Acer Desktop Win XP with rootkits [Solved]


  • This topic is locked

#16
clxskeeg
    Member
  • Topic Starter
  • Member
  • 60 posts
Step 14 on another page???

I don't see any step 14 on the icompute page.
  • 0


#17
ldtate
    Malware Expert
  • Expert
  • 1,874 posts
  • MVP
OK. Let's try it from MS.
http://support.micro...om/?kbid=307545
  • 0

#18
clxskeeg
    Member
  • Topic Starter
  • Member
  • 60 posts
I did all of the steps in Part One step 5 from

md tmp

to

copy c:\windows\repair\default c:\windows\system32\config\default

but when I type exit, the computer boots back into the blue screen that leads to the Recovery Console.

If I use F12 to change to boot to + hard disk, and I pick

Ch2 M. : ST3160023AS

I get only a black screen with a blinking cursor in the top left which will not respond to any key stroke.

If I am supposed to go on through Part Two, that describes using the F8 key, but I cannot get to that stage of the boot-up.

Edited by clxskeeg, 05 May 2010 - 08:55 AM.

  • 0

#19
ldtate
    Malware Expert
  • Expert
  • 1,874 posts
  • MVP
Boot into the Recovery Console and try this:
chkdsk /p <--Note the space.
  • 0

#20
clxskeeg
    Member
  • Topic Starter
  • Member
  • 60 posts
Well, I did the chkdsk and here is what I got:


Posted Image


After I typed EXIT, I tried the boot in both CD and hard disk mode, and I got the same results: it either boots into setup or boots to a black screen with a blinking cursor.

By the way, if it matters, this is a 160 GB drive partitioned into two 80 GB partitions, C and D. Could the malware have constructed a hidden registry somewhere on another part of the drive?

One thing I downloaded at one time was something called Kremlin Encrypt. I was suspicious of the program almost immediately, and I uninstalled it, but who knows what it did ultimately.

Edited by clxskeeg, 05 May 2010 - 10:41 AM.

  • 0

#21
ldtate
    Malware Expert
  • Expert
  • 1,874 posts
  • MVP
You said you installed ERUNT. Let's try that.

Restoring the registry with ERDNT - Emergency Scenario II
http://www.larsheder...erunt/erunt.txt

It's about 1/2 way down the page.

2. The Windows Recovery Console (Windows 2000 and higher)
  • 0

#22
clxskeeg
    Member
  • Topic Starter
  • Member
  • 60 posts
I was thinking myself this morning about the ERUNT backups.

I think I followed the instructions, but there may be a problem with folder names or typing in the batch command.

I also see I typed the first date wrong as the directory name, 04 instead of 4, but it probably would give the same results.

EDIT: I found an ERDNT directory I could get into, the second from the top, apparently named "..". I was able to run the commands including batch and it copied about 7 or 8 files. Then I typed exit and took the disk out of the CD drive, and re-booted from the hard drive, but all I can get is a black screen with a blinking cursor.


Posted Image

Edited by clxskeeg, 05 May 2010 - 12:33 PM.

  • 0

#23
clxskeeg
    Member
  • Topic Starter
  • Member
  • 60 posts
I tried again and stopped the process as you see on the screen. Should I type exit and reboot from the hard drive?

Posted Image
  • 0

#24
ldtate
    Malware Expert
  • Expert
  • 1,874 posts
  • MVP
Did you wait until it finished copying the files?
  • 0

#25
clxskeeg
    Member
  • Topic Starter
  • Member
  • 60 posts
Sorry, I see that I wrote "I stopped the process" in the first line, but I did not push any key or type any command. I waited until it stopped copying; the screen stayed as you see it for about 3 hours. Then I tried to see if that would load: I typed exit at the bottom line you see, it started to reboot, I set F12 to boot from the hard drive, and now I have the black screen with a blinking cursor in the top left, and pressing any key does nothing. Could this have something to do with the system.bak file I made a while back in this thread?

Edited by clxskeeg, 05 May 2010 - 07:45 PM.

  • 0


#26
ldtate
    Malware Expert
  • Expert
  • 1,874 posts
  • MVP
These MBR rootkits can kill the OS and that's what it looks like it did.

Might just as well try fixing the master boot record.

From the Recovery Console, type in fixmbr.
Exit, reboot and see what happens.

If this doesn't work, you're looking at a repair install of Windows.
  • 0
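As an added illustration of what a defender checks around the fixmbr step above (example code written for this thread, not a tool used in it): fixmbr rewrites only the 446 bytes of boot code in sector 0, so the script below hashes that code, verifies the 0x55AA signature, reads the partition table, and scans the unallocated sectors between the MBR and the first partition for a parked PE image, the kind of finding mbr.exe reports later in the thread as "PE file found in sector". The disk image is constructed inline (placeholder boot code, one XP-style partition at LBA 63, a fake PE at LBA 40), and the gap-scan heuristic is my own, not mbr.exe's algorithm.

```python
"""Inspect a raw disk image for an MBR rootkit's footprint: checksum the MBR boot
code and look for PE images parked in the unallocated sectors between the MBR
and the first partition."""
import hashlib
import struct

SECTOR = 512
MBR_CODE_LEN = 446          # boot code precedes the partition table
PART_TABLE_OFF = 446        # four 16-byte partition entries follow
BOOT_SIG = 0xAA55           # bytes 0x55 0xAA at offset 510, little-endian


def parse_mbr(sector0: bytes) -> dict:
    """Return the boot-code hash, the signature check and the used partition entries."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    sig_ok = struct.unpack_from("<H", sector0, 510)[0] == BOOT_SIG
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector0[off], sector0[off + 4]
        lba_start, num_sectors = struct.unpack_from("<II", sector0, off + 8)
        if ptype != 0:                       # type 0 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": num_sectors})
    return {"boot_code_sha256": hashlib.sha256(sector0[:MBR_CODE_LEN]).hexdigest(),
            "signature_ok": sig_ok, "partitions": partitions}


def looks_like_pe(image: bytes, offset: int) -> bool:
    """True if a DOS 'MZ' header at offset has an e_lfanew that points at the PE signature."""
    if image[offset:offset + 2] != b"MZ" or offset + 0x40 > len(image):
        return False
    e_lfanew = struct.unpack_from("<I", image, offset + 0x3C)[0]
    pe_off = offset + e_lfanew
    # Sanity bound on e_lfanew so random data rarely passes
    return 0x40 <= e_lfanew < 0x1000 and image[pe_off:pe_off + 4] == b"PE\x00\x00"


def find_pe_in_gap(image: bytes) -> list:
    """Sector numbers (LBA) between the MBR and the first partition that hold a PE image.
    fixmbr does not touch these sectors, so a rootkit body parked here survives it."""
    mbr = parse_mbr(image[:SECTOR])
    if not mbr["partitions"]:
        return []
    first_lba = min(p["lba_start"] for p in mbr["partitions"])
    hits = []
    for lba in range(1, min(first_lba, len(image) // SECTOR)):
        if looks_like_pe(image, lba * SECTOR):
            hits.append(lba)
    return hits


def build_sample_image() -> bytes:
    """Constructed 64-sector image: one bootable partition at LBA 63 and a fake PE at LBA 40."""
    img = bytearray(64 * SECTOR)
    # Placeholder boot code, not a real boot sector
    img[0:MBR_CODE_LEN] = b"\x33\xc0\x8e\xd0" + b"\x90" * (MBR_CODE_LEN - 4)
    # status, CHS start (3), type, CHS end (3), LBA start, sector count
    struct.pack_into("<BBBBBBBBII", img, PART_TABLE_OFF,
                     0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 64 * 1024)
    struct.pack_into("<H", img, 510, BOOT_SIG)
    pe = 40 * SECTOR
    img[pe:pe + 2] = b"MZ"
    struct.pack_into("<I", img, pe + 0x3C, 0x80)        # e_lfanew
    img[pe + 0x80:pe + 0x84] = b"PE\x00\x00"
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    info = parse_mbr(sample[:SECTOR])
    print("boot code sha256:", info["boot_code_sha256"][:16], "... signature ok:", info["signature_ok"])
    for lba in find_pe_in_gap(sample):
        print(f"PE file found in sector {lba} (first partition starts at LBA "
              f"{info['partitions'][0]['lba_start']})")
```

On a real machine you would feed the script the first few thousand sectors of the physical disk and compare the boot-code hash before and after fixmbr.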

#27
clxskeeg
    Member
  • Topic Starter
  • Member
  • 60 posts
The fix MBR thing seems to have worked, the system booted up to the welcome page with the user account listed, although the second new user account I made to help with the browser crashes is not shown. But I seem to be in a loop, I can't get past the welcome page with the user account, but when I click on the user account, a box comes up with a red X and says

This copy of Windows must be activated with Microsoft before you can log on. Do you want to activate Windows now?

But when you click yes it goes back to the welcome page and wants you to click on a turn off the computer button in the lower left, but if you turn it off or restart, it just brings you back to the welcome page with user log in. And I did try this with the computer connected to the Internet through the modem, it did not make things different, still same loop. Apparently I can't get this Windows "activated". And this loop situation does not give any box or fields to type in any codes or keys.

I have got the F8 button back, but I tried to boot with Last Known Good Configuration, and I still get the activation loop.

Well, I tried booting to safe mode (not with networking), and I have the desktop open (so I think the data is still intact). I have the start button and I can get the "Run" box for commands and edits. Can we fix the activation problem from here? I do have a Microsoft XP disk with holograms and product keys.

Edited by clxskeeg, 05 May 2010 - 09:19 PM.

  • 0

#28
ldtate
    Malware Expert
  • Expert
  • 1,874 posts
  • MVP
Open Task Manager (Ctrl/Alt/Del keys) > at the top left, click File > New Task > copy/paste this in or type it in:
c:\windows\system32\restore
Double click on: rstrui.exe
Run it and find a date the PC worked.

Restart PC


If that doesn't work:
Call MS and see what they can do about the activation issue.
If they can't help, I'll see what we can do on our end when I get home from work today.

This is a free service and toll-free call.

1-866-PCSAFETY
or
1-866-727-2338
It is available 24 hours a day for the U.S. and Canada.

For support outside the United States and Canada, please contact your Microsoft Help and Support worldwide. Go to this page and choose your region from the box in the upper right corner: http://support.micro...pr=SecurityHome
  • 0

#29
clxskeeg
    Member
  • Topic Starter
  • Member
  • 60 posts
Well, I think the problem is solved for now. I got to the system restore and restored to the day just before I did the ComboFix. On reboot, the system did get through to a page where the activation could be started over the phone. I had some trouble initially with secure pages and log-ins because the registry fix threw the computer clock way off; when I fixed this everything smoothed out. I did the 3 scans with MBAM, GMER, OTL, and 1 more with MBR.exe. They are all pasted below. They look clean (I guess) except way down at the bottom, this line:

PE file found in sector at 0x012A18AC1 !

I don't know if that is a warning or what.



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/6/2010 10:23:37 AM
mbam-log-2010-05-06 (10-23-37).txt

Scan type: Quick scan
Objects scanned: 135712
Time elapsed: 11 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-06 10:40:46
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\fixer\LOCALS~1\Temp\ugldrpob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF83CF8AC]
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xF83CF812]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@DllName %SystemRoot%\System32\dimsntfy.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Startup WlDimsStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Shutdown WlDimsShutdown
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Logon WlDimsLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Logoff WlDimsLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@StartShell WlDimsStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Lock WlDimsLock
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Unlock WlDimsUnlock

---- EOF - GMER 1.0.15 ----

OTL logfile created on: 5-6-2010 10:47:55 AM - Run 3
OTL by OldTimer - Version 3.2.3.0 Folder = C:\Documents and Settings\fixer\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

703.00 Mb Total Physical Memory | 427.00 Mb Available Physical Memory | 61.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): c:\pagefile.sys 1056 2112 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 72.65 Gb Total Space | 2.13 Gb Free Space | 2.94% Space Free | Partition Type: FAT32
Drive D: | 73.43 Gb Total Space | 9.50 Gb Free Space | 12.94% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
Drive F: | 564.72 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ACER
Current User Name: fixer
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010-04-27 10:19:24 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\fixer\Desktop\OTL.exe
PRC - [2010-04-26 17:35:24 | 000,238,832 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
PRC - [2010-04-26 17:35:24 | 000,230,664 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
PRC - [2010-04-26 17:35:22 | 000,214,256 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
PRC - [2010-04-26 17:35:22 | 000,177,392 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
PRC - [2008-07-07 08:15:18 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2008-04-14 12:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007-06-11 05:25:42 | 006,731,312 | ---- | M] (GRISOFT s.r.o.) -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
PRC - [2007-05-30 08:31:10 | 000,312,880 | ---- | M] (GRISOFT s.r.o.) -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
PRC - [2007-04-23 11:36:06 | 000,144,960 | ---- | M] (Computer Associates International, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
PRC - [2006-11-03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2005-06-20 09:03:24 | 000,352,256 | ---- | M] (acer Inc.) -- C:\Program Files\acer\eRecovery\Monitor.exe
PRC - [2005-06-07 20:31:32 | 000,077,824 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe
PRC - [2005-06-01 14:23:46 | 000,442,368 | ---- | M] (Acer Inc.) -- C:\Program Files\acer\Acer eConsole\MediaServerService.exe
PRC - [2005-05-13 12:57:00 | 000,143,360 | ---- | M] (S3 Graphics Co., Ltd.) -- C:\WINDOWS\system32\VTTrayp.exe
PRC - [2005-05-13 12:57:00 | 000,053,248 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\VTTimer.exe


========== Modules (SafeList) ==========

MOD - [2010-04-27 10:19:24 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\fixer\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010-04-26 17:35:24 | 000,238,832 | ---- | M] (CA, Inc.) [Auto | Running] -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe -- (VETMSGNT)
SRV - [2010-04-26 17:35:22 | 000,214,256 | ---- | M] (CA, Inc.) [On_Demand | Running] -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe -- (CaCCProvSP)
SRV - [2008-07-07 08:15:18 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2007-05-30 08:31:10 | 000,312,880 | ---- | M] (GRISOFT s.r.o.) [Auto | Running] -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe -- (AVG Anti-Spyware Guard)
SRV - [2007-04-23 11:36:06 | 000,144,960 | ---- | M] (Computer Associates International, Inc.) [Auto | Running] -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe -- (CAISafe)
SRV - [2006-11-03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2005-06-01 14:23:46 | 000,442,368 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Program Files\acer\Acer eConsole\MediaServerService.exe -- (Acer Media Server)


========== Driver Services (SafeList) ==========

DRV - [2010-04-26 19:14:52 | 000,739,696 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\vetefile.sys -- (VETEFILE)
DRV - [2010-04-26 19:14:52 | 000,133,520 | ---- | M] (Computer Associates International, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\veteboot.sys -- (VETEBOOT)
DRV - [2010-04-26 17:35:24 | 000,032,240 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\vetmonnt.sys -- (VETMONNT)
DRV - [2010-04-26 17:35:24 | 000,021,488 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\vetfddnt.sys -- (VETFDDNT)
DRV - [2010-04-26 17:35:24 | 000,021,104 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\vet-rec.sys -- (VET-REC)
DRV - [2010-04-26 17:35:22 | 000,026,352 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\vet-filt.sys -- (VET-FILT)
DRV - [2008-02-27 13:49:00 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2008-02-25 12:54:56 | 000,105,088 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2007-05-30 08:10:42 | 000,011,000 | ---- | M] () [Kernel | System | Running] -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys -- (AVG Anti-Spyware Driver)
DRV - [2007-05-30 08:10:42 | 000,010,872 | ---- | M] (GRISOFT, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AvgAsCln.sys -- (AvgAsCln)
DRV - [2007-04-16 21:46:00 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2005-10-17 14:03:14 | 000,006,144 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV - [2005-06-07 20:31:30 | 002,319,680 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005-03-21 11:00:24 | 000,004,096 | ---- | M] (SuperAdBlocker.com) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\sabprocenum.sys -- (SABProcEnum)
DRV - [2005-02-23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2005-01-13 14:46:16 | 000,069,632 | ---- | M] () [Kernel | Auto | Running] -- C:\Program Files\acer\eRecovery\int15.sys -- (int15.sys)
DRV - [2004-12-17 17:14:44 | 000,013,952 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\UBHelper.sys -- (UBHelper)
DRV - [2003-07-02 04:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys -- (viaagp1)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.9
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {35106bca-6c78-48c7-ac28-56df30b51d2a}:1.3.8
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.71

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2008-11-08 20:25:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2008-11-08 20:25:32 | 000,000,000 | ---D | M]

[2010-04-27 07:11:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\fixer\Application Data\Mozilla\Extensions
[2010-04-27 07:11:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\fixer\Application Data\Mozilla\Firefox\Profiles\gdqbvssn.default\extensions
[2010-04-27 16:48:22 | 000,000,000 | ---D | M] (Linkification) -- C:\Documents and Settings\fixer\Application Data\Mozilla\Firefox\Profiles\gdqbvssn.default\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}
[2010-04-30 23:06:42 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\fixer\Application Data\Mozilla\Firefox\Profiles\gdqbvssn.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010-04-30 23:06:44 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\fixer\Application Data\Mozilla\Firefox\Profiles\gdqbvssn.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010-04-27 15:01:54 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\fixer\Application Data\Mozilla\Firefox\Profiles\gdqbvssn.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2008-11-08 20:25:32 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010-05-03 00:35:10 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

O1 HOSTS File: ([2008-11-01 08:36:28 | 000,258,369 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 8983 more lines...
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - No CLSID value found.
O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll ()
O4 - HKLM..\Run: [!AVG Anti-Spyware] C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (GRISOFT s.r.o.)
O4 - HKLM..\Run: [CAVRID] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe (CA, Inc.)
O4 - HKLM..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe (CA, Inc.)
O4 - HKLM..\Run: [Cmaudio] File not found
O4 - HKLM..\Run: [eRecoveryService] C:\Program Files\acer\eRecovery\Monitor.exe (acer Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [VTTrayp] C:\WINDOWS\System32\VTTrayp.exe (S3 Graphics Co., Ltd.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 227
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRemoteRecursiveEvents = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O9 - Extra Button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll ()
O9 - Extra 'Tools' menuitem : Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1158766737609 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1163900908375 (MUWebControl Class)
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} http://www3.ca.com/s...nfo/webscan.cab (WScanCtl Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadbl...ivex/sabspx.cab (SABScanProcesses Class)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O16 - DPF: vzTCPConfig Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - Reg Error: Key error. - Reg Error: Key error. File not found
O20 - Winlogon\Notify\origami: DllName - C:\WINDOWS\system32\hlolink.dll - C:\WINDOWS\System32\hlolink.dll File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {57B86673-276A-48B2-BAE7-C6DBB3020EB8} - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (GRISOFT s.r.o.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005-10-17 14:03:44 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2008-04-14 08:00:00 | 000,000,110 | R--- | M] () - F:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005-10-17 13:40:32 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17183584330711040)

========== Files/Folders - Created Within 90 Days ==========

[2010-05-03 19:52:35 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010-05-03 09:18:06 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Calculator Plus
[2010-05-03 07:54:57 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010-05-03 07:03:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Desktop\desktop texts
[2010-05-03 00:40:18 | 000,000,000 | ---D | C] -- C:\Program Files\CATHY
[2010-05-03 00:35:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010-05-03 00:35:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010-05-03 00:34:48 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010-04-29 14:14:10 | 000,000,000 | ---D | C] -- C:\Program Files\AVI MPEG RM WMV Joiner
[2010-04-29 14:13:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Desktop\Boilsoft_-_Splitter___Joiner
[2010-04-28 15:10:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Application Data\AdobeUM
[2010-04-28 15:10:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Local Settings\Application Data\Adobe
[2010-04-28 15:10:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\My Documents\My eBooks
[2010-04-28 14:41:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Local Settings\Application Data\Ahead
[2010-04-28 09:43:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Desktop\LOGS&TEXTS
[2010-04-27 22:06:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Application Data\WinRAR
[2010-04-27 20:38:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Application Data\Sun
[2010-04-27 20:07:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Application Data\uTorrent
[2010-04-27 16:40:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Application Data\Ahead
[2010-04-27 13:40:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Application Data\vlc
[2010-04-27 12:46:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Local Settings\Application Data\Identities
[2010-04-27 11:24:13 | 000,257,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\fixer\Desktop\OTH.scr
[2010-04-27 11:16:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Application Data\Malwarebytes
[2010-04-27 10:19:24 | 000,563,712 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\fixer\Desktop\OTL.exe
[2010-04-27 09:55:38 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\fixer\Desktop\TFC.exe
[2010-04-27 07:49:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\My Documents\Downloads
[2010-04-27 07:19:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Application Data\Real
[2010-04-27 07:19:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Application Data\Media Player Classic
[2010-04-27 07:12:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Application Data\Macromedia
[2010-04-27 07:12:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Application Data\Adobe
[2010-04-27 07:11:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Local Settings\Application Data\Mozilla
[2010-04-27 07:11:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Application Data\Mozilla
[2010-04-27 07:00:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Local Settings\Application Data\ApplicationHistory
[2010-04-27 06:44:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Application Data\Grisoft
[2010-04-27 06:42:25 | 000,000,000 | --SD | C] -- C:\Documents and Settings\fixer\Application Data\Microsoft
[2010-04-27 06:42:25 | 000,000,000 | --SD | C] -- C:\Documents and Settings\fixer\Cookies
[2010-04-27 06:42:25 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\fixer\SendTo
[2010-04-27 06:42:25 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\fixer\Recent
[2010-04-27 06:42:25 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\fixer\Application Data
[2010-04-27 06:42:25 | 000,000,000 | R--D | C] -- C:\Documents and Settings\fixer\Start Menu
[2010-04-27 06:42:25 | 000,000,000 | R--D | C] -- C:\Documents and Settings\fixer\My Documents\My Pictures
[2010-04-27 06:42:25 | 000,000,000 | R--D | C] -- C:\Documents and Settings\fixer\My Documents\My Music
[2010-04-27 06:42:25 | 000,000,000 | R--D | C] -- C:\Documents and Settings\fixer\My Documents
[2010-04-27 06:42:25 | 000,000,000 | R--D | C] -- C:\Documents and Settings\fixer\Favorites
[2010-04-27 06:42:25 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\fixer\IETldCache
[2010-04-27 06:42:25 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\fixer\Templates
[2010-04-27 06:42:25 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\fixer\PrintHood
[2010-04-27 06:42:25 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\fixer\NetHood
[2010-04-27 06:42:25 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\fixer\Local Settings
[2010-04-27 06:42:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\WINDOWS
[2010-04-27 06:42:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Application Data\Symantec
[2010-04-27 06:42:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Local Settings\Application Data\Microsoft
[2010-04-27 06:42:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Application Data\Identities
[2010-04-27 06:42:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fixer\Desktop
[2010-04-27 06:31:03 | 000,000,000 | ---D | C] -- C:\Program Files\VIA
[2010-04-26 23:32:27 | 000,000,000 | ---D | C] -- C:\Program Files\Realtek Sound Manager
[2010-04-26 21:19:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\windowspowershell
[2010-04-26 19:30:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2010-04-26 19:30:08 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2010-04-26 19:30:01 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2010-04-26 18:57:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2010-04-26 17:35:28 | 000,739,696 | ---- | C] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vetefile.sys
[2010-04-26 17:35:28 | 000,133,520 | ---- | C] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\veteboot.sys
[42 C:\WINDOWS\Fonts\*.tmp files -> C:\WINDOWS\Fonts\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010-05-06 11:11:42 | 004,456,448 | ---- | M] () -- C:\Documents and Settings\fixer\ntuser.dat
[2010-05-06 09:59:56 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010-05-06 09:41:36 | 000,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010-05-06 09:40:44 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\eRLog.ini
[2010-05-06 09:39:24 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010-05-06 09:39:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010-05-06 09:39:00 | 737,726,464 | -HS- | M] () -- C:\hiberfil.sys
[2010-05-06 09:39:00 | 000,171,488 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010-05-06 09:38:04 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\fixer\ntuser.ini
[2010-05-02 23:59:52 | 737,755,136 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2010-05-02 18:01:32 | 000,010,240 | ---- | M] () -- C:\Documents and Settings\fixer\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-05-02 17:58:58 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010-04-29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010-04-29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010-04-29 14:14:14 | 000,000,601 | ---- | M] () -- C:\Documents and Settings\fixer\Desktop\AVI MPEG RM WMV Joiner.lnk
[2010-04-29 00:37:40 | 000,000,031 | ---- | M] () -- C:\Documents and Settings\fixer\Desktop\rapidsharehack.bat
[2010-04-28 18:05:42 | 000,000,296 | ---- | M] () -- C:\Documents and Settings\fixer\Desktop\Shortcut to eBay_photos.lnk
[2010-04-28 05:47:12 | 000,526,522 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010-04-27 22:54:54 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010-04-27 16:42:12 | 000,000,098 | ---- | M] () -- C:\Documents and Settings\fixer\default.pls
[2010-04-27 13:02:12 | 000,705,736 | ---- | M] () -- C:\Documents and Settings\fixer\Desktop\desktop texts.zip
[2010-04-27 11:24:16 | 000,257,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\fixer\Desktop\OTH.scr
[2010-04-27 11:16:10 | 000,000,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010-04-27 10:19:24 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\fixer\Desktop\OTL.exe
[2010-04-27 10:09:18 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\fixer\Desktop\gmer.zip
[2010-04-27 09:55:40 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\fixer\Desktop\TFC.exe
[2010-04-27 08:23:32 | 000,000,564 | ---- | M] () -- C:\Documents and Settings\fixer\Desktop\Shortcut to Downloads.lnk
[2010-04-27 07:58:44 | 000,000,484 | ---- | M] () -- C:\Documents and Settings\fixer\Desktop\fix.reg
[2010-04-27 07:49:20 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\fixer\Desktop\mbr.exe
[2010-04-27 07:07:24 | 000,000,006 | ---- | M] () -- C:\ISACER.ID
[2010-04-27 01:57:58 | 000,001,510 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010-04-27 00:10:14 | 000,001,427 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AvRack.lnk
[2010-04-26 19:14:52 | 000,739,696 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vetefile.sys
[2010-04-26 19:14:52 | 000,133,520 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\veteboot.sys
[2010-04-26 17:35:24 | 000,032,240 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vetmonnt.sys
[2010-04-26 17:35:24 | 000,021,488 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vetfddnt.sys
[2010-04-26 17:35:24 | 000,021,104 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vet-rec.sys
[2010-04-26 17:35:22 | 000,026,352 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vet-filt.sys

========== Files Created - No Company Name ==========

[2010-05-03 07:02:53 | 000,705,736 | ---- | C] () -- C:\Documents and Settings\fixer\Desktop\desktop texts.zip
[2010-05-03 01:34:39 | 004,456,448 | ---- | C] () -- C:\Documents and Settings\fixer\ntuser.dat
[2010-04-29 14:14:13 | 000,000,601 | ---- | C] () -- C:\Documents and Settings\fixer\Desktop\AVI MPEG RM WMV Joiner.lnk
[2010-04-29 00:37:39 | 000,000,031 | ---- | C] () -- C:\Documents and Settings\fixer\Desktop\rapidsharehack.bat
[2010-04-28 18:05:46 | 000,000,296 | ---- | C] () -- C:\Documents and Settings\fixer\Desktop\Shortcut to eBay_photos.lnk
[2010-04-27 16:42:11 | 000,000,098 | ---- | C] () -- C:\Documents and Settings\fixer\default.pls
[2010-04-27 13:23:28 | 000,010,240 | ---- | C] () -- C:\Documents and Settings\fixer\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-04-27 10:09:15 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\fixer\Desktop\gmer.zip
[2010-04-27 08:23:30 | 000,000,564 | ---- | C] () -- C:\Documents and Settings\fixer\Desktop\Shortcut to Downloads.lnk
[2010-04-27 07:58:42 | 000,000,484 | ---- | C] () -- C:\Documents and Settings\fixer\Desktop\fix.reg
[2010-04-27 07:49:22 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\fixer\Desktop\mbr.exe
[2010-04-27 07:21:14 | 000,000,281 | ---- | C] () -- C:\Documents and Settings\fixer\Desktop\Shortcut to 001-BURN.lnk
[2010-04-27 06:42:24 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\fixer\ntuser.dat.LOG
[2010-04-27 06:42:24 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\fixer\ntuser.ini
[2010-04-27 00:10:07 | 000,000,164 | R--- | C] () -- C:\WINDOWS\avrack.ini
[2010-04-26 23:32:27 | 000,001,427 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AvRack.lnk
[2010-04-26 23:30:54 | 000,000,006 | ---- | C] () -- C:\ISACER.ID
[2010-04-26 19:11:10 | 000,001,374 | ---- | C] () -- C:\WINDOWS\System32\wpa.bak
[2008-11-08 19:58:04 | 000,000,082 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008-04-05 20:07:57 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008-04-05 20:07:55 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2007-11-30 23:03:11 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2007-08-19 11:29:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\eRLog.ini
[2007-08-18 10:12:29 | 000,077,312 | ---- | C] () -- C:\WINDOWS\ua2.dll
[2007-05-27 18:06:52 | 000,000,165 | ---- | C] () -- C:\WINDOWS\kpcms.ini
[2007-05-27 18:06:50 | 000,006,144 | ---- | C] () -- C:\WINDOWS\System32\ImgLibLead.dll
[2007-05-27 18:06:49 | 000,100,864 | ---- | C] () -- C:\WINDOWS\System32\Dc50ip32.dll
[2007-02-22 10:34:35 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\cygz.dll
[2006-11-25 21:09:58 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\libssl32.dll
[2006-10-12 23:36:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Jcmkr32.INI
[2006-09-20 13:10:59 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2006-09-20 12:18:50 | 000,000,029 | ---- | C] () -- C:\WINDOWS\CDMKR32.INI
[2006-09-17 19:08:56 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006-05-10 14:26:26 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2006-05-10 12:50:04 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2006-05-10 12:45:27 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPCX3800.ini
[2006-04-16 16:37:15 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2005-10-17 14:29:06 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005-10-17 14:04:04 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
[2005-10-17 14:03:16 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2005-10-17 14:03:16 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
[2005-10-17 14:03:16 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIFCD3.dll
[2005-10-17 14:03:16 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
[2005-10-17 13:59:16 | 000,156,672 | R--- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005-10-17 13:54:34 | 000,008,073 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005-10-17 13:48:30 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005-10-17 13:39:11 | 000,022,040 | ---- | C] () -- C:\WINDOWS\System32\_004683_.tmp.dll
[2005-10-17 13:39:03 | 000,249,270 | ---- | C] () -- C:\WINDOWS\System32\_004715_.tmp.dll
[2005-03-01 15:30:20 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2004-12-17 17:14:44 | 000,013,952 | ---- | C] () -- C:\WINDOWS\System32\drivers\UBHelper.sys
[2004-03-18 18:40:32 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2004-03-18 18:40:24 | 000,667,648 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2003-02-18 18:26:28 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2001-12-26 16:12:30 | 000,065,536 | R--- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001-09-03 23:46:38 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001-07-30 16:33:56 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001-07-23 22:04:36 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
[1980-01-01 00:00:00 | 000,000,083 | ---- | C] () -- C:\WINDOWS\ALaunch.ini

========== LOP Check ==========

[2007-02-20 12:12:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2007-06-18 00:11:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2007-09-28 12:09:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
[2008-10-11 19:33:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2010-04-27 06:44:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\fixer\Application Data\Grisoft
[2010-04-27 20:07:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\fixer\Application Data\uTorrent
[2010-05-06 09:59:56 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2005-10-17 14:30:30 | 000,000,076 | RHS- | M] () -- C:\PRELOAD.AAA
[2010-05-06 09:39:00 | 1106,485,248 | -HS- | M] () -- C:\pagefile.sys
[2007-09-28 12:12:54 | 000,012,559 | ---- | M] () -- C:\caisslog.txt
[2010-05-06 09:39:00 | 737,726,464 | -HS- | M] () -- C:\hiberfil.sys
[2008-11-22 10:09:00 | 000,000,282 | -HS- | M] () -- C:\boot.ini
[2010-04-27 07:07:24 | 000,000,006 | ---- | M] () -- C:\ISACER.ID
[2005-10-17 13:51:06 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2005-10-17 14:03:44 | 000,000,050 | ---- | M] () -- C:\AUTOEXEC.BAT
[2005-10-17 13:51:06 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2005-10-17 13:51:06 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008-04-05 19:33:54 | 064,045,056 | ---- | M] () -- C:\bb.mpg
[2007-02-09 13:27:20 | 000,006,172 | ---- | M] () -- C:\caavsetup.log
[2006-06-28 19:40:08 | 000,007,417 | ---- | M] () -- C:\threatalerts.txt
[2006-06-28 19:40:08 | 000,000,430 | ---- | M] () -- C:\f114ece6-22ef-4da5-9128-6e38f5840260.cab
[2008-11-01 05:48:08 | 000,259,299 | ---- | M] () -- C:\rapport.txt
[2010-05-06 10:11:24 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2006-10-26 10:37:26 | 000,000,000 | ---- | M] () -- C:\sms.7
[2006-10-26 10:37:26 | 000,000,000 | ---- | M] () -- C:\sms.8
[2006-10-26 10:37:26 | 000,000,000 | ---- | M] () -- C:\sms.9
[2006-10-26 10:38:02 | 000,000,000 | ---- | M] () -- C:\sms.c
[2007-09-28 12:09:20 | 000,035,699 | ---- | M] () -- C:\caavsetupLog.txt
[2007-01-13 10:41:42 | 000,000,000 | ---- | M] () -- C:\s3a4.4
[2007-01-13 10:41:44 | 000,000,000 | ---- | M] () -- C:\s3a4.7
[2007-01-13 10:41:44 | 000,000,000 | ---- | M] () -- C:\s3a4.8
[2007-01-13 10:41:46 | 000,000,000 | ---- | M] () -- C:\s3a4.9
[2007-01-13 10:41:46 | 000,000,000 | ---- | M] () -- C:\s3a4.a
[2007-01-13 10:41:46 | 000,000,000 | ---- | M] () -- C:\s3a4.b
[2007-01-13 10:41:46 | 000,000,000 | ---- | M] () -- C:\s3a4.c
[2007-06-09 21:29:02 | 000,001,766 | ---- | M] () -- C:\avenger.txt
[2004-08-03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2007-02-22 10:42:24 | 000,000,063 | ---- | M] () -- C:\avone.ini
[2008-08-08 11:01:30 | 000,259,690 | ---- | M] () -- C:\r0a1p7p0o5rt.txt
[2008-11-01 05:36:56 | 000,001,878 | ---- | M] () -- C:\rapport11-1.txt
[2008-11-01 05:41:16 | 000,259,298 | ---- | M] () -- C:\rapport11-1a.txt
[2008-11-01 05:46:52 | 000,001,878 | ---- | M] () -- C:\rapport11-1safe.txt
[2008-11-01 05:49:00 | 000,259,296 | ---- | M] () -- C:\rapport11-1a-safe.txt
[2008-04-19 14:11:40 | 000,000,211 | -HS- | M] () -- C:\Boot.bak
[2008-04-14 12:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008-04-14 12:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008-11-09 17:52:42 | 002,072,576 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
[2008-11-09 17:52:42 | 017,039,360 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008-11-09 17:52:42 | 003,026,944 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008-11-09 17:38:20 | 000,049,152 | ---- | M] () -- C:\WINDOWS\system32\config\security.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010-02-11 08:02:16 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys
[2010-04-26 19:14:52 | 000,739,696 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\system32\drivers\vetefile.sys
[2010-04-26 17:35:22 | 000,026,352 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\system32\drivers\vet-filt.sys
[2010-02-24 09:11:08 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2010-04-26 17:35:24 | 000,021,104 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\system32\drivers\vet-rec.sys
[2010-04-29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010-04-26 17:35:24 | 000,021,488 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\system32\drivers\vetfddnt.sys
[2010-04-29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010-04-26 17:35:24 | 000,032,240 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\system32\drivers\vetmonnt.sys
[2010-04-26 19:14:52 | 000,133,520 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\system32\drivers\veteboot.sys
< End of report >
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
PE file found in sector at 0x012A18AC1 !
MBAM log GMER log OTL log MBR log

Edited by clxskeeg, 06 May 2010 - 10:29 AM.

  • 0

#30
ldtate

ldtate

    Malware Expert

  • Expert
  • 1,874 posts
  • MVP
I will look through the scans in about 4 hrs.

I do see that we need to do something about the O1 HOSTS File.
  • 0
