & Destroy.lnk
[2011/08/18 10:00:10 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Shortcut to SDMain.lnk
[2011/08/18 08:40:08 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1
[2011/08/18 08:36:49 | 000,001,409 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\settings.dat
[2011/08/18 08:36:49 | 000,000,111 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\dht.dat
[2011/08/18 08:36:49 | 000,000,099 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\rss.dat
[2011/08/18 08:34:25 | 000,000,058 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\resume.dat.old
[2011/08/18 08:03:54 | 000,000,574 | ---- | M] () -- C:\cleanup.bat
[2011/08/18 07:33:12 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\steve\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/18 06:27:28 | 000,000,015 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\settings.dat.old
[2011/08/18 05:58:03 | 000,043,084 | ---- | M] () -- C:\Documents and Settings\steve\My Documents\cc_20110818_055739.reg
[2011/08/18 03:30:34 | 000,010,752 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\exefix_xp.com
[2011/08/18 02:34:16 | 000,512,992 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\sdsetup_revwire207.exe
[2011/08/17 17:09:49 | 000,002,333 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
[2011/08/17 13:34:30 | 004,175,495 | R--- | M] () -- C:\Documents and Settings\steve\Desktop\ComboFix.exe
[2011/08/17 13:23:12 | 000,000,000 | ---- | M] () -- C:\WINDOWS\2363981562
[2011/08/17 13:20:40 | 000,724,952 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\avenger.zip
[2011/08/17 13:03:03 | 016,941,112 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\SAS_75270.COM
[2011/08/17 12:59:04 | 002,419,140 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\MGtools.exe
[2011/08/17 12:56:40 | 000,001,685 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/08/17 12:53:33 | 000,068,684 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\GooredFix_d7057.html
[2011/08/17 12:31:35 | 102,578,536 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\setup_11.0.0.1245.x01_2011_08_17_13_14.exe
[2011/08/17 12:31:33 | 012,483,776 | ---- | M] (SUPERAntiSpyware.com) -- C:\Documents and Settings\steve\Desktop\SUPERAntiSpyware.exe
[2011/08/17 12:24:13 | 000,465,298 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\RootRepeal.rar
[2011/08/17 12:15:46 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\MBRCheck.exe
[2011/08/17 12:04:25 | 016,897,824 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\steve\Desktop\jre-6u27-windows-i586.exe
[2011/08/17 12:02:18 | 000,091,877 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\showthread.php.htm
[2011/08/17 11:30:41 | 000,309,320 | ---- | M] (BitDefender S.R.L.) -- C:\WINDOWS\System32\drivers\TrufosAlt.sys
[2011/08/17 03:52:21 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\steve\Desktop\esetsmartinstaller_enu.exe
[2011/08/17 03:49:38 | 000,000,345 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\rkill.pif.htm
[2011/08/17 03:47:28 | 001,404,720 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\TDSSKiller.exe
[2011/08/17 03:40:55 | 007,045,869 | ---- | M] (BitDefender LLC) -- C:\Documents and Settings\steve\Desktop\BDRemovalTool_TDSS_TDL4__x86.exe
[2011/08/17 02:54:01 | 000,000,459 | ---- | M] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\RegCure.lnk
[2011/08/17 02:54:01 | 000,000,441 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RegCure.lnk
[2011/08/17 01:57:05 | 001,388,507 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\tdsskiller.zip
[2011/08/17 00:47:23 | 000,010,120 | ---- | M] () -- C:\Documents and Settings\steve\My Documents\cc_20110817_004708.reg
[2011/08/16 23:43:06 | 000,041,335 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2011/08/09 19:09:15 | 000,000,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/08/09 19:08:46 | 000,001,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2011/08/09 19:08:46 | 000,001,798 | ---- | M] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/07/23 10:56:25 | 000,001,641 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Firefox Profile Manager.lnk
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/20 23:50:17 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/08/20 23:50:17 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/08/20 23:50:17 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/08/20 23:50:17 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/08/20 23:50:17 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/08/20 23:31:11 | 000,002,855 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\ComboFix.PIF
[2011/08/20 22:55:24 | 000,000,791 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/19 19:59:34 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\steve\defogger_reenable
[2011/08/18 15:27:54 | 000,000,657 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Shortcut to firefox.lnk
[2011/08/18 15:27:01 | 000,000,695 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Shortcut to mbam.lnk
[2011/08/18 15:09:26 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\steve\Start Menu\Programs\Startup\Shortcut to SDMain.lnk
[2011/08/18 14:28:24 | 000,001,917 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/08/18 13:13:42 | 000,000,862 | ---- | C] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/08/18 13:13:42 | 000,000,844 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Spybot - Search & Destroy.lnk
[2011/08/18 10:00:10 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Shortcut to SDMain.lnk
[2011/08/18 09:35:57 | 1071,837,184 | -HS- | C] () -- C:\hiberfil.sys
[2011/08/18 08:40:08 | 000,004,128 | ---- | C] () -- C:\INFCACHE.1
[2011/08/18 08:36:49 | 000,000,111 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\dht.dat
[2011/08/18 08:36:49 | 000,000,099 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\rss.dat
[2011/08/18 08:24:24 | 000,000,058 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\resume.dat.old
[2011/08/18 07:59:34 | 000,512,992 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\sdsetup_revwire207.exe
[2011/08/18 05:57:42 | 000,043,084 | ---- | C] () -- C:\Documents and Settings\steve\My Documents\cc_20110818_055739.reg
[2011/08/18 03:42:47 | 000,010,752 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\exefix_xp.com
[2011/08/17 13:33:47 | 004,175,495 | R--- | C] () -- C:\Documents and Settings\steve\Desktop\ComboFix.exe
[2011/08/17 13:21:55 | 000,000,574 | ---- | C] () -- C:\cleanup.bat
[2011/08/17 13:20:35 | 000,724,952 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\avenger.zip
[2011/08/17 12:59:54 | 016,941,112 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\SAS_75270.COM
[2011/08/17 12:58:35 | 002,419,140 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\MGtools.exe
[2011/08/17 12:56:40 | 000,001,685 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/08/17 12:53:32 | 000,068,684 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\GooredFix_d7057.html
[2011/08/17 12:42:19 | 000,001,409 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\settings.dat
[2011/08/17 12:42:19 | 000,000,015 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\settings.dat.old
[2011/08/17 12:24:11 | 000,465,298 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\RootRepeal.rar
[2011/08/17 12:15:49 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\MBRCheck.exe
[2011/08/17 12:09:18 | 102,578,536 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\setup_11.0.0.1245.x01_2011_08_17_13_14.exe
[2011/08/17 12:02:17 | 000,091,877 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\showthread.php.htm
[2011/08/17 03:49:37 | 000,000,345 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\rkill.pif.htm
[2011/08/17 03:23:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\2363981562
[2011/08/17 02:54:01 | 000,000,459 | ---- | C] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\RegCure.lnk
[2011/08/17 02:54:01 | 000,000,441 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RegCure.lnk
[2011/08/17 01:57:03 | 001,388,507 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\tdsskiller.zip
[2011/08/17 00:47:11 | 000,010,120 | ---- | C] () -- C:\Documents and Settings\steve\My Documents\cc_20110817_004708.reg
[2011/08/09 19:09:15 | 000,000,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/08/09 19:08:46 | 000,001,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2011/08/09 19:08:46 | 000,001,798 | ---- | C] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/08/09 19:07:04 | 000,000,884 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/08/09 19:07:03 | 000,000,880 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/07/23 10:35:51 | 000,001,641 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Firefox Profile Manager.lnk
[2011/01/14 16:52:21 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/19 16:12:21 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/07/07 13:08:18 | 000,000,059 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2009/07/07 13:07:36 | 000,000,058 | ---- | C] () -- C:\WINDOWS\EPSPRX580.ini
[2009/07/07 12:28:59 | 000,073,220 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2009/07/07 12:28:59 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2009/07/07 12:28:59 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2009/07/07 12:28:59 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2009/07/07 12:28:59 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2009/07/07 12:28:59 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2009/07/07 12:28:59 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2009/07/07 12:28:59 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2009/07/07 12:28:59 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2009/07/07 12:28:59 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2009/07/07 12:28:59 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2009/07/07 12:28:59 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2009/07/07 12:28:59 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2009/07/07 12:28:59 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2009/07/07 12:28:59 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2009/07/07 12:28:59 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/06/02 15:59:00 | 000,032,397 | ---- | C] () -- C:\WINDOWS\SGTBox.INI
[2009/06/02 15:46:52 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A4W.INI
[2009/06/02 15:45:56 | 000,001,393 | ---- | C] () -- C:\WINDOWS\pstudio.ini
[2009/06/02 15:45:56 | 000,000,028 | ---- | C] () -- C:\WINDOWS\album.ini
[2009/06/02 15:45:51 | 000,000,021 | ---- | C] () -- C:\WINDOWS\Ps_setup.ini
[2009/05/19 16:35:29 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/04/09 07:51:52 | 000,000,147 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/04/09 07:10:27 | 000,001,152 | ---- | C] () -- C:\WINDOWS\System32\windrv.sys
[2009/03/28 17:25:34 | 000,010,756 | ---- | C] () -- C:\WINDOWS\hpdj3740.ini
[2007/12/30 00:32:58 | 000,001,158 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/08/08 01:56:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2007/07/31 01:41:12 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/07/31 01:31:34 | 000,198,144 | ---- | C] () -- C:\WINDOWS\System32\_psisdecd.dll
[2007/07/31 01:27:06 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2007/07/31 01:27:04 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2007/07/31 01:10:21 | 000,041,335 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2007/07/31 01:04:24 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2007/07/31 01:04:23 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2007/07/31 01:04:05 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/07/31 01:04:05 | 001,626,112 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2007/07/31 01:04:05 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/07/31 01:04:04 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/07/31 01:04:04 | 001,018,804 | ---- | C] () -- C:\WINDOWS\System32\nvucode.bin
[2007/07/31 01:04:04 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/07/31 01:04:03 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2007/07/31 01:04:02 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2007/07/31 01:04:01 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2007/07/31 01:03:03 | 000,001,118 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/07/22 23:25:07 | 000,005,428 | ---- | C] () -- C:\WINDOWS\hpfmdl_s04_main.dat
[2005/07/22 23:25:07 | 000,000,362 | ---- | C] () -- C:\WINDOWS\hpfins_s04_main.dat
[2004/08/10 14:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 14:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 14:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 13:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 13:57:15 | 000,202,528 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 13:51:21 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2004/08/10 13:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 13:51:20 | 000,405,878 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 13:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 13:51:20 | 000,064,262 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 13:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 13:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 13:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 13:51:17 | 006,566,656 | ---- | C] () -- C:\WINDOWS\System32\htscxjgq.dat
[2004/08/10 13:51:17 | 000,633,600 | ---- | C] () -- C:\WINDOWS\System32\kbuxwhib.dat
[2004/08/10 13:51:17 | 000,219,392 | ---- | C] () -- C:\WINDOWS\System32\viliuyzf.dat
[2004/08/10 13:51:17 | 000,050,944 | ---- | C] () -- C:\WINDOWS\System32\biooqdck.dat
[2004/08/10 13:51:17 | 000,047,360 | ---- | C] () -- C:\WINDOWS\System32\ingfjqqb.dat
[2004/08/10 13:51:17 | 000,036,608 | ---- | C] () -- C:\WINDOWS\System32\hyfizoei.dat
[2004/08/10 13:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 13:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 13:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 13:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 13:50:56 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2004/08/10 14:04:08 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2011/08/18 08:04:38 | 000,000,886 | ---- | M] () -- C:\avenger.txt
[2007/08/06 22:04:00 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2011/08/18 08:03:54 | 000,000,574 | ---- | M] () -- C:\cleanup.bat
[2011/08/21 00:39:34 | 000,029,946 | ---- | M] () -- C:\ComboFix.txt
[2004/08/10 14:04:08 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2007/07/31 01:06:30 | 000,005,979 | RH-- | M] () -- C:\dell.sdr
[2011/08/21 01:21:37 | 1071,837,184 | -HS- | M] () -- C:\hiberfil.sys
[2011/08/18 08:40:08 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1
[2004/08/10 14:04:08 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
[2004/08/10 14:04:08 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
[2004/08/04 06:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2004/08/04 06:00:00 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2011/08/21 01:21:20 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
[2011/08/17 02:55:30 | 000,000,268 | ---- | M] () -- C:\rkill.log
[2011/08/17 12:49:46 | 000,000,016 | ---- | M] () -- C:\RootRepeal report 08-17-11 (12-49-46).txt
[2007/07/31 01:37:29 | 000,000,071 | ---- | M] () -- C:\SystemInfo.ini
[2011/07/15 22:03:45 | 000,052,474 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_15.07.2011_22.02.06_log.txt
[2011/07/15 22:06:48 | 000,050,070 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_15.07.2011_22.05.58_log.txt
[2011/08/16 23:47:02 | 000,014,774 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_16.08.2011_23.46.47_log.txt
[2011/08/17 01:53:44 | 000,051,950 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_17.08.2011_01.52.55_log.txt
[2011/08/17 01:56:35 | 000,000,414 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_17.08.2011_01.56.25_log.txt
[2011/08/17 01:58:50 | 000,014,774 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_17.08.2011_01.58.38_log.txt
[2011/08/17 02:01:15 | 000,014,774 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_17.08.2011_02.00.54_log.txt
[2011/08/17 02:04:12 | 000,004,314 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_17.08.2011_02.03.52_log.txt
[2011/08/17 02:07:05 | 000,014,774 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_17.08.2011_02.06.42_log.txt
[2011/08/17 03:22:06 | 000,150,274 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_17.08.2011_03.16.24_log.txt
[2011/08/17 03:28:45 | 000,014,774 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_17.08.2011_03.28.35_log.txt
[2011/08/17 03:29:14 | 000,017,054 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_17.08.2011_03.28.59_log.txt
[2011/08/17 03:29:37 | 000,014,774 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_17.08.2011_03.29.28_log.txt
[2011/08/17 03:30:24 | 000,014,774 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_17.08.2011_03.30.16_log.txt
[2011/08/17 11:27:23 | 000,015,014 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_17.08.2011_11.27.13_log.txt
[2011/08/17 11:55:57 | 000,015,016 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_17.08.2011_11.55.48_log.txt
[2011/08/17 12:32:20 | 000,015,016 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_17.08.2011_12.32.12_log.txt
[2011/08/17 13:47:27 | 000,052,214 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_17.08.2011_13.45.11_log.txt
[2011/08/18 06:21:14 | 000,050,010 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_18.08.2011_06.20.48_log.txt
[2011/08/18 06:21:22 | 000,002,138 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_18.08.2011_06.21.15_log.txt
[2011/08/18 09:40:59 | 000,002,138 | ---- | M] () -- C:\TDSSKiller.2.5.11.0_18.08.2011_09.40.50_log.txt
[2011/08/17 01:58:22 | 000,014,774 | ---- | M] () -- C:\TDSSKiller.2.5.15.0_17.08.2011_01.58.13_log.txt
[2011/08/17 03:44:30 | 000,015,014 | ---- | M] () -- C:\TDSSKiller.2.5.15.0_17.08.2011_03.44.03_log.txt
[2011/08/17 03:47:46 | 000,015,014 | ---- | M] () -- C:\TDSSKiller.2.5.15.0_17.08.2011_03.47.38_log.txt
[2011/08/17 11:30:04 | 000,014,774 | ---- | M] () -- C:\TDSSKiller.2.5.15.0_17.08.2011_11.29.49_log.txt
[2011/08/21 01:17:10 | 000,049,768 | ---- | M] () -- C:\TDSSKiller.2.5.16.0_21.08.2011_01.15.16_log.txt
[2011/08/17 00:41:47 | 000,000,137 | ---- | M] () -- C:\VundoFix.txt

< %systemroot%\system32\Spool\prtprocs\w32x86\*.* >
[2003/06/18 17:31:48 | 000,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\Spool\prtprocs\w32x86\mdippr.dll

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2004/08/10 13:56:48 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2004/08/10 13:56:46 | 000,634,880 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2004/08/10 13:56:46 | 000,872,448 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.com >

< %systemroot%\Fonts\*.exe >

< %systemroot%\Fonts\*.ini >
[2004/08/10 14:03:42 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >
[2007/05/17 21:32:50 | 000,326,742 | ---- | M] () -- C:\WINDOWS\Vostro_NB_1280x864_01.jpg

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Update\*.* >

< %PROGRAMFILES%\*. >
[2009/03/03 12:52:43 | 000,000,000 | ---D | M] -- C:\Program Files\7-Zip
[2007/08/09 08:30:21 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2009/02/15 01:05:18 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2009/07/07 13:10:10 | 000,000,000 | ---D | M] -- C:\Program Files\ArcSoft
[2011/08/17 17:32:32 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2007/07/31 01:27:49 | 000,000,000 | ---D | M] -- C:\Program Files\Broadcom
[2009/06/02 15:46:41 | 000,000,000 | ---D | M] -- C:\Program Files\Canon
[2011/08/09 19:08:46 | 000,000,000 | ---D | M] -- C:\Program Files\CCleaner
[2011/08/21 00:22:52 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2004/08/10 14:02:08 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2007/07/31 01:28:39 | 000,000,000 | ---D | M] -- C:\Program Files\CONEXANT
[2007/07/31 01:31:40 | 000,000,000 | ---D | M] -- C:\Program Files\CyberLink
[2007/07/31 01:31:19 | 000,000,000 | ---D | M] -- C:\Program Files\Dell
[2011/08/20 22:42:47 | 000,000,000 | ---D | M] -- C:\Program Files\Dell Network Assistant
[2007/07/31 01:27:33 | 000,000,000 | ---D | M] -- C:\Program Files\Digital Line Detect
[2007/07/31 01:37:25 | 000,000,000 | ---D | M] -- C:\Program Files\EarthLink Setup
[2009/07/07 13:11:04 | 000,000,000 | ---D | M] -- C:\Program Files\epson
[2009/07/07 13:09:43 | 000,000,000 | ---D | M] -- C:\Program Files\EPSON Print CD
[2011/08/17 03:52:29 | 000,000,000 | ---D | M] -- C:\Program Files\ESET
[2009/02/23 10:10:14 | 000,000,000 | ---D | M] -- C:\Program Files\FrostWire
[2011/08/09 19:08:29 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2009/03/28 17:27:36 | 000,000,000 | ---D | M] -- C:\Program Files\Hewlett-Packard
[2009/03/28 17:26:08 | 000,000,000 | ---D | M] -- C:\Program Files\HP
[2009/07/07 13:10:09 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2010/10/13 14:57:38 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2009/02/15 01:06:29 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2009/02/15 01:06:51 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2010/07/19 18:29:06 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2010/10/13 14:55:58 | 000,000,000 | ---D | M] -- C:\Program Files\Kodak
[2007/08/09 08:37:15 | 000,000,000 | ---D | M] -- C:\Program Files\Macromedia
[2011/08/20 22:55:27 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/02/14 17:01:26 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2009/05/19 16:34:13 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2004/08/10 14:04:18 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2009/06/13 09:28:04 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft IntelliPoint
[2009/05/19 16:33:43 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2010/07/30 01:14:08 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2009/02/14 17:01:27 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Works
[2009/05/19 16:31:53 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2007/07/31 01:27:25 | 000,000,000 | ---D | M] -- C:\Program Files\Modem Diagnostic Tool
[2004/08/10 14:02:30 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2011/08/18 15:27:56 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2011/08/19 19:54:42 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Thunderbird
[2004/08/10 14:01:16 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2004/08/10 14:01:24 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2004/08/10 14:02:28 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2009/02/14 17:01:28 | 000,000,000 | ---D | M] -- C:\Program Files\NetWaiting
[2009/04/14 08:20:58 | 000,000,000 | ---D | M] -- C:\Program Files\Norton Internet Security
[2004/08/10 14:01:34 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2007/07/31 01:22:06 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2009/03/12 19:43:35 | 000,000,000 | ---D | M] -- C:\Program Files\QuickPar
[2009/02/15 01:06:00 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2009/03/03 13:50:34 | 000,000,000 | ---D | M] -- C:\Program Files\Real
[2011/08/18 02:10:03 | 000,000,000 | ---D | M] -- C:\Program Files\RegCure
[2009/02/16 20:14:07 | 000,000,000 | ---D | M] -- C:\Program Files\Rio
[2007/07/31 01:30:30 | 000,000,000 | ---D | M] -- C:\Program Files\Sigmatel
[2011/08/18 15:10:42 | 000,000,000 | ---D | M] -- C:\Program Files\Spybot - Search & Destroy
[2011/04/17 14:24:06 | 000,000,000 | ---D | M] -- C:\Program Files\StreamTorrent 1.0
[2011/08/17 17:32:32 | 000,000,000 | ---D | M] -- C:\Program Files\SUPERAntiSpyware
[2007/07/31 01:34:46 | 000,000,000 | ---D | M] -- C:\Program Files\Symantec
[2007/07/31 01:09:48 | 000,000,000 | ---D | M] -- C:\Program Files\Synaptics
[2011/03/10 13:05:43 | 000,000,000 | ---D | M] -- C:\Program Files\Thumbs7
[2011/06/22 14:22:10 | 000,000,000 | ---D | M] -- C:\Program Files\TVUPlayer
[2004/08/10 14:08:30 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2009/02/16 13:05:07 | 000,000,000 | ---D | M] -- C:\Program Files\uTorrent
[2010/06/24 18:41:11 | 000,000,000 | ---D | M] -- C:\Program Files\Verizon
[2010/06/24 18:34:23 | 000,000,000 | ---D | M] -- C:\Program Files\VERIZONDM
[2009/02/17 02:09:23 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2007/08/09 08:46:38 | 000,000,000 | ---D | M] -- C:\Program Files\Visicom Media
[2009/03/12 19:42:14 | 000,000,000 | ---D | M] -- C:\Program Files\vso
[2007/07/31 01:31:06 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2004/08/10 14:01:16 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2004/08/10 14:02:52 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2004/08/10 14:04:18 | 000,000,000 | ---D | M] -- C:\Program Files\xerox

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< color 9f & set /c >
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\steve\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=D6YKGDD1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\steve
LOGONSERVER=\\D6YKGDD1
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\steve\LOCALS~1\Temp
TMP=C:\DOCUME~1\steve\LOCALS~1\Temp
USERDOMAIN=D6YKGDD1
USERNAME=steve
USERPROFILE=C:\Documents and Settings\steve
windir=C:\WINDOWS

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2004/08/10 14:04:12 | 000,000,294 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2007/08/06 22:04:42 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2004/08/10 14:08:38 | 000,000,079 | -H-- | M] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2009/03/28 17:24:34 | 013,925,032 | ---- | M] (Hewlett-Packard Company ) -- C:\Documents and Settings\steve\Desktop\3740_enu_win2k_xp.exe
[2009/03/17 09:40:02 | 043,083,040 | ---- | M] ( ) -- C:\Documents and Settings\steve\Desktop\AdbeRdr910_en_US_Std.exe
[2011/08/17 03:40:55 | 007,045,869 | ---- | M] (BitDefender LLC) -- C:\Documents and Settings\steve\Desktop\BDRemovalTool_TDSS_TDL4__x86.exe
[2010/07/18 14:08:36 | 003,396,176 | ---- | M] (Piriform Ltd) -- C:\Documents and Settings\steve\Desktop\ccsetup233.exe
[2011/08/17 13:34:30 | 004,175,495 | R--- | M] () -- C:\Documents and Settings\steve\Desktop\ComboFix.exe
[2011/08/17 03:52:21 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\steve\Desktop\esetsmartinstaller_enu.exe
[2011/08/17 12:04:25 | 016,897,824 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\steve\Desktop\jre-6u27-windows-i586.exe
[2011/08/17 12:15:46 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\MBRCheck.exe
[2011/08/17 12:59:04 | 002,419,140 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\MGtools.exe
[2007/06/18 15:22:56 | 002,244,280 | ---- | M] (Linksys, a Division of Cisco Systems, Inc.) -- C:\Documents and Settings\steve\Desktop\PCConnect.exe
[2009/03/03 13:45:38 | 000,476,696 | ---- | M] (RealNetworks, Inc.) -- C:\Documents and Settings\steve\Desktop\RealPlayer11GOLD.exe
[2009/08/13 11:14:17 | 000,472,064 | ---- | M] ( ) -- C:\Documents and Settings\steve\Desktop\RootRepeal.exe
[2011/08/18 02:34:16 | 000,512,992 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\sdsetup_revwire207.exe
[2011/08/17 12:31:35 | 102,578,536 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\setup_11.0.0.1245.x01_2011_08_17_13_14.exe
[2010/07/30 01:08:34 | 006,259,064 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\steve\Desktop\Silverlight.exe
[2011/08/17 12:31:33 | 012,483,776 | ---- | M] (SUPERAntiSpyware.com) -- C:\Documents and Settings\steve\Desktop\SUPERAntiSpyware.exe
[2011/08/17 03:47:28 | 001,404,720 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\TDSSKiller.exe
[2009/02/16 13:04:48 | 000,270,128 | ---- | M] (BitTorrent, Inc.) -- C:\Documents and Settings\steve\Desktop\utorrent.exe
[2010/07/18 16:36:32 | 000,096,978 | ---- | M] (Business Information Solutions) -- C:\Documents and Settings\steve\Desktop\VirtumundoBeGone.exe
[2010/07/18 16:28:32 | 000,119,808 | ---- | M] (Atribune.org) -- C:\Documents and Settings\steve\Desktop\VundoFix.exe
[2006/12/30 06:31:42 | 000,539,448 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\steve\Desktop\WindowsXP-KB923293-v4-x86-ENU.exe
[2009/07/30 12:06:40 | 000,629,288 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\steve\Desktop\WindowsXP-KB932823-v3-x86-ENU.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %systemroot%\AppPatch\Custom\*.* >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %PROGRAMFILES%\Mozilla Firefox\firefox.exe /md5 >
[2011/07/08 03:16:28 | 000,924,632 | ---- | M] (Mozilla Corporation) MD5=5FB5D1A2267831208B4EE46149AF7B18 -- C:\Program Files\Mozilla Firefox\firefox.exe

< %PROGRAMFILES%\Internet Explorer\iexplore.exe /md5 >
[2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- C:\Program Files\Internet Explorer\iexplore.exe

< HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore >

< HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath >

< HKCU\Software\Microsoft\Command Processor\AutoRun >

< HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration >

< HKCU\Software\Policies\Microsoft\Windows\System\Scripts >

< HKLM\Software\Classes\AllFilesystemObjects\shellex\ColumnHandlers >

< HKLM\Software\Classes\AllFilesystemObjects\shellex\CopyHookHandlers >

< HKLM\Software\Classes\Directory\shellex\ColumnHandlers >

< HKLM\Software\Classes\Directory\shellex\DragDropHandlers >

< HKLM\Software\Classes\Directory\Background\shellex\ColumnHandlers >

< HKLM\Software\Classes\Directory\Background\shellex\CopyHookHandlers >

< HKLM\Software\Classes\Directory\Background\shellex\DragDropHandlers >

< HKLM\Software\Classes\Directory\Background\shellex\PropertySheetHandlers >

< HKLM\Software\Classes\Folder\shellex\ColumnHandlers >

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}]

< HKLM\Software\Classes\Folder\shellex\CopyHookHandlers >

< HKLM\Software\Microsoft\Command Processor\AutoRun >

< HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\DeviceNotificationCallbacks >

< HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration >

< HKLM\Software\Microsoft\Windows NT\CurrentVersion\Aedebug >
"Auto" = 1
"Debugger" = drwtsn32 -p %ld -e %ld -g -- [2004/08/04 06:00:00 | 000,045,568 | ---- | M] (Microsoft Corporation)
"UserDebuggerHotKey" = 0

< HKLM\Software\Microsoft\Windows NT\CurrentVersion\InitFileMapping >

< HKLM\Software\Policies\Microsoft\Windows\System\Scripts >

< HKLM\System\CurrentControlSet\Control\ServiceControlManagerExtension >

< HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath >

< HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters >

< HKLM\System\CurrentControlSet\Control\Print\Monitors >

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors\BJ Language Monitor]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors\EPSON Stylus Photo RX580 Series 32MonitorBA]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors\hpzsnt10]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors\Local Port]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors\Microsoft Document Imaging Writer Monitor]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors\Microsoft Shared Fax Monitor]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors\PJL Language Monitor]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors\USB Monitor]

< HKLM\System\CurrentControlSet\Control\SafeBoot\AlternateShell >

< HKLM\System\CurrentControlSet\Control\SafeBoot\Option\UseAlternateShell >

< HKLM\System\CurrentControlSet\Control\Session Manager\Execute >

< HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute >

< HKLM\System\CurrentControlSet\Control\WOW\cmdline >

< HKLM\System\CurrentControlSet\Control\WOW\wowcmdline >

< type %USERPROFILE%\AppData\Local\Microsoft\Windows Sidebar\Settings.ini /c >

< HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState >

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot >
"AlternateShell" = cmd.exe -- [2004/08/04 06:00:00 | 000,388,608 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]


< MD5 for: TCPIP.SYS >
[2004/08/04 06:00:00 | 000,359,040 | ---- | M] (Microsoft Corporation) MD5=9F4B36614A0FC234525BA224957DE55C -- C:\i386\tcpip.sys
[2011/07/25 19:10:33 | 000,359,040 | ---- | M] (Microsoft Corporation) MD5=C81D6A930A7805F6DAA0C7902B99037E -- C:\WINDOWS\system32\drivers\tcpip.sys

< MD5 for: TERMDD.SYS >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:termdd.sys
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:termdd.sys
[2004/08/04 02:01:08 | 000,040,840 | ---- | M] (Microsoft Corporation) MD5=A540A99C281D933F3D69D55E48727F47 -- C:\i386\termdd.sys
[2011/07/15 22:04:20 | 000,040,840 | ---- | M] (Microsoft Corporation) MD5=A540A99C281D933F3D69D55E48727F47 -- C:\WINDOWS\system32\drivers\termdd.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:62E2D794

< End of report >
  • 0
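The "< MD5 for: ... >" blocks in the log above list every copy of a driver OTL can find (the C:\i386 install source, the driver cache, the live copy under system32\drivers) with its hash; tcpip.sys shows the live copy differing from the source copy at identical size, while termdd.sys matches. The following added Python script (not OTL's, TDSSKiller's or the thread's own code) parses such blocks, flags live drivers whose hash matches none of the pristine copies, and checks a later TDSSKiller line against the same reference hashes to confirm a restore; the sample text is copied from the logs in this thread.

```python
"""Cross-check driver hashes from OTL '< MD5 for: ... >' sections.

A live driver whose MD5 matches none of the pristine copies, while keeping
the same size and carrying a recent modification time, is the in-place
overwrite that a file-infecting rootkit leaves behind.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in OTL's own format, copied from the log above.
OTL_SAMPLE = r"""
< MD5 for: TCPIP.SYS >
[2004/08/04 06:00:00 | 000,359,040 | ---- | M] (Microsoft Corporation) MD5=9F4B36614A0FC234525BA224957DE55C -- C:\i386\tcpip.sys
[2011/07/25 19:10:33 | 000,359,040 | ---- | M] (Microsoft Corporation) MD5=C81D6A930A7805F6DAA0C7902B99037E -- C:\WINDOWS\system32\drivers\tcpip.sys

< MD5 for: TERMDD.SYS >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:termdd.sys
[2004/08/04 02:01:08 | 000,040,840 | ---- | M] (Microsoft Corporation) MD5=A540A99C281D933F3D69D55E48727F47 -- C:\i386\termdd.sys
[2011/07/15 22:04:20 | 000,040,840 | ---- | M] (Microsoft Corporation) MD5=A540A99C281D933F3D69D55E48727F47 -- C:\WINDOWS\system32\drivers\termdd.sys
"""

# TDSSKiller line from the later scan in this thread, after the /replace fix.
TDSS_SAMPLE = r"2011/08/21 03:17:28.0562 3600 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys"

SECTION_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
# [mtime | size | attrs | M] (company) [MD5=...] [free text] -- path
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| \S+ \| \w\] "
    r"\((?P<company>[^)]*)\)\s*(?:MD5=(?P<md5>[0-9A-Fa-f]{32}))?.*? -- (?P<path>.+)$"
)
# timestamp pid ServiceName (md5) path
TDSS_RE = re.compile(r"^\S+ \S+ \d+ (?P<svc>\S+) \((?P<md5>[0-9A-Fa-f]{32})\) (?P<path>.+)$")


@dataclass
class Copy:
    mtime: str
    size: int
    company: str
    md5: Optional[str]   # None for .cab members, which OTL does not hash
    path: str

    @property
    def is_live(self) -> bool:
        # The copy Windows actually loads sits under %SystemRoot%\system32.
        return "\\system32\\" in self.path.lower()


@dataclass
class Finding:
    driver: str
    live_path: str
    live_md5: Optional[str]
    reference_md5s: List[str]
    same_size: bool       # same size as a pristine copy: patched in place


def parse_otl_md5(text: str) -> Dict[str, List[Copy]]:
    """Group OTL entry lines under their '< MD5 for: NAME >' heading."""
    sections: Dict[str, List[Copy]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            current = m["name"].upper()
            sections[current] = []
        elif current and (m := ENTRY_RE.match(line)):
            md5 = m["md5"].upper() if m["md5"] else None
            size = int(m["size"].replace(",", ""))
            sections[current].append(Copy(m["mtime"], size, m["company"], md5, m["path"]))
    return sections


def find_tampered(sections: Dict[str, List[Copy]]) -> List[Finding]:
    """Flag live drivers whose MD5 matches none of the hashed pristine copies."""
    findings: List[Finding] = []
    for name, copies in sections.items():
        refs = [c for c in copies if not c.is_live and c.md5]
        ref_md5s = sorted({c.md5 for c in refs})
        for live in (c for c in copies if c.is_live):
            if not ref_md5s or live.md5 in ref_md5s:
                continue
            same_size = any(c.size == live.size for c in refs)
            findings.append(Finding(name, live.path, live.md5, ref_md5s, same_size))
    return findings


def verify_restored(tdss_line: str, sections: Dict[str, List[Copy]]) -> bool:
    """After the live driver is replaced from the install source, the hash a
    later TDSSKiller scan reports should equal one of the reference hashes."""
    m = TDSS_RE.match(tdss_line.strip())
    if not m:
        raise ValueError("not a TDSSKiller driver line")
    name = m["path"].rsplit("\\", 1)[-1].upper()
    refs = {c.md5 for c in sections.get(name, []) if c.md5 and not c.is_live}
    return m["md5"].upper() in refs


if __name__ == "__main__":
    secs = parse_otl_md5(OTL_SAMPLE)
    for f in find_tampered(secs):
        print(f"{f.driver}: live {f.live_md5} at {f.live_path} matches none of "
              f"{f.reference_md5s} (same size as pristine copy: {f.same_size})")
    print("tcpip.sys restored:", verify_restored(TDSS_SAMPLE, secs))
```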

#18
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
For what it's worth, this all happened on Tuesday afternoon.

Whenever I get one of these, I can tell it's happening, and usually stop it cold. Usually it's when I am on a dubious website; the browser slows, crashes, and then a quick check of Task Manager shows Adobe just started. I stop the browser and Adobe, then look under "c/documents and settings/ me / ./...

then either "apps" or "local", then "apps". And I'll see something suspicious. After deleting that, and maybe Malwarebytes, all is well. So...


This is the file I am suspicious of...

"[2011/08/16 17:02:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\pL15401GdHlG15401"




For what it's worth. You're the expert. Not me. I'm just saying.
  • 0

#19
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
Ugh. I just noticed the "MD5 for: TCPIP.SYS" stuff.

I feel like if I go out into the kitchen right now, I'll find some Ukrainians going through the fridge or something, you know?

  • 0

#20
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
"ZeroAccess Rootkit Guards Itself with a Tripwire "

http://malwaretips.c...with-a-Tripwire

"The latest generation of a rapidly evolving family of kernel-mode rootkits called, variously, ZeroAccess or Max++, seems to get more powerful and effective with each new variant. The rootkit infects a random system driver, overwriting its code with its own, infected driver, and hijacks the storage driver chain in order to hide its presence on the disk. But its own self-protection mechanism is its most interesting characteristic: It lays a virtual tripwire.

I’ve written about this rootkit in a few recent blog posts and in a white paper. On an infected computer, this new driver sets up a device called \Device\svchost.exe, and stores a fake PE file called svchost.exe – get it? The path is \Device\svchost.exe\svchost.exe. The driver then attaches itself to the disk device stack. The driver creates a new system process, called svchost.exe, pointing to the path: \\Globalroot\Device\svchost.exe\svchost.exe. This fake process serves as a kind of trap, specifically looking for the types of file operations performed by security software.

When a typical security scanner tries to analyze the rootkit-created svchost.exe file, the rootkit queues an initialized APC into the scanner’s own process, then calls the ExitProcess() function — essentially forcing the scanner to kill itself. The rootkit’s effectiveness, however, is hindered by a weakness in the way the rootkit filtered disk I/O. As it turned out, we can easily bypass the filtering technique and get to the masked data. We’ve also reversed the code the rootkit uses to generate domain names it will contact for command-and-control, and have provided a list of the domains it will use in the months of July, 2011 and August, 2011 so network managers can protect themselves proactively."

======================================


You know, if I was a guy who got rid of virii all day long, I would think this was very interesting.

But if I was a web designer who wants his laptop back, I would think it sucks. :-)
  • 0

#21
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,029 posts
  • MVP
Uninstall Frostwire. It's a virus delivery mechanism as far as I'm concerned.

Copy the text in the code box by highlighting and Ctrl + c

:processes
killallprocesses

:Services
tgsrvc_verizondm
sprtsvc_verizondm
380014DB-5CCC-4339-A514AAAB6A3B43B8
SASDIFSV
SASKUTIL

:OTL
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk = C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe ()
O4 - Startup: C:\Documents and Settings\steve\Start Menu\Programs\Startup\Shortcut to SDMain.lnk = C:\Program Files\Spybot - Search & Destroy\SDMain.exe (Safer Networking Ltd.)
NetSvcs: tghpunaf - File not found

:files
C:\WINDOWS\system32\drivers\tcpip.sys|C:\i386\tcpip.sys /replace
C:\WINDOWS\system32\drivers\termdd.sys|C:\i386\termdd.sys /replace
c:\documents and settings\All Users\Application Data\pL15401GdHlG15401
c:\windows\TEMP\1DB.tmp 

:Commands
[EMPTYTEMP]
[purity]
[Reboot]

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Run ComboFix again and post the log.

Were you able to run aswMBR?

Can I see the latest TDSSKiller log?

I'm about ready to go to bed. It's almost midnight here. It looks like you do not have a working antivirus. Just some remnants of Symantec.

Download and save the free Avast installer.
http://www.avast.com...ivirus-download
Download and save the Norton Removal Tool.
ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe
Uninstall Symantec (save the product license key in case you decide to reinstall it: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN&ln=en_US).

Run the Norton Removal tool.

Reboot

Install Avast. (They will try to talk you into buying the full product, but the free version is what we want.)

Click on the Avast ball. Then click on Additional Protections, then on AutoSandbox, then on Settings, then uncheck Enable AutoSandbox. OK.
Just before you go to bed:
Click on the Avast ball. Then click on Scan Computer, then on Boot-Time Scan, then on Settings. Change the Ask at the bottom to Move to Chest. OK, then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load Windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report, then View Results. How many did it find?

Ron
  • 0

#22
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
Uninstall Frostwire. It's a virus delivery mechanism as far as I'm concerned.


It's a very nice record store as far as I am concerned. :-) But, well, all right. You're my idol, so I'll uninstall it.

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Run ComboFix again and post the log.

Were you able to run aswMBR?

Can I see the latest TDSSKiller log?


Yes, and yes. They just said nothing found. But you can see whatever you want. It's 3 in the morning and you are helping me for free because you're a nice guy. You can see whatever you want. Give me a minute.
  • 0

#23
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
Uninstall Frostwire. It's a virus delivery mechanism as far as I'm concerned.


I'm going to, but I'll tell you, it's never gotten me. Not once. It's always a website that uses a dropper via Adobe Reader. Always. Just as the guy described above.

But yeah, just for you, Frostwire is going buh-bye.
  • 0

#24
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,029 posts
  • MVP
I had OTL try and remove

"[2011/08/16 17:02:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\pL15401GdHlG15401"

on the first pass and it claimed it couldn't find it. Probably something to do with the way this thing hides stuff. See if you can create a file in Notepad (just type anything like "junk" in the text) and save it to C:\Documents and Settings\All Users\Application Data\ as "pL15401GdHlG15401". OK.

(Can't have a file and a folder with the same name)

Ron
  • 0

#25
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
on the first pass and it claimed it couldn't find it. Probably something to do with the way this thing hides stuff. See if you can create a file in Notepad (just type anything like "junk" in the text) and save it to C:\Documents and Settings\All Users\Application Data\ as "pL15401GdHlG15401". OK.

(Can't have a file and a folder with the same name)



OK. Gotcha. Clever.

----
  • 0

#26
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
2011/08/21 03:15:45.0953 3544 TDSS rootkit removing tool 2.5.16.0 Aug 19 2011 17:48:17
2011/08/21 03:15:46.0000 3544 ================================================================================
2011/08/21 03:15:46.0000 3544 SystemInfo:
2011/08/21 03:15:46.0000 3544
2011/08/21 03:15:46.0000 3544 OS Version: 5.1.2600 ServicePack: 2.0
2011/08/21 03:15:46.0000 3544 Product type: Workstation
2011/08/21 03:15:46.0000 3544 ComputerName: D6YKGDD1
2011/08/21 03:15:46.0000 3544 UserName: steve
2011/08/21 03:15:46.0000 3544 Windows directory: C:\WINDOWS
2011/08/21 03:15:46.0000 3544 System windows directory: C:\WINDOWS
2011/08/21 03:15:46.0000 3544 Processor architecture: Intel x86
2011/08/21 03:15:46.0000 3544 Number of processors: 2
2011/08/21 03:15:46.0000 3544 Page size: 0x1000
2011/08/21 03:15:46.0000 3544 Boot type: Normal boot
2011/08/21 03:15:46.0000 3544 ================================================================================
2011/08/21 03:15:48.0171 3544 Initialize success
2011/08/21 03:15:49.0765 3600 ================================================================================
2011/08/21 03:15:49.0765 3600 Scan started
2011/08/21 03:15:49.0765 3600 Mode: Manual;
2011/08/21 03:15:49.0765 3600 ================================================================================
2011/08/21 03:15:51.0703 3600 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/08/21 03:15:52.0218 3600 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/21 03:15:52.0796 3600 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/08/21 03:15:53.0578 3600 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/08/21 03:15:54.0296 3600 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2011/08/21 03:15:54.0875 3600 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys
2011/08/21 03:15:55.0390 3600 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2011/08/21 03:15:55.0953 3600 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/08/21 03:15:56.0437 3600 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/08/21 03:15:56.0890 3600 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/08/21 03:15:57.0359 3600 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/08/21 03:15:57.0843 3600 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/08/21 03:15:58.0328 3600 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/08/21 03:15:58.0765 3600 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/08/21 03:15:59.0218 3600 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/08/21 03:15:59.0671 3600 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/08/21 03:16:00.0125 3600 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
2011/08/21 03:16:00.0578 3600 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/08/21 03:16:01.0062 3600 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/08/21 03:16:01.0515 3600 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/08/21 03:16:01.0984 3600 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/08/21 03:16:02.0562 3600 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/08/21 03:16:03.0062 3600 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/08/21 03:16:03.0843 3600 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/08/21 03:16:04.0234 3600 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/08/21 03:16:05.0062 3600 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2011/08/21 03:16:05.0875 3600 bcm4sbxp (cd4646067cc7dcba1907fa0acf7e3966) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
2011/08/21 03:16:06.0328 3600 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/08/21 03:16:06.0781 3600 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/08/21 03:16:07.0218 3600 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/08/21 03:16:07.0687 3600 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/08/21 03:16:08.0078 3600 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/08/21 03:16:08.0578 3600 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/08/21 03:16:09.0125 3600 Cdrom (882b4257e5a5adfb6b5c03e8a02d4bf1) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/08/21 03:16:09.0968 3600 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/08/21 03:16:10.0359 3600 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/08/21 03:16:10.0765 3600 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/08/21 03:16:11.0234 3600 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/08/21 03:16:11.0781 3600 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/08/21 03:16:12.0343 3600 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/08/21 03:16:12.0812 3600 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/08/21 03:16:13.0703 3600 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/08/21 03:16:14.0703 3600 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2011/08/21 03:16:15.0234 3600 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/08/21 03:16:15.0671 3600 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/08/21 03:16:16.0187 3600 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/08/21 03:16:16.0640 3600 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/08/21 03:16:17.0093 3600 DXEC02 (0c8762b91b967a91373e0e022b62acfc) C:\WINDOWS\system32\drivers\dxec02.sys
2011/08/21 03:16:17.0671 3600 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/08/21 03:16:18.0234 3600 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/08/21 03:16:18.0812 3600 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/08/21 03:16:19.0265 3600 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/08/21 03:16:19.0656 3600 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/08/21 03:16:20.0156 3600 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/08/21 03:16:20.0687 3600 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/08/21 03:16:21.0187 3600 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/08/21 03:16:21.0718 3600 GEARAspiWDM (ab8a6a87d9d7255c3884d5b9541a6e80) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/08/21 03:16:22.0125 3600 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/08/21 03:16:22.0703 3600 HDAudBus (e31363d186b3e1d7c4e9117884a6aee5) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/08/21 03:16:23.0109 3600 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/08/21 03:16:23.0500 3600 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/08/21 03:16:24.0078 3600 HSFHWAZL (b1526810210980bed9d22315946c919d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2011/08/21 03:16:25.0296 3600 HSF_DPV (ddbd528e60f5961c142a490dc4ea7780) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/08/21 03:16:26.0484 3600 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/08/21 03:16:27.0031 3600 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/08/21 03:16:27.0453 3600 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/08/21 03:16:27.0906 3600 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/08/21 03:16:28.0500 3600 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\WINDOWS\system32\drivers\iaStor.sys
2011/08/21 03:16:29.0125 3600 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/08/21 03:16:29.0609 3600 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/08/21 03:16:30.0046 3600 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/08/21 03:16:30.0453 3600 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/08/21 03:16:30.0921 3600 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/08/21 03:16:31.0406 3600 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/08/21 03:16:31.0859 3600 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/08/21 03:16:32.0375 3600 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/08/21 03:16:33.0296 3600 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/08/21 03:16:33.0781 3600 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/08/21 03:16:34.0265 3600 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/08/21 03:16:34.0859 3600 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2011/08/21 03:16:35.0437 3600 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/08/21 03:16:36.0375 3600 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/08/21 03:16:36.0812 3600 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/08/21 03:16:37.0203 3600 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/08/21 03:16:37.0609 3600 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/08/21 03:16:38.0000 3600 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/08/21 03:16:38.0390 3600 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/08/21 03:16:38.0781 3600 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/08/21 03:16:39.0312 3600 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/08/21 03:16:40.0156 3600 MRxSmb (5ddc9a1b2eb5a4bf010ce8c019a18c1f) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/08/21 03:16:40.0875 3600 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/08/21 03:16:41.0343 3600 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/08/21 03:16:41.0718 3600 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/08/21 03:16:42.0109 3600 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/08/21 03:16:42.0484 3600 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/08/21 03:16:43.0031 3600 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/08/21 03:16:43.0703 3600 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/08/21 03:16:44.0296 3600 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/08/21 03:16:44.0750 3600 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/08/21 03:16:45.0250 3600 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/08/21 03:16:45.0828 3600 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/08/21 03:16:46.0312 3600 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/08/21 03:16:46.0875 3600 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/08/21 03:16:47.0468 3600 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/08/21 03:16:47.0921 3600 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/08/21 03:16:48.0750 3600 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/08/21 03:16:49.0546 3600 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/08/21 03:16:54.0046 3600 nv (e531eaa795a273fc70c9de3f195069c8) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/08/21 03:16:58.0468 3600 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/08/21 03:16:58.0875 3600 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/08/21 03:16:59.0296 3600 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/08/21 03:16:59.0828 3600 Packet (8f856dae19383bd69db444004d5d4f50) C:\WINDOWS\system32\DRIVERS\packet.sys
2011/08/21 03:17:00.0265 3600 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/08/21 03:17:00.0750 3600 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/08/21 03:17:01.0187 3600 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/08/21 03:17:01.0703 3600 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/08/21 03:17:02.0609 3600 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/08/21 03:17:03.0109 3600 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/08/21 03:17:03.0703 3600 Pcouffin (cd2425fd848e5fa09c9a213da56817a9) C:\WINDOWS\system32\Drivers\Pcouffin.sys
2011/08/21 03:17:05.0390 3600 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/08/21 03:17:05.0812 3600 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/08/21 03:17:06.0234 3600 Point32 (f754b09a839719575328f707693a919d) C:\WINDOWS\system32\DRIVERS\point32.sys
2011/08/21 03:17:06.0671 3600 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/08/21 03:17:07.0187 3600 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/08/21 03:17:07.0734 3600 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/08/21 03:17:08.0203 3600 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/08/21 03:17:08.0640 3600 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/08/21 03:17:09.0109 3600 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/08/21 03:17:09.0531 3600 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/08/21 03:17:10.0000 3600 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/08/21 03:17:10.0468 3600 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/08/21 03:17:10.0953 3600 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/08/21 03:17:11.0468 3600 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/08/21 03:17:11.0953 3600 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/08/21 03:17:12.0531 3600 Rdbss (809ca45caa9072b3176ad44579d7f688) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/08/21 03:17:13.0078 3600 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/08/21 03:17:13.0609 3600 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/08/21 03:17:14.0250 3600 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/08/21 03:17:15.0156 3600 rimmptsk (d85e3fa9f5b1f29bb4ed185c450d1470) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
2011/08/21 03:17:15.0546 3600 rimsptsk (db8eb01c58c9fada00c70b1775278ae0) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
2011/08/21 03:17:16.0000 3600 RIOUNIV (f772c4ba29f4117d15c66f63d010d9f0) C:\WINDOWS\system32\Drivers\RIOUNIV.sys
2011/08/21 03:17:16.0390 3600 rismxdp (6c1f93c0760c9f79a1869d07233df39d) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
2011/08/21 03:17:16.0921 3600 sdbus (d3dc16b8d62d508a5c69c22b4e9871d1) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/08/21 03:17:17.0375 3600 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/08/21 03:17:17.0765 3600 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/08/21 03:17:18.0250 3600 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/08/21 03:17:18.0781 3600 sffdisk (2741c291e33d5ac6b3e79d84f197555d) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
2011/08/21 03:17:19.0218 3600 sffp_sd (15ee034b33fce5650d8b2cdd46a62bbb) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
2011/08/21 03:17:19.0687 3600 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/08/21 03:17:20.0546 3600 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/08/21 03:17:21.0000 3600 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/08/21 03:17:21.0437 3600 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2011/08/21 03:17:21.0890 3600 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/08/21 03:17:22.0515 3600 Srv (ea554a3ffc3f536fe8320eb38f5e4843) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/08/21 03:17:23.0937 3600 STHDA (58f855684e163466a5c565adf0865536) C:\WINDOWS\system32\drivers\sthda.sys
2011/08/21 03:17:24.0328 3600 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/08/21 03:17:24.0843 3600 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/08/21 03:17:25.0250 3600 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/08/21 03:17:25.0640 3600 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/08/21 03:17:25.0875 3600 SymEvent (9c4737086dee2d302d5d2d69478f6611) C:\Program Files\Symantec\SYMEVENT.SYS
2011/08/21 03:17:26.0421 3600 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/08/21 03:17:26.0812 3600 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/08/21 03:17:27.0328 3600 SynTP (936cd58395d36659bb798b961ef7357f) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/08/21 03:17:27.0890 3600 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/08/21 03:17:28.0562 3600 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/08/21 03:17:29.0187 3600 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/08/21 03:17:29.0656 3600 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/08/21 03:17:30.0093 3600 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/08/21 03:17:30.0531 3600 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/08/21 03:17:31.0015 3600 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/08/21 03:17:31.0531 3600 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/08/21 03:17:32.0109 3600 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2011/08/21 03:17:32.0765 3600 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/08/21 03:17:33.0171 3600 usbehci (708579b01fed227aadb393cb0c3b4a2c) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/08/21 03:17:33.0671 3600 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/08/21 03:17:34.0218 3600 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/08/21 03:17:34.0796 3600 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/08/21 03:17:35.0203 3600 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/08/21 03:17:35.0578 3600 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/08/21 03:17:36.0031 3600 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/08/21 03:17:36.0437 3600 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/08/21 03:17:36.0828 3600 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/08/21 03:17:37.0312 3600 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/08/21 03:17:37.0734 3600 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/08/21 03:17:38.0578 3600 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/08/21 03:17:39.0546 3600 winachsf (96aff1738271755a39b52eef7e35f98f) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/08/21 03:17:40.0421 3600 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/08/21 03:17:40.0671 3600 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/08/21 03:17:41.0046 3600 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR4
2011/08/21 03:17:41.0062 3600 Boot (0x1200) (af51cc17e9ea309ca5bc543d5d16f20a) \Device\Harddisk0\DR0\Partition0
2011/08/21 03:17:41.0078 3600 Boot (0x1200) (2ccd7f4c1cebc88cc16690560d11601a) \Device\Harddisk1\DR4\Partition0
2011/08/21 03:17:41.0093 3600 ================================================================================
2011/08/21 03:17:41.0093 3600 Scan finished
2011/08/21 03:17:41.0093 3600 ================================================================================
2011/08/21 03:17:41.0125 3592 Detected object count: 0
2011/08/21 03:17:41.0125 3592 Actual detected object count: 0



==========


All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
Service tgsrvc_verizondm stopped successfully!
Service tgsrvc_verizondm deleted successfully!
Service sprtsvc_verizondm stopped successfully!
Service sprtsvc_verizondm deleted successfully!
Error: No service named 380014DB-5CCC-4339-A514AAAB6A3B43B8 was found to stop!
Service\Driver key 380014DB-5CCC-4339-A514AAAB6A3B43B8 not found.
Service SASDIFSV stopped successfully!
Service SASDIFSV deleted successfully!
Service SASKUTIL stopped successfully!
Service SASKUTIL deleted successfully!
========== OTL ==========
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk moved successfully.
C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe moved successfully.
C:\Documents and Settings\steve\Start Menu\Programs\Startup\Shortcut to SDMain.lnk moved successfully.
C:\Program Files\Spybot - Search & Destroy\SDMain.exe moved successfully.
tghpunaf removed from NetSvcs value successfully!
========== FILES ==========
File C:\WINDOWS\system32\drivers\tcpip.sys successfully replaced with C:\i386\tcpip.sys
File C:\WINDOWS\system32\drivers\termdd.sys successfully replaced with C:\i386\termdd.sys
c:\documents and settings\All Users\Application Data\pL15401GdHlG15401 folder moved successfully.
File\Folder c:\windows\TEMP\1DB.tmp not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 3089 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 604 bytes

User: steve
->Temp folder emptied: 11464093 bytes
->Temporary Internet Files folder emptied: 327706 bytes
->Java cache emptied: 2715 bytes
->FireFox cache emptied: 172315197 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1916152 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 70958 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 178.00 mb


OTL by OldTimer - Version 3.2.26.5 log created on 08212011_030527

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\steve\Local Settings\Temp\Temporary Directory 9 for tdsskiller.zip\TDSSKiller.exe not found!
File\Folder C:\Documents and Settings\steve\Local Settings\Temp\Temporary Directory 8 for tdsskiller.zip\TDSSKiller.exe not found!
File\Folder C:\Documents and Settings\steve\Local Settings\Temp\Temporary Directory 7 for tdsskiller.zip\TDSSKiller.exe not found!
File\Folder C:\Documents and Settings\steve\Local Settings\Temp\Temporary Directory 6 for tdsskiller.zip\TDSSKiller.exe not found!
File\Folder C:\Documents and Settings\steve\Local Settings\Temp\Temporary Directory 5 for tdsskiller.zip\TDSSKiller.exe not found!
File\Folder C:\Documents and Settings\steve\Local Settings\Temp\Temporary Directory 4 for tdsskiller.zip\TDSSKiller.exe not found!
File\Folder C:\Documents and Settings\steve\Local Settings\Temp\Temporary Directory 3 for tdsskiller.zip\TDSSKiller.exe not found!
File\Folder C:\Documents and Settings\steve\Local Settings\Temp\Temporary Directory 10 for tdsskiller.zip\TDSSKiller.exe not found!

Registry entries deleted on Reboot...

_________________________________________________________



Keep in mind this one didn't have the latest update, but here it is anyway...





aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-08-21 01:17:45
-----------------------------
01:17:45.515 OS Version: Windows 5.1.2600 Service Pack 2
01:17:45.515 Number of processors: 2 586 0xF0D
01:17:45.515 ComputerName: D6YKGDD1 UserName: steve
01:17:49.515 Initialize success
01:18:01.953 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
01:18:01.953 Disk 0 Vendor: ST9120822AS 3.CDD Size: 114473MB BusType: 3
01:18:02.046 Disk 0 MBR read successfully
01:18:02.046 Disk 0 MBR scan
01:18:02.046 Disk 0 Windows XP default MBR code
01:18:02.078 Disk 0 scanning sectors +234436545
01:18:02.296 Disk 0 scanning C:\WINDOWS\system32\drivers
01:18:23.171 Service scanning
01:18:27.453 Modules scanning
01:18:52.890 Disk 0 trace - called modules:
01:18:52.984 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
01:18:52.984 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x867c9ab8]
01:18:52.984 3 CLASSPNP.SYS[f765305b] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x86779940]
01:18:52.984 Scan finished successfully
01:19:30.734 Disk 0 MBR has been saved successfully to "F:\geekstogo\MBR.dat"
01:19:30.734 The log file has been saved successfully to "F:\geekstogo\aswMBR.txt"

#27
rootkits-r-evil
Topic Starter | Member | 168 posts
on the first pass and it claimed it couldn't find it. Probably something to do with the way this thing hides stuff. See if you can create a file in notepad (just type anything like "junk" in the text) and save it to C:\Documents and Settings\All Users\Application Data\ as "pL15401GdHlG15401" OK

(Can't have a file and a folder with the same name)



It let me do it. But I noticed something. Can't believe I didn't see this.

At some point, all these folders became hidden, like that one. How do I turn them back on again in XP? "Folder options" somewhere, isn't it?

#28
rootkits-r-evil
Topic Starter | Member | 168 posts
I figured out how to turn hidden folders back on.


No doubt I still have this rootkit because:


1.) It is still denying me access to many programs, like Spybot.

2.) Denying me access to the Windows Firewall/ ICS or whatever.

Is this indicative of the "tripwire" they were talking about?

#29
RKinner
Malware Expert | Expert | 20,029 posts | MVP
Download, Save and Right click on unhide.exe and Run

http://download.blee...nler/unhide.exe

It will unhide things.

Since this thing lives in the MBR we need the Restore Console.

Download: http://www.microsoft...&displaylang=en

Save it to the desktop. (Combofix should also be on the desktop and not in a folder)

Drag the downloaded file over to Combofix and let go. Combofix should install the Recovery Console. It will ask your permission so please say Yes.


See if you can get into the Recovery Console. Start, Settings, Control Panel, System, Advanced, Startup and Recovery -Settings, and change the Time to Display the List of Operating Systems from two to 10 seconds. OK

Now Reboot. When it gives you a choice between your regular XP and the Recovery Console, hit the down arrow to select the Recovery Console then Enter. You should get a black screen with a C:\> prompt. Type with an Enter after each line:

map

(This one is supposed to show you all the partitions on your drive. ZeroAccess is supposed to make a hidden partition. Do you see anything besides your C: and F: drives and maybe your CD/DVD?)

exit

We could run fixmbr from the recovery console but I prefer to do it from a bootable CD so that if it kills it we can put the old one back. Get Hiren's Boot CD.

http://www.hirensbootcd.org/download/

It's a zip file so you need to right click on it and Extract All. There should be a .iso file which is what you want.

http://www.hirensbootcd.org/burning/

I usually use freeisoburner
http://www.freeisoburner.com/
to make the bootable CD.

Once you have the CD you can even put it on a USB drive.

http://www.hiren.inf...tcd-on-usb-disk

Or boot from it directly.

There should be a menu. Choose the MBR Tools.

Now choose MbrFix 1.3

Type:

MbrFix /drive 0 savembr Backup_MBR_0.bin

(This will save the current MBR in case something awful happens.

If that happens then you just run it again and do:
MbrFix /drive 0 restorembr Backup_MBR_0.bin)

(To use the standard MBR we type:)

MbrFix /drive 0 fixmbr /yes

(Then reboot.)

Ron
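The MbrFix savembr step above (and aswMBR's "MBR has been saved" line) leaves a raw 512-byte image of sector 0 on the USB stick. The script below is an added example for this thread, not code from MbrFix, aswMBR, TDSSKiller or anyone posting here. It parses such an image, computes the MD5 of the first 0x1B8 bytes (the 440 bytes of boot code, the same length TDSSKiller prints in its "MBR (0x1B8)" line), checks the 55 AA signature, and lists the partition table so that an extra entry of the kind the `map` step is meant to reveal, an overlap, or a large unallocated tail stands out. The sample image, the disk size (derived from aswMBR's "Size: 114473MB"), and the table of "expected" partition types are constructed assumptions for illustration; a known-good boot-code hash is something you supply from a clean XP install, the script has none built in.

```python
"""Audit a raw 512-byte MBR image such as Backup_MBR_0.bin (MbrFix) or MBR.dat (aswMBR).
Added example for this thread; it is not part of MbrFix, aswMBR or TDSSKiller."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 0x1B8          # 440 bytes of boot code; the length TDSSKiller prints as "MBR (0x1B8)"
PART_TABLE_OFF = 0x1BE
BOOT_SIG_OFF = 0x1FE
BOOT_SIG = 0xAA55              # bytes 55 AA on disk, read little-endian
CYLINDER_SECTORS = 255 * 63    # XP aligns partitions to CHS cylinders, so slack below this is normal

# Assumption: the partition types one expects on a Dell XP laptop like the one in the thread.
EXPECTED_TYPES = {0x00: "empty", 0x05: "Extended", 0x06: "FAT16", 0x07: "NTFS",
                  0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x0E: "FAT16 LBA", 0x0F: "Extended LBA",
                  0xDE: "Dell utility"}

# Assumption: derived from aswMBR's "Size: 114473MB" for disk 0 (114473 * 2048 sectors).
DISK_SECTORS = 114473 * 2048


def parse_mbr(mbr):
    """Return boot-code MD5, signature check and the four partition-table entries."""
    if len(mbr) < SECTOR_SIZE:
        raise ValueError("need one 512-byte sector, got %d bytes" % len(mbr))
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "status": status, "bootable": status == 0x80,
                        "type": ptype, "type_name": EXPECTED_TYPES.get(ptype, "unexpected"),
                        "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "signature_ok": struct.unpack_from("<H", mbr, BOOT_SIG_OFF)[0] == BOOT_SIG,
            "partitions": entries}


def audit_mbr(mbr, disk_sectors=DISK_SECTORS, known_good_md5=None):
    """Return a list of findings; an empty list means nothing looked odd."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature is not 55 AA")
    if known_good_md5 and info["boot_code_md5"] != known_good_md5.lower():
        findings.append("boot code MD5 %s differs from known-good %s"
                        % (info["boot_code_md5"], known_good_md5.lower()))
    used = [p for p in info["partitions"] if p["type"] != 0x00]
    for p in used:
        if p["status"] not in (0x00, 0x80):
            findings.append("entry %d has invalid status byte 0x%02X" % (p["index"], p["status"]))
        if p["type"] not in EXPECTED_TYPES:
            findings.append("entry %d has unexpected partition type 0x%02X" % (p["index"], p["type"]))
        if p["sectors"] == 0:
            findings.append("entry %d has zero length" % p["index"])
        elif p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append("entry %d extends past the end of the disk" % p["index"])
    active = sum(1 for p in used if p["bootable"])
    if active != 1:
        findings.append("expected exactly one active partition, found %d" % active)
    # Overlapping entries and a large unallocated tail are where a bootkit can hide its own volume.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in used)
    for (_, end1, i1), (start2, _, i2) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append("entries %d and %d overlap" % (i1, i2))
    if spans and disk_sectors - spans[-1][1] > CYLINDER_SECTORS:
        findings.append("%d unallocated sectors after the last partition"
                        % (disk_sectors - spans[-1][1]))
    return findings


def build_sample_mbr():
    """Constructed test image, not a real dump: an active NTFS system partition followed by a
    second entry of a type (0x1C, hidden FAT32 LBA) that has no business being on this disk."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
    disk_sig = b"\x11\x22\x33\x44\x00\x00"      # 0x1B8..0x1BD: disk signature plus padding

    def entry(status, ptype, lba_start, sectors):
        return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

    first_len = 228_000_000
    table = (entry(0x80, 0x07, 63, first_len)
             + entry(0x00, 0x1C, 63 + first_len, DISK_SECTORS - 63 - first_len)
             + entry(0, 0, 0, 0) + entry(0, 0, 0, 0))
    return boot_code + disk_sig + table + b"\x55\xAA"


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(image)
    print("boot code MD5:", info["boot_code_md5"])
    for p in info["partitions"]:
        if p["type"]:
            print("entry %d: %-10s type 0x%02X start %d sectors %d%s" % (
                p["index"], p["type_name"], p["type"], p["lba_start"], p["sectors"],
                " (active)" if p["bootable"] else ""))
    for f in audit_mbr(image) or ["no findings"]:
        print("-", f)
```

Run it as `python mbr_audit.py F:\geekstogo\Backup_MBR_0.bin` (or against MBR.dat) before deciding on fixmbr; it only reads the file and changes nothing on the disk. The boot-code hash is only meaningful next to a hash taken from a clean install of the same Windows version, and the unallocated-tail check will also fire on disks that legitimately have unpartitioned space, so treat its output as a list of things to compare against `map`, not as a verdict.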

#30
rootkits-r-evil
Topic Starter | Member | 168 posts
Hello Ron,

Nice to see you back, and thanks again for your help.

Wow, makes a new partition. This is some virus.

I can do the unhide thing, but the next step presents a problem. When you go to the Microsoft site (past experience has taught me that any time you go there you are asking for trouble), I see that it wants to make floppy disks...

"NOTE: The installation program will prompt you to provide formatted, 1.44MB floppy disks onto which the installation program will copy its files."

That is a problem. Neither of these two machines, the infected one or the one I am using to fix it- have a floppy drive. In fact, now that I think of it, I don't think I've even seen a floppy disk in years.

I understand what they are doing here (they are afraid of people pirating their wonderful OS and all), but I'm not sure what I should do here?