Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Win32:Crypt-MSA Trojan disabled internet access [Solved]

Started by Jan1959 , May 10 2012 02:03 AM

This topic is locked

#16
Jan1959

Posted 11 May 2012 - 01:18 PM

Member

Topic Starter
Member
255 posts

I can't find the C:\_OTL\MovedFiles anywhere. When I go onto the C drive it says that all the files are hidden.

There is a reset file appeared on my memory stick so I will post that in case it@s relevant.

reset SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation
old REG_MULTI_SZ =
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain
SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{864EE082-8801-4DA6-9C62-9DDCB46AE000}\NetbiosOptions
added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{8814F931-AC3A-428D-889F-6D5AE0FFBB8F}\NetbiosOptions
deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{030DB6D3-7B19-472F-B7FA-FBC2BE74A6F8}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{030DB6D3-7B19-472F-B7FA-FBC2BE74A6F8}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{030DB6D3-7B19-472F-B7FA-FBC2BE74A6F8}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{030DB6D3-7B19-472F-B7FA-FBC2BE74A6F8}\IpAutoconfigurationSeed
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{030DB6D3-7B19-472F-B7FA-FBC2BE74A6F8}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{030DB6D3-7B19-472F-B7FA-FBC2BE74A6F8}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{030DB6D3-7B19-472F-B7FA-FBC2BE74A6F8}\UdpAllowedPorts
old REG_MULTI_SZ =
0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1470F5C8-126D-4C33-8225-279835823DBC}\AddressType
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1470F5C8-126D-4C33-8225-279835823DBC}\DisableDynamicUpdate
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1470F5C8-126D-4C33-8225-279835823DBC}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1470F5C8-126D-4C33-8225-279835823DBC}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1470F5C8-126D-4C33-8225-279835823DBC}\UdpAllowedPorts
old REG_MULTI_SZ =
0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A545EDF-3EBE-41C5-B268-01AB4F12860F}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A545EDF-3EBE-41C5-B268-01AB4F12860F}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A545EDF-3EBE-41C5-B268-01AB4F12860F}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A545EDF-3EBE-41C5-B268-01AB4F12860F}\IpAutoconfigurationSeed
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A545EDF-3EBE-41C5-B268-01AB4F12860F}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A545EDF-3EBE-41C5-B268-01AB4F12860F}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A545EDF-3EBE-41C5-B268-01AB4F12860F}\UdpAllowedPorts
old REG_MULTI_SZ =
0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C2B14E2E-6817-4350-A24C-D77950F6A361}\AddressType
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C2B14E2E-6817-4350-A24C-D77950F6A361}\DisableDynamicUpdate
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C2B14E2E-6817-4350-A24C-D77950F6A361}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C2B14E2E-6817-4350-A24C-D77950F6A361}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C2B14E2E-6817-4350-A24C-D77950F6A361}\UdpAllowedPorts
old REG_MULTI_SZ =
0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DontAddDefaultGatewayDefault
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution
reset Linkage\UpperBind for PCI\VEN_1814&DEV_0301&SUBSYS_700E1799&REV_00\4&1AF1648C&0&28F0. bad value was:
REG_MULTI_SZ =
PSched

reset Linkage\UpperBind for PCI\VEN_8086&DEV_27DC&SUBSYS_2A22103C&REV_01\4&1AF1648C&0&40F0. bad value was:
REG_MULTI_SZ =
PSched

reset Linkage\UpperBind for ROOT\MS_NDISWANIP\0000. bad value was:
REG_MULTI_SZ =
PSched

reset Linkage\UpperBind for PCI\VEN_10EC&DEV_8139&SUBSYS_577C1462&REV_10\4&1A671D0C&0&60F0. bad value was:
REG_MULTI_SZ =
PSched

<completed>

#17
maliprog

Posted 11 May 2012 - 01:20 PM

Trusted Helper

Malware Removal
6,172 posts

Please post me FSS log again. This is only half of log posted. I need to see whole log.

#18
Jan1959

Posted 11 May 2012 - 01:28 PM

Member

Topic Starter
Member
255 posts

I thought that it was short but that's all I got. I will run it again

#19
Jan1959

Posted 11 May 2012 - 01:35 PM

Member

Topic Starter
Member
255 posts

There seems to be more this time!

Farbar Service Scanner Version: 11-05-2012
Ran by Jan (administrator) on 11-05-2012 at 20:33:29
Running from "F:\"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returned error: Yahoo IP is unreachable

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-04 13:00] - [2008-04-13 20:21] - 0162816 ____A () 8FE4D1777E1E2B9118B5B92755FCA71C

ATTENTION!=====> C:\WINDOWS\system32\Drivers\netbt.sys IS INFECTED AND SHOULD BE REPLACED.

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x09000000040000000100000002000000030000000800000005000000060000000700000009000000
IpSec Tag value is correct.

**** End of log ****

#20
maliprog

Posted 11 May 2012 - 01:40 PM

Trusted Helper

Malware Removal
6,172 posts

OK. This is it!

Start FSS again. In Search box copy and past this:

netbt.sys
ipsec.sys

Press Search Files button. Post log after the scan please.

#21
Jan1959

Posted 11 May 2012 - 11:46 PM

Member

Topic Starter
Member
255 posts

I ran this twice in case I got it wrong!

Farbar Service Scanner Version: 11-05-2012
Ran by Jan (administrator) on 12-05-2012 at 06:39:21
Microsoft Windows XP Home Edition Service Pack 3 (X86)

************************************************
======== Search: "netbt.sysipsec.sys" =========

====== End Of Search ======

Sorry but I won't be able to do any more today as I am out on an appointment that I can't cancel.
If you post further instructions, I will carry one first thing tomorrow morning.
Thanks for all your help so far

#22
maliprog

Posted 12 May 2012 - 09:32 AM

Trusted Helper

Malware Removal
6,172 posts

Please do last step one more time. Note that you made misteke and you wrote two file names like this netbt.sysipsec.sys.

You must write fist file and press Enter then write another one. There should be two file names in two rows like this:

netbt.sys
ipsec.sys

#23
Jan1959

Posted 12 May 2012 - 04:17 PM

Member

Topic Starter
Member
255 posts

Hi Maliprog,

I have now done this for the 3rd time and I am still getting the same log.

I have typed it in on separate lines pressing enter in between and I have tried just copying and pasting.

Please advise

Farbar Service Scanner Version: 11-05-2012
Ran by Jan (administrator) on 12-05-2012 at 23:11:48
Microsoft Windows XP Home Edition Service Pack 3 (X86)

************************************************
======== Search: "netbt.sysipsec.sys" =========

====== End Of Search ======

#24
maliprog

Posted 13 May 2012 - 09:31 AM

Trusted Helper

Malware Removal
6,172 posts

It's OK. For some reason FSS search doesn't work on your machine. We will try to use OTL to find these files.

Run OTL again

Double click on the icon to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator"). Make sure all other windows are closed and to let it run uninterrupted.
Under the Custom Scan box paste this in

/md5start
netbt.*
ipsec.*
/md5stop

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open OTL.Txt. This file is also saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it here to me

#25
Jan1959

Posted 13 May 2012 - 12:56 PM

Member

Topic Starter
Member
255 posts

Here we go

OTL logfile created on: 13/05/2012 19:49:32 - Run 3
OTL by OldTimer - Version 3.2.42.3 Folder = F:\
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.45 Gb Available Physical Memory | 81.62% Memory free
4.84 Gb Paging File | 4.45 Gb Available in Paging File | 91.95% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 180.30 Gb Total Space | 117.17 Gb Free Space | 64.99% Space Free | Partition Type: NTFS
Drive D: | 5.99 Gb Total Space | 2.09 Gb Free Space | 34.97% Space Free | Partition Type: FAT32
Drive F: | 7.31 Gb Total Space | 7.30 Gb Free Space | 99.93% Space Free | Partition Type: FAT32
Drive J: | 149.04 Gb Total Space | 145.23 Gb Free Space | 97.44% Space Free | Partition Type: NTFS

Computer Name: ADAM-447023DY6B | User Name: Jan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/10 08:24:04 | 000,595,456 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
PRC - [2012/03/11 14:48:36 | 001,652,536 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2012/03/11 14:48:36 | 000,931,640 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2012/03/07 00:15:17 | 004,241,512 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/03/07 00:15:14 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2011/06/28 14:58:32 | 002,345,984 | ---- | M] (Koninklijke Philips Electronics N.V.) -- C:\Program Files\Philips\Wi-Fi MediaConnect\Wi-Fi MediaConnect.exe
PRC - [2010/06/21 11:14:30 | 000,308,736 | ---- | M] () -- C:\Program Files\Philips\Wi-Fi MediaConnect\HTSRecover.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/18 08:54:02 | 000,185,896 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2007/12/27 23:39:40 | 000,122,880 | ---- | M] (Sony DADC Austria AG.) -- C:\WINDOWS\system32\UAService7.exe
PRC - [2007/01/04 22:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe

========== Modules (No Company Name) ==========

MOD - [2012/05/09 09:35:39 | 001,756,160 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12050900\algo.dll
MOD - [2012/03/11 14:50:38 | 000,516,368 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportMS.dll
MOD - [2011/11/10 17:11:00 | 000,557,056 | ---- | M] () -- C:\Program Files\Trusteer\Rapport\bin\js32.dll
MOD - [2010/06/21 11:14:30 | 000,308,736 | ---- | M] () -- C:\Program Files\Philips\Wi-Fi MediaConnect\HTSRecover.exe

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/05/04 21:08:09 | 000,257,696 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/03/11 14:48:36 | 000,931,640 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2012/03/07 00:15:14 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011/06/13 22:09:22 | 000,267,568 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Fix it Center\Matsvc.exe -- (MatSvc)
SRV - [2007/12/27 23:39:40 | 000,122,880 | ---- | M] (Sony DADC Austria AG.) [Auto | Running] -- C:\WINDOWS\system32\UAService7.exe -- (UserAccess7) SecuROM User Access Service (V7)
SRV - [2007/01/04 22:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\sony_ssm.sys -- (sony_ssm.sys)
DRV - File not found [Kernel | System | Stopped] -- C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS -- (SASKUTIL)
DRV - File not found [Kernel | System | Stopped] -- C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS -- (SASDIFSV)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\gkmixern.sys -- (gkmixern)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS -- (DNINDIS5)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Jan\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys -- (cpuz134)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Jan\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2012/03/11 14:50:38 | 000,021,520 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Running] -- c:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportIaso.sys -- (RapportIaso)
DRV - [2012/03/11 14:48:52 | 000,071,440 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -- (RapportEI)
DRV - [2012/03/11 14:48:50 | 000,056,208 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2012/03/07 00:03:51 | 000,612,184 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/03/07 00:03:38 | 000,337,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/03/07 00:02:00 | 000,035,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2012/03/07 00:01:53 | 000,053,848 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/03/07 00:01:39 | 000,095,704 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2012/03/07 00:01:30 | 000,020,696 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012/03/06 23:58:29 | 000,024,920 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/12/15 20:11:33 | 000,228,208 | ---- | M] () [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys -- (RapportCerberus_34302)
DRV - [2010/02/08 11:45:06 | 000,019,328 | ---- | M] (WiFi Media Connect) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wfmcvad.sys -- (WFMC_VAD) WFMC Virtual Audio Device (WDM)
DRV - [2009/12/18 13:13:23 | 000,278,984 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2009/12/18 13:09:55 | 000,018,048 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2009/02/11 13:40:40 | 005,028,352 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/11/24 10:54:12 | 000,495,104 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt61.sys -- (RT61)
DRV - [2008/04/13 20:21:00 | 000,162,816 | ---- | M] () [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\netbt.sys -- (NetBT)
DRV - [2005/12/12 20:12:01 | 000,049,664 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sfsync04.sys -- (sfsync04) StarForce Protection Synchronization Driver (version 4.x)
DRV - [2005/08/10 13:44:04 | 000,050,688 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2005/07/04 08:30:34 | 000,026,624 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
DRV - [2005/06/30 21:16:26 | 001,094,848 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/05/16 14:20:39 | 000,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
DRV - [2004/08/04 05:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/w...q={SEARCHTERMS}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...&rlz=1I7GFRD_en
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@bittorrent.com/BitTorrentDNA: C:\Program Files\DNA\plugins\npbtdna.dll (BitTorrent, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Content Upload Plugin,version=1.0.0: C:\Program Files\DivX\DivX Content Uploader\npUpload.dll File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.46: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.46: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.46: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/03/18 08:54:19 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/07 15:59:06 | 000,000,000 | ---D | M]

[2011/11/13 00:04:12 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/11/13 00:04:13 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
[2011/10/03 06:06:04 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.168\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.168\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.168\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U29 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: DNA Plug-in (Enabled) = C:\Program Files\DNA\plugins\npbtdna.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
CHR - plugin: MetaStream 3 Plugin (Enabled) = C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - Extension: YouTube = C:\Documents and Settings\Jan\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\
CHR - Extension: Google Search = C:\Documents and Settings\Jan\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0\
CHR - Extension: avast! WebRep = C:\Documents and Settings\Jan\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1426_0\
CHR - Extension: Gmail = C:\Documents and Settings\Jan\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0\

O1 HOSTS File: ([2012/05/10 18:10:16 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wi-Fi MediaConnect.lnk = C:\Program Files\Philips\Wi-Fi MediaConnect\Wi-Fi MediaConnect.exe (Koninklijke Philips Electronics N.V.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html File not found
O9 - Extra Button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra 'Tools' menuitem : Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.nvidia.co.../sysreqlab3.cab (System Requirements Lab Class)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx...owserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{030DB6D3-7B19-472F-B7FA-FBC2BE74A6F8}: DhcpNameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7A545EDF-3EBE-41C5-B268-01AB4F12860F}: DhcpNameServer = 15.243.128.51 15.243.160.51
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Jan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/11/09 21:20:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 07:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/10 21:29:11 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/05/10 12:04:18 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/05/10 12:04:18 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/05/10 12:04:18 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/05/10 12:04:18 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/05/10 12:04:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/05/10 12:03:25 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/05/10 12:03:21 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Jan\My Documents\My Videos
[2012/05/10 12:03:21 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2012/05/10 12:03:21 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Jan\Start Menu\Programs\Administrative Tools
[2012/05/10 12:00:10 | 004,489,176 | R--- | C] (Swearware) -- C:\Documents and Settings\Jan\Desktop\ComboFix.exe
[2012/05/09 19:30:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jan\Local Settings\Application Data\{F137954F-9A04-11E1-826E-B8AC6F996F26}
[2012/05/09 19:27:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\F4D561A50025CDB5545820F3D151FC84
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/05/12 23:30:10 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/05/12 07:08:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/05/11 19:53:03 | 000,031,203 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2012/05/11 19:53:03 | 000,000,189 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.DAT
[2012/05/11 19:53:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/05/11 19:51:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/05/11 19:51:34 | 3219,636,224 | -HS- | M] () -- C:\hiberfil.sys
[2012/05/10 18:10:16 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/05/10 11:58:02 | 004,489,176 | R--- | M] (Swearware) -- C:\Documents and Settings\Jan\Desktop\ComboFix.exe
[2012/05/09 19:56:36 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/06 17:26:01 | 000,000,083 | ---- | M] () -- C:\WINDOWS\wwp.INI
[2012/05/05 14:53:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/04/30 18:01:15 | 000,002,058 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/05/10 12:04:18 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/05/10 12:04:18 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/05/10 12:04:18 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/05/10 12:04:18 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/05/10 12:04:18 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/05/10 01:18:56 | 3219,636,224 | -HS- | C] () -- C:\hiberfil.sys
[2012/05/09 19:56:36 | 000,000,795 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/04/25 13:43:02 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/02/15 08:06:41 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/12/30 20:40:28 | 000,009,136 | ---- | C] () -- C:\WINDOWS\System32\INETWH16.DLL
[2011/12/30 20:40:28 | 000,004,528 | ---- | C] () -- C:\WINDOWS\System32\SETBROWS.EXE
[2011/12/29 11:49:41 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2011/12/18 12:12:59 | 000,000,040 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2011/12/18 12:12:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\popcreg.dat
[2011/11/30 11:08:48 | 000,000,140 | ---- | C] () -- C:\Documents and Settings\Jan\Application Data\wklnhst.dat
[2011/11/10 15:14:31 | 000,000,272 | ---- | C] () -- C:\WINDOWS\reimage.ini

========== LOP Check ==========

[2011/06/21 23:25:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2009/01/31 15:36:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Channel4
[2011/07/31 14:36:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2012/05/09 19:27:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F4D561A50025CDB5545820F3D151FC84
[2011/07/23 06:37:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Firefly Studios
[2009/01/31 15:49:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kontiki
[2008/03/17 11:14:13 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Memeo
[2011/07/31 14:46:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Origin
[2011/07/04 22:07:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Panda Security
[2009/03/03 09:48:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2011/12/18 12:13:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2008/09/09 08:56:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SimCity Societies
[2011/06/27 11:09:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2008/05/05 11:15:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/04/05 11:59:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/09/21 11:34:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2011/11/28 15:27:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan\Application Data\ElevatedDiagnostics
[2005/01/03 07:19:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan\Application Data\SampleView
[2011/11/30 11:08:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan\Application Data\Template
[2011/06/27 15:30:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan\Application Data\Trusteer
[2011/07/19 15:31:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan\Application Data\Windows Desktop Search
[2011/07/19 15:31:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan\Application Data\Windows Search

========== Purity Check ==========

========== Custom Scans ==========

< MD5 for: IPSEC.SY_ >
[2004/08/04 13:00:00 | 000,039,596 | ---- | M] () MD5=88DC5CC7670238929F698AFBBC0B5594 -- C:\WINDOWS\I386\IPSEC.SY_

< MD5 for: IPSEC.SYS >
[2008/04/13 20:19:42 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=23C74D75E36E7158768DD63D92789A91 -- C:\WINDOWS\ERDNT\cache\ipsec.sys
[2008/04/13 20:19:42 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=23C74D75E36E7158768DD63D92789A91 -- C:\WINDOWS\ServicePackFiles\i386\ipsec.sys
[2008/04/13 20:19:42 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=23C74D75E36E7158768DD63D92789A91 -- C:\WINDOWS\system32\dllcache\ipsec.sys
[2008/04/13 20:19:42 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=23C74D75E36E7158768DD63D92789A91 -- C:\WINDOWS\system32\drivers\ipsec.sys
[2004/08/04 13:00:00 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=64537AA5C003A6AFEEE1DF819062D0D1 -- C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys

< MD5 for: NETBT.SY_ >
[2004/08/04 13:00:00 | 000,090,324 | ---- | M] () MD5=7B5A024CC29AEE68A960EF6B09729AFF -- C:\WINDOWS\I386\NETBT.SY_

< MD5 for: NETBT.SYS >
[2004/08/04 13:00:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=0C80E410CD2F47134407EE7DD19CC86B -- C:\WINDOWS\$NtServicePackUninstall$\netbt.sys
[2008/04/13 20:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=74B2B2F5BEA5E9A3DC021D685551BD3D -- C:\WINDOWS\ServicePackFiles\i386\netbt.sys
[2008/04/13 20:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=74B2B2F5BEA5E9A3DC021D685551BD3D -- C:\WINDOWS\system32\dllcache\netbt.sys
[2008/04/13 20:21:00 | 000,162,816 | ---- | M] () MD5=8FE4D1777E1E2B9118B5B92755FCA71C -- C:\WINDOWS\system32\drivers\netbt.sys

< End of report >

#26
maliprog

Posted 13 May 2012 - 01:10 PM

Trusted Helper

Malware Removal
6,172 posts

We have clean copy of infected driver now. Let's replace it.

Step 1

1. Please download The Avenger by Swandog46 to your Desktop.

Right click on the Avenger.zip folder and select "Extract All..."
Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to move:
C:\WINDOWS\ServicePackFiles\i386\netbt.sys | C:\WINDOWS\system32\drivers\netbt.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

Right click on the window under Input script here:, and select Paste.
You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
Click on Execute
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .

Step 2

Let's confirm that we replaced driver with clean copy.

Please run Farbar Service Scanner

Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center
- Windows Update
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Step 3

Please don't forget to include these items in your reply:

The Avenger log
FSS log

It would be helpful if you could post each log in separate post

#27
Jan1959

Posted 13 May 2012 - 02:42 PM

Member

Topic Starter
Member
255 posts

Here is the avenger log but I have a windows message stating that windows has no disk up with 3 codes. The message will not disappear.

Also I seem to be connected back to the internet - I only know this because I now have a windows update in progress icon, I haven't tried to go onto the internet and lastly I don't have a Highjackthis log?

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\ServicePackFiles\i386\netbt.sys|C:\WINDOWS\system32\drivers\netbt.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#28
Jan1959

Posted 13 May 2012 - 02:46 PM

Member

Topic Starter
Member
255 posts

Here is the FSS log

Farbar Service Scanner Version: 11-05-2012
Ran by Jan (administrator) on 13-05-2012 at 21:44:19
Running from "F:\"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x09000000040000000100000002000000030000000800000005000000060000000700000009000000
IpSec Tag value is correct.

**** End of log ****

#29
maliprog

Posted 13 May 2012 - 11:01 PM

Trusted Helper

Malware Removal
6,172 posts

I haven't tried to go onto the internet and lastly I don't have a Highjackthis log?

This was my mistake. I don't need Hijackthis log.

I have a windows message stating that windows has no disk up with 3 codes

Restart your system and if you still get this message please take print screen for me so I can see what is about.

Press Alt and Print Screen button on your keyboard
Open Paint program
From the menu choose Edit then Paste
Now save the picture and attach it here for me.

Also I seem to be connected back to the internet

This is great news! Please go online and see if everything working. Let me know results.

#30
Jan1959

Posted 14 May 2012 - 01:43 AM

Member

Topic Starter
Member
255 posts

The window message box has gone now that I have rebooted the PC.

Windows successfully completed 15 updates.

I have briefly gone onto the internet and it connects to Google etc.

MAMB successfully updated but picked up a file called Trojan.Lameshield which it states is now quarrantined and successfully deleted and Avast also blocked a trojan while MAMB was updating but there isn't a record of it in the virus chest.