SID:23621 System Infected Tidserv Activity Detected [Solved]


  • This topic is locked

#16
knarf1

    Member

  • Topic Starter
  • 67 posts
I ran ComboFix again. This time no crash. It ran for over half an hour. I got a message that it had stopped running. I clicked to fix the problem and resume. Then I got a message that said that rootkit activity was found and that the computer would have to reboot. I rebooted, with no report found. But there is a big ComboFix file filled with a lot of stuff.

My Symantec Endpoint Protection is screwed up. I keep following the directions to disable it. All seems disabled, but the third of the three technologies keeps popping back on.

I did the scan in safe mode.
  • 0


#17
Homburg

    Trusted Helper

  • Malware Removal
  • 665 posts
Hi,

Sometimes ComboFix will need to be run twice to remove stubborn rootkits. Can you please run it again, preferably in safe mode with networking?

Then run aswMBR again as in my first post and post the log.

Thanks.
  • 0

#18
knarf1

    Member

  • Topic Starter
  • 67 posts
The McAfee was old, and I have uninstalled it.

I have tried to run ComboFix three times since my last message (always in safe mode). Same thing. I make sure Symantec is off. It says Symantec is on. I run ComboFix anyway. It says rootkit activity is detected and it needs to reboot the computer. At reboot I have nothing.

Do I need to uninstall Symantec?
  • 0

#19
knarf1

    Member

  • Topic Starter
  • 67 posts
I have run ComboFix a fourth and fifth time.

New message: it says I'm infected with rootkit.zeroaccess, which has inserted itself into the TCP/IP stack, a particularly difficult infection.

Then it says it needs to reboot, and nothing at startup.

Run it some more?
  • 0

#20
knarf1

    Member

  • Topic Starter
  • 67 posts
6th and 7th run: same thing.
  • 0

#21
knarf1

    Member

  • Topic Starter
  • 67 posts
10th try with Symantec uninstalled was the charm:


ComboFix 12-01-26.01 - msuman 01/26/2012 9:33.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2012.837 [GMT -8:00]
Running from: c:\users\msuman\Downloads\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {DAAC1C79-1A96-9DFE-FC4C-6940214C33E6}
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\msuman\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\.url
c:\users\msuman\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.dll
c:\users\msuman\AppData\Roaming\Microsoft\Windows\Recent\runddlkey.tmp
c:\users\msuman\Documents\~WRL3513.tmp
c:\windows\$NtUninstallKB40719$
F:\Autorun.inf
G:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-12-26 to 2012-01-26 )))))))))))))))))))))))))))))))
.
.
2012-01-26 17:43 . 2012-01-26 17:46 -------- d-----w- c:\users\msuman\AppData\Local\temp
2012-01-26 17:43 . 2012-01-26 17:43 -------- d-----w- c:\users\McAfeeMVSUser\AppData\Local\temp
2012-01-26 17:43 . 2012-01-26 17:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-26 17:13 . 2012-01-26 17:13 -------- d-----w- c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP
2012-01-26 03:18 . 2012-01-26 03:18 -------- d-----w- C:\_OTL
2012-01-26 03:11 . 2012-01-26 03:18 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-01-23 02:08 . 2012-01-23 02:08 99840 ----a-w- c:\users\msuman\AppData\Roaming\Microsoft\E20C\10D6.tmp
2012-01-23 02:08 . 2012-01-23 02:08 -------- d-----w- c:\users\msuman\AppData\Roaming\E594A
2012-01-23 02:08 . 2012-01-23 02:08 -------- d-----w- c:\users\msuman\AppData\Roaming\C4EE5
2012-01-23 02:08 . 2012-01-23 02:08 -------- d-----w- c:\users\msuman\AppData\Local\SanctionedMedia
2012-01-20 14:16 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{92A66201-376C-4C12-A529-075A46850789}\mpengine.dll
2012-01-13 01:32 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-13 01:32 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-12 02:40 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-12 02:40 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-12 02:39 . 2011-11-25 15:59 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-12 02:39 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-01-12 02:38 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-01-12 02:38 . 2011-10-25 15:58 497152 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 20:04 . 2012-01-11 20:04 -------- d-----w- c:\program files\CCleaner
2012-01-11 18:47 . 2012-01-11 18:47 -------- d-----w- c:\users\msuman\AppData\Roaming\Malwarebytes
2012-01-11 18:47 . 2012-01-11 18:47 -------- d-----w- c:\programdata\Malwarebytes
2012-01-11 18:47 . 2012-01-11 18:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-11 18:47 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-11 17:33 . 2012-01-26 17:13 -------- d-----w- C:\sh4ldr
2012-01-11 17:33 . 2012-01-11 17:33 -------- d-----w- c:\program files\Enigma Software Group
2012-01-11 17:33 . 2012-01-11 17:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-01-05 04:37 . 2012-01-05 04:37 -------- d-----w- c:\program files\iPod
2012-01-05 04:37 . 2012-01-08 01:18 -------- d-----w- c:\program files\iTunes
2012-01-03 16:22 . 2012-01-03 16:22 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 16:22 . 2012-01-03 16:22 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-26 05:52 . 2009-10-21 01:40 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-12-04 14:37 . 2011-05-16 00:08 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:37 . 2011-12-15 05:34 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-15 22:29 . 2009-10-03 14:52 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-10 13:54 . 2011-01-30 20:48 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-08 14:42 . 2011-12-15 05:33 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-03 22:47 . 2011-12-15 11:02 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40 . 2011-12-15 11:02 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39 . 2011-12-15 11:02 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31 . 2011-12-15 11:02 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-29 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-21 30192]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2011-11-05 273528]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-07-20 22:45 182808 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 22:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-08-19 06:19 6265376 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-08-19 81920]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 01:18]
.
2012-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 01:18]
.
2012-01-05 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-06-21 18:08]
.
2012-01-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1740862935-1246708322-3228964381-1001.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 20:40]
.
2012-01-26 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-06-21 18:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\msuman\AppData\Roaming\Mozilla\Firefox\Profiles\huiexf3r.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
HKU-Default-RunOnce-AutoLaunch - c:\program files\Lavasoft\Ad-Aware\AutoLaunch.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,df,eb,10,7d,de,e1,57,48,b6,1e,d1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,df,eb,10,7d,de,e1,57,48,b6,1e,d1,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
.
**************************************************************************
.
Completion time: 2012-01-26 09:52:08 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-26 17:52
.
Pre-Run: 131,125,874,688 bytes free
Post-Run: 130,875,305,984 bytes free
.
- - End Of File - - B34E904ECEE8C1D53C70FF53270A2207
  • 0

#22
knarf1

    Member

  • Topic Starter
  • 67 posts
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Basic Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Vostro 220 Series
Logical Drives Mask: 0x0000007c

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`83700000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`03700000 (NTFS)
\\.\F: --> \\.\PhysicalDrive2 at offset 0x00000000`00100000 (NTFS)
\\.\G: --> \\.\PhysicalDrive1 at offset 0x00000000`00100000 (NTFS)

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows Vista MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979
2794 GB \\.\PhysicalDrive2 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
931 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
Press ENTER to exit...
  • 0

#23
knarf1

    Member

  • Topic Starter
  • 67 posts
Thanks for your patience with me.
Is that what you needed?
  • 0

#24
knarf1

    Member

  • Topic Starter
  • 67 posts
...and wondering why it says "Symantec Endpoint Protection *Enabled" after I uninstalled it.

hmmm

Edited by knarf1, 26 January 2012 - 12:38 PM.

  • 0

#25
Homburg

    Trusted Helper

  • Malware Removal
  • 665 posts
Hi,

Quite often Norton/Symantec requires an uninstall tool to remove it all, but as we got the ComboFix log we can leave it like that for now.

It looks like you are running two anti-virus programs. Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slowly, become unstable and even, in rare cases, crash.

If you choose to install more than one anti-virus program on your computer, then only one of them should be active in memory at a time. Now that you have uninstalled Symantec you might want to just leave Lavasoft, or when we've finished remove that and reinstall Symantec. :thumbsup:

Please do the following:

Step 1:

Open OTL again.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in

    /md5start
    netbt.sys
    consrv.dll
    /md5stop
    c:\users\msuman\AppData\Roaming\E594A\*.* /s
    c:\users\msuman\AppData\Roaming\C4EE5\*.* /s
    CREATERESTOREPOINT


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a Notepad window, OTL.Txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the content of this file, and post it in your topic.


Step 2:

Run another aswMBR scan

Double click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan click "Save log", save it to your desktop and post it in your next reply.
  • 0
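The ComboFix "Files Created" and "Find3M" lines in post #21, together with Homburg's request above to hash netbt.sys and list the two odd folders under AppData\Roaming, are the raw material a malware-removal helper triages by eye. The Python below is an added example, not code from this thread or from the ComboFix/OTL tools: it parses entry lines of that format and applies three simple rules (a file under system32\drivers written shortly before the scan, a new directory directly under AppData\Roaming, a new .tmp file under AppData\Roaming). The five sample lines are copied from the posted log and the scan time is the log's completion time; the 7-day window, the rule set, and the reading of the two timestamps as modified/created are this example's assumptions, not thresholds the thread states.

```python
import re
from datetime import datetime, timedelta

# ComboFix prints one entry per line:
#   <timestamp1> . <timestamp2> <size|--------> <attributes> <path>
# This example treats the first timestamp as last-modified and the second as
# creation time (an assumption about the log format, not stated in the thread).
# The rules below only use whichever of the two is newest, so the result does
# not depend on that assumption.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-+) (\S+) (.+)$"
)
TS_FMT = "%Y-%m-%d %H:%M"

# Sample input: five entry lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2012-01-26 05:52 . 2009-10-21 01:40 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-01-23 02:08 . 2012-01-23 02:08 99840 ----a-w- c:\users\msuman\AppData\Roaming\Microsoft\E20C\10D6.tmp
2012-01-23 02:08 . 2012-01-23 02:08 -------- d-----w- c:\users\msuman\AppData\Roaming\E594A
2012-01-11 18:47 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:37 . 2011-12-15 05:34 2043904 ----a-w- c:\windows\system32\win32k.sys
"""


def parse_entries(text):
    """Return a dict per line that matches the ComboFix entry format."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # section banners, lone dots and blank lines are skipped
        ts1, ts2, size, attrs, path = m.groups()
        entries.append({
            "modified": datetime.strptime(ts1, TS_FMT),
            "created": datetime.strptime(ts2, TS_FMT),
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs.startswith("d"),
            "path": path,
        })
    return entries


def flag_entries(entries, scan_time, window_days=7):
    """Apply three triage rules; return (entry, reason) pairs."""
    cutoff = scan_time - timedelta(days=window_days)
    flagged = []
    for e in entries:
        newest = max(e["modified"], e["created"])
        if newest < cutoff:
            continue  # nothing touched recently: out of scope for all rules
        p = e["path"].lower()
        if "\\system32\\drivers\\" in p and not e["is_dir"]:
            flagged.append((e, "system driver written within %d days of the scan"
                            % window_days))
        elif "\\appdata\\roaming\\" in p:
            tail = p.split("\\appdata\\roaming\\", 1)[1]
            if e["is_dir"] and "\\" not in tail:
                flagged.append((e, "new directory directly under AppData\\Roaming"))
            elif p.endswith(".tmp"):
                flagged.append((e, "new .tmp file under AppData\\Roaming"))
    return flagged


def triage(log_text, scan_time_str, window_days=7):
    """Parse, flag, and return (file-or-directory name, reason) pairs."""
    scan_time = datetime.strptime(scan_time_str, "%Y-%m-%d %H:%M:%S")
    return [(e["path"].rsplit("\\", 1)[-1], reason)
            for e, reason in flag_entries(parse_entries(log_text), scan_time,
                                          window_days)]


if __name__ == "__main__":
    # "Completion time" from the posted log, used as the reference point.
    for name, reason in triage(SAMPLE_LOG, "2012-01-26 09:52:08"):
        print("%-12s %s" % (name, reason))
```

Run against the sample, the rules pick out netbt.sys, 10D6.tmp and E594A and leave mbam.sys and win32k.sys alone, which matches the items Homburg asks to look at next. The rules are deliberately narrow; anything they flag still has to be confirmed by hashing the file (as the /md5start block does) or by inspecting it, since a legitimately updated driver also trips the first rule.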


#26
knarf1

    Member

  • Topic Starter
  • 67 posts
OTL logfile created on: 1/26/2012 11:07:30 AM - Run 3
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\msuman\Downloads
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.97 Gb Total Physical Memory | 1.03 Gb Available Physical Memory | 52.22% Memory free
4.16 Gb Paging File | 3.10 Gb Available in Paging File | 74.46% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222.78 Gb Total Space | 121.90 Gb Free Space | 54.72% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.74 Gb Free Space | 57.43% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive F: | 2794.52 Gb Total Space | 2367.15 Gb Free Space | 84.71% Space Free | Partition Type: NTFS
Drive G: | 931.51 Gb Total Space | 380.13 Gb Free Space | 40.81% Space Free | Partition Type: NTFS

Computer Name: MSUMAN-PC | User Name: msuman | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/25 06:20:17 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\msuman\Downloads\OTL.exe
PRC - [2011/12/24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/11/04 19:48:26 | 000,273,528 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2011/10/19 08:31:51 | 000,247,968 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashUtil11c_ActiveX.exe
PRC - [2009/04/10 22:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/08/18 22:19:38 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AERTSrv.exe
PRC - [2008/07/20 14:45:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe


========== Modules (No Company Name) ==========

MOD - [2011/06/24 21:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 21:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2011/12/24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/08/18 22:19:38 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AERTSrv.exe -- (AERTFilters)
SRV - [2008/07/20 14:45:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®


========== Driver Services (SafeList) ==========

DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2008/12/23 03:47:52 | 000,138,240 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/08/26 09:55:14 | 000,112,128 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®
DRV - [2008/08/18 23:03:28 | 000,079,960 | ---- | M] (JMicron Technology Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\jraid.sys -- (JRAID)
DRV - [2008/06/10 12:04:26 | 000,033,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\point32k.sys -- (Point32)
DRV - [2008/01/20 18:32:51 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2006/11/01 23:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1740862935-1246708322-3228964381-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
IE - HKU\S-1-5-21-1740862935-1246708322-3228964381-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1740862935-1246708322-3228964381-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.7
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}:6.0.30
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 59273

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.669: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.669: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\[email protected]/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Yahoo!\Common\npyaxmpb.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/01/11 08:30:28 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.25\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/04 13:22:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.25\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/21 21:08:54 | 000,000,000 | ---D | M]

[2011/01/14 18:40:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\msuman\AppData\Roaming\Mozilla\Extensions
[2012/01/26 05:50:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\msuman\AppData\Roaming\Mozilla\Firefox\Profiles\huiexf3r.default\extensions
[2011/02/24 16:46:54 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\msuman\AppData\Roaming\Mozilla\Firefox\Profiles\huiexf3r.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/01/26 05:50:24 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/30 12:48:03 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/03/21 03:02:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2012/01/26 05:23:46 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
[2012/01/11 08:30:28 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\PROGRAMDATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
[2011/11/10 05:54:13 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.75\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.75\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.75\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.240.7 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U24 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
CHR - plugin: RealPlayer™ HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: RealNetworks™ Chrome Background Extension Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Users\msuman\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.3_0\
CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Users\msuman\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\

O1 HOSTS File: ([2012/01/26 09:45:59 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [TkBellExe] c:\program files\real\realplayer\Update\realsched.exe (RealNetworks, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1740862935-1246708322-3228964381-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1740862935-1246708322-3228964381-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html File not found
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\.DEFAULT\..Trusted Ranges: GD ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: GD ([http] in Local intranet)
O15 - HKU\S-1-5-21-1740862935-1246708322-3228964381-1001\..Trusted Domains: localhost ([]http in Local intranet)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx...owserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9EF48691-42FF-4A13-8013-5A1CC8DE2354}: DhcpNameServer = 192.168.1.254
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll) -C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\msuman\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\msuman\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 13:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2011/03/22 17:13:38 | 000,000,000 | R--D | M] - F:\autorun -- [ NTFS ]
O32 - AutoRun File - [2010/07/09 19:48:54 | 000,000,000 | R--D | M] - G:\autorun -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/01/26 10:05:32 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/01/26 09:46:01 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2012/01/26 09:43:53 | 000,000,000 | ---D | C] -- C:\Users\msuman\AppData\Local\temp
[2012/01/26 09:25:01 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/01/26 09:09:18 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2012/01/25 21:01:04 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/01/25 21:01:04 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/01/25 21:01:04 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/01/25 21:00:56 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/01/25 20:57:35 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/01/25 19:18:51 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/01/25 19:11:12 | 000,000,000 | ---D | C] -- C:\Users\msuman\Desktop\RK_Quarantine
[2012/01/23 07:49:56 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2012/01/22 18:08:40 | 000,000,000 | ---D | C] -- C:\Users\msuman\AppData\Roaming\E594A
[2012/01/22 18:08:29 | 000,000,000 | ---D | C] -- C:\Users\msuman\AppData\Roaming\C4EE5
[2012/01/22 18:08:22 | 000,000,000 | ---D | C] -- C:\Users\msuman\AppData\Local\SanctionedMedia
[2012/01/11 12:04:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012/01/11 12:04:21 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/01/11 10:47:30 | 000,000,000 | ---D | C] -- C:\Users\msuman\AppData\Roaming\Malwarebytes
[2012/01/11 10:47:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/01/11 10:47:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/01/11 10:47:19 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/01/11 10:47:19 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/01/11 09:33:37 | 000,000,000 | ---D | C] -- C:\sh4ldr
[2012/01/11 09:33:37 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2012/01/11 09:33:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2012/01/11 09:16:34 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2012/01/04 20:38:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/01/04 20:37:49 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/01/04 20:37:40 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/08/25 18:59:08 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\msuman\*.tmp files -> C:\Users\msuman\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/26 10:26:05 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/01/26 10:06:34 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/01/26 10:05:35 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/26 10:05:35 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/26 10:05:33 | 000,000,506 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job
[2012/01/26 10:05:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/01/26 10:05:03 | 2110,771,200 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/26 09:45:59 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/01/26 08:48:16 | 000,001,356 | ---- | M] () -- C:\Users\msuman\AppData\Local\d3d9caps.dat
[2012/01/26 05:52:23 | 000,000,288 | ---- | M] () -- C:\Windows\tasks\RealUpgradeScheduledTaskS-1-5-21-1740862935-1246708322-3228964381-1001.job
[2012/01/25 21:19:25 | 328,977,436 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/01/25 20:40:57 | 000,000,054 | ---- | M] () -- C:\Windows\System32\rp_stats.dat
[2012/01/25 20:40:57 | 000,000,039 | ---- | M] () -- C:\Windows\System32\rp_rules.dat
[2012/01/25 19:18:55 | 000,111,872 | ---- | M] () -- C:\Windows\System32\drivers\TrueSight.sys
[2012/01/25 07:07:35 | 000,000,512 | ---- | M] () -- C:\Users\msuman\Desktop\MBR.dat
[2012/01/25 06:29:13 | 000,001,973 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2012/01/24 20:04:26 | 000,030,735 | ---- | M] () -- C:\Users\msuman\Documents\malwarebytes BKD-7362011316.pdf
[2012/01/21 21:43:30 | 000,604,264 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/01/21 21:43:30 | 000,103,964 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/01/21 21:08:55 | 000,001,889 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2012/01/13 19:51:19 | 000,000,907 | ---- | M] () -- C:\Users\msuman\Application Data\Microsoft\Internet Explorer\Quick Launch\circles Asuka Kimishima 002 - Shortcut.lnk
[2012/01/11 12:04:22 | 000,000,806 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/01/11 10:48:40 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/05 04:45:23 | 000,000,564 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
[2012/01/04 20:38:59 | 000,001,666 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\msuman\*.tmp files -> C:\Users\msuman\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/26 08:54:41 | 2110,771,200 | -HS- | C] () -- C:\hiberfil.sys
[2012/01/26 05:52:23 | 000,000,288 | ---- | C] () -- C:\Windows\tasks\RealUpgradeScheduledTaskS-1-5-21-1740862935-1246708322-3228964381-1001.job
[2012/01/25 21:19:25 | 328,977,436 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012/01/25 21:01:04 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/01/25 21:01:04 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/01/25 21:01:04 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/01/25 21:01:04 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/01/25 21:01:04 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/01/25 19:11:15 | 000,111,872 | ---- | C] () -- C:\Windows\System32\drivers\TrueSight.sys
[2012/01/25 07:07:35 | 000,000,512 | ---- | C] () -- C:\Users\msuman\Desktop\MBR.dat
[2012/01/24 20:04:25 | 000,030,735 | ---- | C] () -- C:\Users\msuman\Documents\malwarebytes BKD-7362011316.pdf
[2012/01/21 21:08:55 | 000,001,889 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2012/01/21 21:08:54 | 000,001,804 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
[2012/01/13 19:51:19 | 000,000,907 | ---- | C] () -- C:\Users\msuman\Application Data\Microsoft\Internet Explorer\Quick Launch\circles Asuka Kimishima 002 - Shortcut.lnk
[2012/01/11 12:04:22 | 000,000,806 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/01/11 10:48:40 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/04 20:38:59 | 000,001,666 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/03/24 15:51:28 | 000,000,054 | ---- | C] () -- C:\Windows\System32\rp_stats.dat
[2011/03/24 15:51:28 | 000,000,039 | ---- | C] () -- C:\Windows\System32\rp_rules.dat
[2011/01/16 14:34:45 | 000,000,050 | ---- | C] () -- C:\Windows\MegaManager.INI
[2011/01/06 17:10:30 | 000,000,011 | ---- | C] () -- C:\Windows\VSWizard.ini
[2010/09/22 16:01:43 | 000,010,240 | ---- | C] () -- C:\Windows\System32\vidx16.dll
[2010/08/25 19:30:02 | 000,439,308 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2010/08/25 19:30:00 | 000,982,240 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
[2010/08/25 19:30:00 | 000,092,356 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
[2010/08/25 18:57:00 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2010/08/25 18:52:00 | 000,208,896 | ---- | C] () -- C:\Windows\System32\iglhsip32.dll
[2010/08/25 18:52:00 | 000,143,360 | ---- | C] () -- C:\Windows\System32\iglhcp32.dll
[2009/10/20 17:40:38 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/10/20 17:40:38 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 14:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/02/16 14:01:04 | 000,061,678 | ---- | C] () -- C:\Users\msuman\AppData\Roaming\PFP100JPR.{PB
[2009/02/16 14:01:04 | 000,012,358 | ---- | C] () -- C:\Users\msuman\AppData\Roaming\PFP100JCM.{PB
[2009/02/13 20:48:41 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/02/06 09:53:44 | 000,017,920 | ---- | C] () -- C:\Users\msuman\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/05 18:39:21 | 000,001,356 | ---- | C] () -- C:\Users\msuman\AppData\Local\d3d9caps.dat
[2009/01/29 00:08:29 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1545.dll
[2009/01/29 00:08:29 | 000,147,172 | ---- | C] () -- C:\Windows\System32\igfcg550.bin
[2009/01/29 00:08:29 | 000,004,608 | ---- | C] () -- C:\Windows\System32\HdmiCoin.dll
[2009/01/29 00:06:08 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/02/03 15:37:35 | 000,000,000 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2006/11/02 04:53:49 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 04:44:53 | 000,330,200 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 02:33:01 | 000,604,264 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 02:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 02:33:01 | 000,103,964 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 02:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 02:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 02:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 00:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 00:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/01 23:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/01 23:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== LOP Check ==========

[2012/01/22 18:08:29 | 000,000,000 | ---D | M] -- C:\Users\msuman\AppData\Roaming\C4EE5
[2012/01/22 18:08:40 | 000,000,000 | ---D | M] -- C:\Users\msuman\AppData\Roaming\E594A
[2011/05/24 19:38:00 | 000,000,000 | ---D | M] -- C:\Users\msuman\AppData\Roaming\PCDr
[2009/08/23 10:36:56 | 000,000,000 | ---D | M] -- C:\Users\msuman\AppData\Roaming\Uniblue
[2010/02/25 15:12:11 | 000,000,000 | ---D | M] -- C:\Users\msuman\AppData\Roaming\uTorrent
[2010/11/27 13:17:24 | 000,000,000 | ---D | M] -- C:\Users\msuman\AppData\Roaming\WhiteSmokeSetup
[2010/11/27 15:04:11 | 000,000,000 | ---D | M] -- C:\Users\msuman\AppData\Roaming\WhiteSmokeTranslator
[2012/01/05 04:45:23 | 000,000,564 | ---- | M] () -- C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
[2012/01/26 10:03:54 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012/01/26 10:05:33 | 000,000,506 | ---- | M] () -- C:\Windows\Tasks\SystemToolsDailyTest.job

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: NETBT.SYS >
[2008/01/20 18:34:49 | 000,184,320 | ---- | M] (Microsoft Corporation) MD5=7C5FEE5B1C5728507CD96FB4A13E7A02 -- C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys
[2012/01/25 21:52:44 | 000,185,856 | ---- | M] (Microsoft Corporation) MD5=ECD64230A59CBD93C85F1CD1CAB9F3F6 -- C:\Windows\System32\drivers\netbt.sys
[2012/01/25 21:52:44 | 000,185,856 | ---- | M] (Microsoft Corporation) MD5=ECD64230A59CBD93C85F1CD1CAB9F3F6 -- C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6002.18005_none_6250416df465f2b1\netbt.sys

< c:\users\msuman\AppData\Roaming\E594A\*.* /s >

< c:\users\msuman\AppData\Roaming\C4EE5\*.* /s >
[2012/01/24 03:27:55 | 000,011,125 | ---- | M] () -- c:\users\msuman\AppData\Roaming\C4EE5\594A.4EE

========== Alternate Data Streams ==========

@Alternate Data Stream - 641 bytes -> C:\Users\msuman\Documents\bookmarks.eml:OECustomProperty

< End of report >
  • 0

#27
knarf1

knarf1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts
aswMBR version 0.9.9.1509 Copyright© 2011 AVAST Software
Run date: 2012-01-25 07:05:31
-----------------------------
07:05:31.717 OS Version: Windows 6.0.6002 Service Pack 2
07:05:31.717 Number of processors: 2 586 0x1706
07:05:31.717 ComputerName: MSUMAN-PC UserName: msuman
07:05:34.213 Initialize success
07:06:16.711 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
07:06:16.711 Disk 0 Vendor: ST325031 4.AD Size: 238418MB BusType: 3
07:06:16.742 Disk 0 MBR read successfully
07:06:16.742 Disk 0 MBR scan
07:06:16.742 Disk 0 Windows VISTA default MBR code
07:06:16.742 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 54 MB offset 63
07:06:16.758 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 112640
07:06:16.773 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 228122 MB offset 21084160
07:06:16.789 Disk 0 scanning sectors +488278016
07:06:16.867 Disk 0 scanning C:\Windows\system32\drivers
07:06:25.057 Service scanning
07:06:26.071 Service SysPlant C:\Windows\SYSTEM32\Drivers\SysPlant.sys **LOCKED** 32
07:06:26.086 Service Teefer2 C:\Windows\system32\DRIVERS\teefer2.sys **LOCKED** 32
07:06:26.133 Service WPS C:\Windows\system32\drivers\wpsdrvnt.sys **LOCKED** 32
07:06:26.648 Service WpsHelper C:\Windows\system32\drivers\WpsHelper.sys **LOCKED** 32
07:06:27.163 Modules scanning
07:06:32.701 Module: C:\Windows\System32\DRIVERS\netbt.sys **SUSPICIOUS**
07:06:36.304 Disk 0 trace - called modules:
07:06:36.336 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x879eeff0]<<
07:06:36.336 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8614f888]
07:06:36.351 3 CLASSPNP.SYS[883a98b3] -> nt!IofCallDriver -> [0x879bc998]
07:06:36.351 \Driver\00001247[0x879bcad0] -> IRP_MJ_CREATE -> 0x879eeff0
07:06:36.367 Scan finished successfully
07:07:35.647 Disk 0 MBR has been saved successfully to "C:\Users\msuman\Desktop\MBR.dat"
07:07:35.928 The log file has been saved successfully to "C:\Users\msuman\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1509 Copyright© 2011 AVAST Software
Run date: 2012-01-26 11:15:54
-----------------------------
11:15:54.793 OS Version: Windows 6.0.6002 Service Pack 2
11:15:54.793 Number of processors: 2 586 0x1706
11:15:54.793 ComputerName: MSUMAN-PC UserName: msuman
11:15:55.682 Initialize success
11:15:59.369 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
11:15:59.369 Disk 0 Vendor: ST325031 4.AD Size: 238418MB BusType: 3
11:15:59.400 Disk 0 MBR read successfully
11:15:59.400 Disk 0 MBR scan
11:15:59.400 Disk 0 Windows VISTA default MBR code
11:15:59.415 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 54 MB offset 63
11:15:59.447 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 112640
11:15:59.462 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 228122 MB offset 21084160
11:15:59.478 Disk 0 scanning sectors +488278016
11:15:59.540 Disk 0 scanning C:\Windows\system32\drivers
11:16:08.307 Service scanning
11:16:09.649 Modules scanning
11:16:15.920 Disk 0 trace - called modules:
11:16:15.951 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
11:16:15.951 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x858eaac8]
11:16:15.967 3 CLASSPNP.SYS[883a98b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x84d9e028]
11:16:15.967 Scan finished successfully
11:16:33.065 Disk 0 MBR has been saved successfully to "C:\Users\msuman\Desktop\MBR.dat"
11:16:33.080 The log file has been saved successfully to "C:\Users\msuman\Desktop\aswMBR.txt"
  • 0
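The two aswMBR runs above differ in one detail that matters: the first disk I/O trace ends at an address aswMBR cannot map to any loaded driver and an unnamed driver object hooks IRP_MJ_CREATE to it, while the second trace resolves cleanly down to iastor.sys. The checker below is an added example (not part of this post and not aswMBR's own code) that pulls the **LOCKED**, **SUSPICIOUS** and unresolved-trace entries out of each run and compares them; the embedded excerpts are the relevant lines copied from the two logs in this post.

```python
import re

# Excerpts of the two aswMBR runs in this post (only the lines the checker examines).
RUN_BEFORE = r"""
07:06:26.071 Service SysPlant C:\Windows\SYSTEM32\Drivers\SysPlant.sys **LOCKED** 32
07:06:26.133 Service WPS C:\Windows\system32\drivers\wpsdrvnt.sys **LOCKED** 32
07:06:32.701 Module: C:\Windows\System32\DRIVERS\netbt.sys **SUSPICIOUS**
07:06:36.304 Disk 0 trace - called modules:
07:06:36.336 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x879eeff0]<<
07:06:36.336 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8614f888]
07:06:36.351 3 CLASSPNP.SYS[883a98b3] -> nt!IofCallDriver -> [0x879bc998]
07:06:36.351 \Driver\00001247[0x879bcad0] -> IRP_MJ_CREATE -> 0x879eeff0
07:06:36.367 Scan finished successfully
"""

RUN_AFTER = r"""
11:16:08.307 Service scanning
11:16:09.649 Modules scanning
11:16:15.920 Disk 0 trace - called modules:
11:16:15.951 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
11:16:15.951 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x858eaac8]
11:16:15.967 3 CLASSPNP.SYS[883a98b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x84d9e028]
11:16:15.967 Scan finished successfully
"""

TIMESTAMP = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+")
LOCKED = re.compile(r"^Service (\S+) (.+?) \*\*LOCKED\*\*")
SUSPICIOUS = re.compile(r"^Module: (.+?) \*\*SUSPICIOUS\*\*")
UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<")
# An unnamed driver object (\Driver\<digits>) redirecting an IRP major function
# to a raw address: the address is recorded so it can be matched to UNKNOWN.
HOOK = re.compile(r"^\\Driver\\(\d+)\[(0x[0-9a-f]+)\] -> (\w+) -> (0x[0-9a-f]+)")


def parse_aswmbr(log: str) -> dict:
    """Extract the findings a reviewer looks for in an aswMBR log.

    locked:        service names aswMBR could not open (often just the installed AV's own drivers)
    suspicious:    module paths aswMBR flagged
    unknown_hooks: addresses in the disk I/O trace that belong to no loaded module
    hooks:         (driver object, IRP function, target address) tuples in the trace
    trace:         the called-modules chain, in order
    """
    f = {"locked": [], "suspicious": [], "unknown_hooks": [], "hooks": [], "trace": []}
    in_trace = False
    for raw in log.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        if not line:
            continue
        if m := LOCKED.match(line):
            f["locked"].append(m.group(1))
        if m := SUSPICIOUS.match(line):
            f["suspicious"].append(m.group(1))
        if line.startswith("Disk 0 trace"):
            in_trace = True
            continue
        if in_trace:
            if line.startswith("Scan finished"):
                break
            f["trace"].append(line)
            f["unknown_hooks"].extend(UNKNOWN.findall(line))
            if m := HOOK.match(line):
                f["hooks"].append((m.group(1), m.group(3), m.group(4)))
    return f


def disk_stack_clean(f: dict) -> bool:
    """True when every address in the disk trace resolved to a loaded driver and
    nothing was flagged suspicious. LOCKED services alone are not treated as a
    finding, since a running AV product commonly protects its own drivers."""
    return not f["unknown_hooks"] and not f["suspicious"] and not f["hooks"]


def compare_runs(before: dict, after: dict) -> dict:
    """Findings present in the first run that no longer appear in the second."""
    keys = ("locked", "suspicious", "unknown_hooks", "hooks")
    return {k: sorted(set(before[k]) - set(after[k])) for k in keys}


if __name__ == "__main__":
    b, a = parse_aswmbr(RUN_BEFORE), parse_aswmbr(RUN_AFTER)
    print("before clean:", disk_stack_clean(b), "after clean:", disk_stack_clean(a))
    print("resolved between runs:", compare_runs(b, a))
```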

#28
Homburg

Homburg

    Trusted Helper

  • Malware Removal
  • 665 posts
Hello,

That's looking better.

What are you going to do about an AntiVirus? If you've paid for Symantec then you could reinstall that or I could recommend a free one. Remember, you can only use one.

I'd like you to do one more scan, this will probably take some time. If it doesn't find anything then it won't produce a log.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

  • 0

#29
knarf1

knarf1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts
I will be home in 45 minutes to run it.

I can get Symantec antivirus from my university for free. They have a new version, too. They also have "CleanWipe 5," which they say can clean up remnants of the old Symantec. Sound OK?

That Lavasoft. It is disabled, right? I have uninstalled it, but guess it is still there. When I look for uninstall info, what is instructed I have already done.


Continued gratitude...
  • 0

#30
Homburg

Homburg

    Trusted Helper

  • Malware Removal
  • 665 posts
Hi,

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {DAAC1C79-1A96-9DFE-FC4C-6940214C33E6}

This is from the header of the ComboFix log, so Lavasoft is disabled but not uninstalled unless you've uninstalled it following the ComboFix run :)

Sounds like the best option would be to use the CleanWipe5 to fully remove the Symantec and then reinstall if you can get it free.

After you've done the online scan in my previous post you can try to remove Lavasoft and maybe any McAfee remnants with this next utility:



Download AppRemover and run it.

Click Next >>


Ensure "Remove Security Application" is selected and click Next >>


AppRemover will scan all the security applications on your PC

Select any Lavasoft and McAfee entries from the applications offered and click Next >> twice.

Follow any further on-screen instructions. If asked to reboot, please do so.

Note: Please do not browse the internet or open any email attachments until your Anti-Virus is re-installed

  • 0
