Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Win32/Sality.T and possible variants.


  • Please log in to reply

#1
umrahel

umrahel

    New Member

  • Member
  • Pip
  • 1 posts
Hi,

First of all thank you guys for this website. I'm having serious network problems, connection time outs to facebook, very high ping times in MMOs. I'm pretty sure it's Sality since I've used f4ck sality and sality killer tools and have edited the registry, but whatever I do malware seems to comeback again.

And top of it all this problem's happening on a 30 XP based network. I'm hoping some expert will lead me in the right direction since I'm at a loss what to do to get rid of this cancer. Keep in mind Faronics' Deep Freeze was installed on the network.

Below OTL log one of the infected PCs,


OTL logfile created on: 11.03.2014 14:39:38 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000041F | Country: Türkiye | Language: TRK | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 1,52 Gb Available Physical Memory | 76,22% Memory free
3,85 Gb Paging File | 3,55 Gb Available in Paging File | 92,17% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 152,59 Gb Total Space | 83,66 Gb Free Space | 54,83% Space Free | Partition Type: NTFS
Drive D: | 313,17 Gb Total Space | 132,15 Gb Free Space | 42,20% Space Free | Partition Type: NTFS

Computer Name: FORM27 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2014.03.11 14:36:07 | 002,271,232 | ---- | M] () -- C:\WINDOWS\system32\asinjsvc32.exe
PRC - [2014.03.11 14:35:59 | 000,207,360 | ---- | M] () -- C:\Program Files\AKINSOFT\Cplus9\Client9\ckserver.exe
PRC - [2014.03.11 14:35:49 | 000,349,696 | ---- | M] (Hyper Technologies Inc.) -- C:\Program Files\HyperTechnologies\Deep Freeze\_$Df\FrzState.exe
PRC - [2014.03.04 17:02:15 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.com
PRC - [2014.02.27 14:06:13 | 000,516,608 | ---- | M] () -- C:\Program Files\AKINSOFT\Cplus9\Client9\cplusinject.exe
PRC - [2013.12.18 21:05:43 | 000,182,696 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2013.06.12 22:15:14 | 004,409,856 | ---- | M] () -- C:\AKINSOFT\CafePlusFilter1\cafeplusfilter.exe
PRC - [2013.06.12 22:14:40 | 000,521,728 | ---- | M] () -- C:\AKINSOFT\CafePlusFilter1\cafeplusfilterinject.exe
PRC - [2009.11.18 14:23:36 | 006,516,736 | ---- | M] () -- C:\Program Files\AKINSOFT\Cplus9\Client9\CplusC.exe
PRC - [2009.04.02 17:07:26 | 001,766,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2002.09.20 14:27:26 | 000,271,360 | ---- | M] (Hyper Technologies Inc.) -- C:\Program Files\HyperTechnologies\Deep Freeze\DFServEx.exe


========== Modules (No Company Name) ==========

MOD - [2014.03.11 14:36:08 | 000,287,232 | ---- | M] () -- C:\WINDOWS\system32\akinsofthook32.dll
MOD - [2014.03.11 14:36:07 | 002,271,232 | ---- | M] () -- C:\WINDOWS\system32\asinjsvc32.exe
MOD - [2014.03.11 14:35:59 | 000,207,360 | ---- | M] () -- C:\Program Files\AKINSOFT\Cplus9\Client9\ckserver.exe
MOD - [2014.03.11 14:35:58 | 000,028,672 | ---- | M] () -- C:\Program Files\AKINSOFT\Cplus9\Client9\dllworks.dll
MOD - [2014.03.11 14:35:58 | 000,016,415 | ---- | M] () -- C:\Program Files\AKINSOFT\Cplus9\Client9\keylock.dll
MOD - [2014.02.27 14:06:13 | 000,516,608 | ---- | M] () -- C:\Program Files\AKINSOFT\Cplus9\Client9\cplusinject.exe
MOD - [2013.06.12 22:15:14 | 004,409,856 | ---- | M] () -- C:\AKINSOFT\CafePlusFilter1\cafeplusfilter.exe
MOD - [2013.06.12 22:14:40 | 000,521,728 | ---- | M] () -- C:\AKINSOFT\CafePlusFilter1\cafeplusfilterinject.exe
MOD - [2009.11.18 14:23:36 | 006,516,736 | ---- | M] () -- C:\Program Files\AKINSOFT\Cplus9\Client9\CplusC.exe
MOD - [2009.02.11 23:30:02 | 000,190,976 | ---- | M] () -- C:\WINDOWS\system32\WgaLogon.dll
MOD - [2008.09.16 19:18:06 | 000,132,608 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2002.09.20 14:30:44 | 000,049,152 | ---- | M] () -- C:\WINDOWS\system32\LogonDll.dll


========== Services (SafeList) ==========

SRV - [2014.03.11 14:36:07 | 002,271,232 | ---- | M] () [On_Demand | Running] -- C:\WINDOWS\system32\asinjsvc32.exe -- (akinsofthookinjectionservice)
SRV - [2014.02.27 14:06:13 | 000,516,608 | ---- | M] () [Auto | Running] -- C:\Program Files\AKINSOFT\Cplus9\Client9\cplusinject.exe -- (CafePlusServiceMain)
SRV - [2013.12.18 21:05:43 | 000,182,696 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2013.07.25 08:10:04 | 000,162,672 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2013.06.12 22:14:40 | 000,521,728 | ---- | M] () [Auto | Running] -- C:\AKINSOFT\CafePlusFilter1\cafeplusfilterinject.exe -- (CafePlusFilterServiceMain)
SRV - [2002.09.20 14:27:26 | 000,271,360 | ---- | M] (Hyper Technologies Inc.) [Auto | Running] -- C:\Program Files\HyperTechnologies\Deep Freeze\DFServEx.exe -- (DFServEx)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\XDva407.sys -- (XDva407)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\XDva405.sys -- (XDva405)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\XDva402.sys -- (XDva402)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\XDva401.sys -- (XDva401)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\XDva400.sys -- (XDva400)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\XDva399.sys -- (XDva399)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\XDva394.sys -- (XDva394)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\XDva393.sys -- (XDva393)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EagleXNt.sys -- (EagleXNt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EagleNT.sys -- (EagleNT)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\KURULU OYUNLAR\Knight Online\APR.sys -- (APR)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\SoftnyxGame\WolfTeamTS\apf001.sys -- (apf001)
DRV - [2014.03.11 14:36:06 | 000,002,560 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mchInjDrv.sys -- (mchInjDrv)
DRV - [2013.12.26 14:44:50 | 000,243,128 | ---- | M] (Disc Soft Ltd) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV - [2009.10.21 16:28:42 | 005,934,592 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2009.09.04 07:46:08 | 000,045,056 | R--- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1c51x86.sys -- (L1c)
DRV - [2008.08.05 14:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2006.02.26 17:02:48 | 000,005,810 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2006.01.04 09:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2002.09.20 14:28:48 | 000,012,288 | ---- | M] (HyperTechnologies Inc.) [File_System | Boot | Running] -- C:\WINDOWS\System32\drivers\DepFrzHi.sys -- (DepFrzHi)
DRV - [2002.09.20 14:28:28 | 000,053,605 | ---- | M] (Hyper Technologies Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\DepFrzLo.sys -- (DepFrzLo)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope = {C334D475-FE3C-45DC-B362-B3F32F7B5843}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{C334D475-FE3C-45DC-B362-B3F32F7B5843}: "URL" = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "google.com"
FF - prefs.js..browser.search.selectedEngine: "google.com"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledAddons: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledAddons: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledAddons: {CAFEEFAC-0016-0000-0034-ABCDEFFEDCBA}:6.0.34
FF - prefs.js..extensions.enabledAddons: {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}:6.0.38
FF - prefs.js..extensions.enabledAddons: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.51.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.51.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\3.0.40624.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.69: C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.69: C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.03.27 10:39:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.08.22 23:29:29 | 000,000,000 | ---D | M]

[2010.04.25 15:29:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010.04.25 15:29:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\l94ab9bp.default\extensions
[2014.03.11 14:36:13 | 000,000,322 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\l94ab9bp.default\searchplugins\as.xml
[2013.02.21 00:14:27 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011.02.11 11:03:04 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011.03.27 10:39:54 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2012.08.22 23:29:32 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBA}
[2012.12.21 23:53:20 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}
[2010.04.27 20:25:21 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE1.6.0_13\LIB\DEPLOY\JQS\FF
[2011.03.18 20:07:32 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010.01.01 10:00:00 | 000,001,182 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-tr.xml
[2010.01.01 10:00:00 | 000,000,956 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-tr.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter},
CHR - homepage: http://www.google.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\33.0.1750.117\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\33.0.1750.117\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\33.0.1750.117\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
CHR - plugin: Microsoft Office 2003 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
CHR - plugin: RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
CHR - plugin: Microsoft® DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Microsoft® DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll
CHR - plugin: Java™ Platform SE 6 U38 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\3.0.40624.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Java Deployment Toolkit 6.0.380.5 (Enabled) = C:\WINDOWS\system32\npdeployJava1.dll
CHR - Extension: Google Cüzdan = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.1_0\

O1 HOSTS File: ([2011.04.06 15:03:56 | 000,000,734 | ---- | M]) - C:\WINDOWS\System32\Drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Bağı Yardımı) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [AKINSOFT CafeFilter] C:\AKINSOFT\CafePlusFilter1\cafeplusfilter.exe ()
O4 - HKLM..\Run: [CafePlus Client] C:\Program Files\AKINSOFT\Cplus9\Client9\CplusC.exe ()
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [Shadow Defender Daemon] "C:\Program Files\Shadow Defender\DefenderDaemon.exe" /Auto File not found
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (Disc Soft Ltd)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRemoteRecursiveEvents = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun: NoDriveTypeAutoRun = 177
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 177
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDeletePrinter = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAddPrinter = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetFolders = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetTaskbar = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFavoritesMenu = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogoff = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewContextMenu = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewOnDrive = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispAppearancePage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispSettingsPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoSecCPL = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoPwdPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoProfilePage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDevMgrPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoConfigPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoFileSysPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoVirtMemPage = 0
O8 - Extra context menu item: &Download by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.51.2)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.51.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{55DCE7F7-43EA-455C-A1B1-55A7029F2019}: NameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\DfLogon: DllName - (LogonDll.dll) - C:\WINDOWS\System32\LogonDll.dll ()
O20 - Winlogon\Notify\WgaLogon: DllName - (WgaLogon.dll) - C:\WINDOWS\System32\WgaLogon.dll ()
O24 - Desktop Components:0 (Geçerli Giriş Sayfam) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2010.04.23 17:32:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{7bd87339-6e25-11e3-9f4d-a1f7d3fc9328}\Shell\auTOpLaY\CoMmAnd - "" = E:\hjmv.exe
O33 - MountPoints2\{7bd87339-6e25-11e3-9f4d-a1f7d3fc9328}\Shell\AutoRun\command - "" = E:\hjmv.exe
O33 - MountPoints2\{7bd87339-6e25-11e3-9f4d-a1f7d3fc9328}\Shell\exploRe\commAND - "" = E:\hjmv.exe
O33 - MountPoints2\{7bd87339-6e25-11e3-9f4d-a1f7d3fc9328}\Shell\oPen\coMMand - "" = E:\hjmv.exe
O33 - MountPoints2\{b139dc64-7664-11e0-adb7-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{b139dc64-7664-11e0-adb7-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2014.03.11 14:39:22 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.com
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2014.03.11 14:40:01 | 000,441,128 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2014.03.11 14:40:01 | 000,428,358 | ---- | M] () -- C:\WINDOWS\System32\perfh01F.dat
[2014.03.11 14:40:01 | 000,081,462 | ---- | M] () -- C:\WINDOWS\System32\perfc01F.dat
[2014.03.11 14:40:01 | 000,071,254 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2014.03.11 14:36:08 | 000,287,232 | ---- | M] () -- C:\WINDOWS\System32\akinsofthook32.dll
[2014.03.11 14:36:08 | 000,041,592 | ---- | M] () -- C:\WINDOWS\System32\akinsofthookdriver32.sys
[2014.03.11 14:36:07 | 002,271,232 | ---- | M] () -- C:\WINDOWS\System32\asinjsvc32.exe
[2014.03.11 14:36:06 | 000,002,560 | ---- | M] () -- C:\WINDOWS\System32\drivers\mchInjDrv.sys
[2014.03.11 14:35:50 | 000,203,188 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2014.03.11 14:35:47 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2014.03.04 17:02:15 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.com
[2014.02.27 14:14:06 | 000,001,132 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-299502267-682003330-500UA.job
[2014.02.27 14:14:04 | 000,002,358 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2014.02.27 14:14:04 | 000,002,340 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Google Chrome.lnk
[2014.02.27 14:11:00 | 000,001,080 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-299502267-682003330-500Core.job
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013.12.26 19:44:47 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\LogonDll.dll
[2013.06.12 22:15:23 | 000,287,232 | ---- | C] () -- C:\WINDOWS\System32\akinsofthook32.dll
[2013.06.12 22:15:23 | 000,041,592 | ---- | C] () -- C:\WINDOWS\System32\akinsofthookdriver32.sys
[2013.06.12 22:15:19 | 002,271,232 | ---- | C] () -- C:\WINDOWS\System32\asinjsvc32.exe
[2010.04.26 16:49:59 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2010.04.25 15:44:26 | 000,022,328 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\PnkBstrK.sys
[2010.04.23 17:37:46 | 000,213,512 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

========== ZeroAccess Check ==========

[2010.04.23 17:36:53 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2009.04.02 17:17:22 | 002,792,960 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2008.04.15 14:00:00 | 000,472,064 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008.04.15 14:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2013.12.26 15:25:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\.minecraft
[2010.04.26 10:23:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\2K Sports
[2010.04.26 11:03:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Activision
[2013.12.26 18:07:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\bizarre creations
[2010.04.25 20:41:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\BlackBean
[2013.12.26 14:47:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\DAEMON Tools Lite
[2010.04.23 17:42:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Desktopicon
[2010.04.25 18:01:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2012.12.22 00:29:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\LolClient
[2010.04.24 17:47:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\My Battle for Middle-earth™ II Files
[2010.04.27 20:35:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org
[2010.04.23 17:44:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Orbit
[2010.04.27 15:54:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Red Alert 3 Uprising
[2013.12.26 17:09:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Rovio
[2013.12.26 17:33:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Rovio Entertainment Ltd
[2010.04.27 17:50:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Sierra
[2011.02.12 17:03:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Sports Interactive
[2010.04.25 19:47:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Activision
[2010.04.26 09:52:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Codemasters
[2013.12.26 14:47:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2010.04.27 14:11:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2011.02.12 15:52:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\KONAMI
[2013.12.26 14:56:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Package Cache
[2010.04.26 11:57:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Test Drive Unlimited
[2010.04.26 15:56:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2010.04.26 14:59:39 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}

========== Purity Check ==========



< End of report >

Edited by umrahel, 11 March 2014 - 07:26 AM.

  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP