23rd December 2010, #1
dmonfette (thread starter; Join Date: Dec 2010; Posts: 19; Computer Experience: Beginner)

[Resolved] Cannot access Windows update - malware involved?


Two days ago, a popup asked me to buy defrag software. I forced a power off on the computer and afterwards got messages saying the disk was full, the memory was full, etc... Booting Ubuntu from a USB key, I deleted all exe files in the Windows folder (they all had a date and time stamp close enough to the popup and had names beginning with the letter Q).

I then rebooted and ran autorun from Microsoft. I unchecked everything I thought was suspicious. Some of the unchecked items would reappear, copied and checked, after a reboot... I tried to update Windows but could not reach the web page! I downloaded SP3 from another computer and installed it. Unlucky... The web page is still not available.

Then I got to a web page from you guys. I understood that I had maybe gone too far on my own.

Here are the log files from Malwarebytes, GMER, MBRCheck, and DDS:

MALWAREBYTES:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Version de la base de données: 5384

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

2010-12-23 10:45:07
mbam-log-2010-12-23 (10-45-07).txt

Type d'examen: Examen rapide
Elément(s) analysé(s): 159055
Temps écoulé: 1 minute(s), 42 seconde(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 1
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 3

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
c:\WINDOWS\msh4cota.oka.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.


GMER:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-23 10:57:08
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3750330AS rev.SD15
Running: jbi0n2wm.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT 9A0B8C76 ZwCreateKey
SSDT 9A0B8C6C ZwCreateThread
SSDT 9A0B8C7B ZwDeleteKey
SSDT 9A0B8C85 ZwDeleteValueKey
SSDT 9A0B8C8A ZwLoadKey
SSDT 9A0B8C58 ZwOpenProcess
SSDT 9A0B8C5D ZwOpenThread
SSDT 9A0B8C94 ZwReplaceKey
SSDT 9A0B8C8F ZwRestoreKey
SSDT 9A0B8C80 ZwSetValueKey

---- Kernel code sections - GMER 1.0.15 ----

? ocfdwlrg.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[220] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AA000A
.text C:\WINDOWS\Explorer.EXE[220] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AB000A
.text C:\WINDOWS\Explorer.EXE[220] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 00419330 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 004193A0 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 00419220 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 00419170 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 004192F0 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 004191B0 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 00419260 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 004191E0 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 004192A0 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 00419130 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\System32\svchost.exe[1788] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D2000A
.text C:\WINDOWS\System32\svchost.exe[1788] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D3000A
.text C:\WINDOWS\System32\svchost.exe[1788] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D1000C
.text C:\WINDOWS\System32\svchost.exe[1788] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F4000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.EXE[220] @ C:\WINDOWS\Explorer.EXE [USER32.dll!ExitWindowsEx] [01CF1940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
IAT C:\WINDOWS\Explorer.EXE[220] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [01CF1940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
IAT C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE[1236] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [022D1940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1348] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [10001940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
IAT C:\Program Files\RemoteAgent64\Bin\EventServer.exe[1364] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [10001940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
IAT C:\WINDOWS\RTHDCPL.EXE[1372] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [10001940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
IAT C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1380] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [01791940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
IAT C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe[1388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [00C61940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
IAT C:\WINDOWS\SMINST\Scheduler.exe[1412] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [10001940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[1428] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [10001940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
IAT C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[1440] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [00DA1940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
IAT C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe[1468] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [02AF1940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
IAT C:\Program Files\HPQ\IAM\bin\asghost.exe[1948] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [01DB1940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[2008] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [10001940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
IAT C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe[2112] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [00F31940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)

---- Devices - GMER 1.0.15 ----

Device pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3750330AS_____________________________SD15____#5&288f8644&0&0 .0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 37: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

MBRCHECK:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0006001c

Kernel Drivers (total 156):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0x8B2EB000 \WINDOWS\system32\KDCOM.DLL
0xBA4BC000 \WINDOWS\system32\BOOTVID.dll
0xBA0A8000 ocfdwlrg.sys
0xB9F79000 ACPI.sys
0xBA5A8000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0B8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0C8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AA000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0D8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0E8000 disk.sys
0xBA0F8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EEB000 fltmgr.sys
0xB9ED9000 sr.sys
0xB9EC3000 DRVMCDB.SYS
0xBA108000 PxHelp20.sys
0xB9EAC000 KSecDD.sys
0xB9E1F000 Ntfs.sys
0xB9DF2000 NDIS.sys
0xBA4C0000 Gernuwa.sys
0xB9DD8000 Mup.sys
0xB8539000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB8525000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB90B3000 \SystemRoot\system32\drivers\aw_host5.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\HECI.sys
0xB84EC000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xB8863000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB84C8000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB885B000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB84A0000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB8853000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB884B000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB848C000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\serial.sys
0xB90AF000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB8843000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\IFXTPM.SYS
0xBA2E8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA5D6000 \??\C:\WINDOWS\system32\drivers\UBHelper.sys
0xBA2F8000 \SystemRoot\System32\Drivers\cdrbsdrv.SYS
0xBA5D8000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0xBA308000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA318000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB8469000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA5DA000 \??\C:\WINDOWS\system32\drivers\NTIDrvr.sys
0xBA128000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB909B000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xBA708000 \SystemRoot\system32\DRIVERS\rminiv3.sys
0xB844E000 \SystemRoot\system32\DRIVERS\dne2000.sys
0xBA709000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA138000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9093000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB8437000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA148000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA158000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB883B000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB8426000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA168000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB8833000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB882B000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA178000 \SystemRoot\system32\DRIVERS\tap0801.sys
0xB8823000 \SystemRoot\system32\DRIVERS\pppop.sys
0xB840F000 \SystemRoot\system32\DRIVERS\VBoxNetAdp.sys
0xB83DF000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA188000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB83C5000 \SystemRoot\system32\DRIVERS\VBoxNetFlt.sys
0xBA5DC000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB881B000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB9063000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB9023000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5F0000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA0FCD000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xA0FA9000 \SystemRoot\system32\drivers\portcls.sys
0xA5B65000 \SystemRoot\system32\drivers\drmk.sys
0x9A2DE000 \SystemRoot\System32\drivers\psd.sys
0xBA628000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x9A1CF000 \SystemRoot\System32\Drivers\Null.SYS
0xBA62A000 \SystemRoot\System32\Drivers\Beep.SYS
0x9A2CE000 \SystemRoot\System32\Drivers\DLARTL_M.SYS
0x9A43E000 \??\C:\WINDOWS\system32\rserver30\raddrvv3.sys
0x9A2C6000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x9A2BE000 \SystemRoot\System32\drivers\vga.sys
0xBA62C000 \SystemRoot\system32\drivers\awechomd.sys
0x9A161000 \SystemRoot\System32\Drivers\awlegacy.sys
0xBA62E000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA632000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x9A2B6000 \SystemRoot\System32\Drivers\Msfs.SYS
0x9A2AE000 \SystemRoot\System32\Drivers\Npfs.SYS
0x9A15D000 \SystemRoot\system32\DRIVERS\rasacd.sys
0x99D36000 \SystemRoot\system32\DRIVERS\ipsec.sys
0x99CDD000 \SystemRoot\system32\DRIVERS\tcpip.sys
0x99CB5000 \SystemRoot\system32\DRIVERS\netbt.sys
0x99C8F000 \SystemRoot\system32\DRIVERS\ipnat.sys
0x99C6D000 \SystemRoot\System32\drivers\afd.sys
0x9A42E000 \SystemRoot\system32\DRIVERS\netbios.sys
0x9A40E000 \SystemRoot\system32\DRIVERS\VBoxUSBMon.sys
0x99C50000 \SystemRoot\system32\DRIVERS\VBoxDrv.sys
0x9A2A6000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0x99C25000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x9A3FE000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x99BB5000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9A3EE000 \SystemRoot\System32\Drivers\Fips.SYS
0x99B92000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xBA636000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0x99E85000 \SystemRoot\System32\Drivers\ASPI32.SYS
0x9A05D000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x99E71000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x9A267000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA65ED000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xA6FAA000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x9A257000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB9CF1000 \SystemRoot\system32\DRIVERS\usbscan.sys
0x9A247000 \SystemRoot\System32\Drivers\nx6000.sys
0x99B74000 \SystemRoot\System32\Drivers\usbvideo.sys
0x9A237000 \SystemRoot\system32\drivers\usbaudio.sys
0x99B5C000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA646000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA6FB6000 \SystemRoot\System32\drivers\Dxapi.sys
0x9A04D000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA6D9000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF055000 \SystemRoot\System32\ati2cqag.dll
0xBF09A000 \SystemRoot\System32\atikvmag.dll
0xBF0DC000 \SystemRoot\System32\ati3duag.dll
0xBF37D000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0x97B47000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x9E312000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xBA77F000 \SystemRoot\System32\DLA\DLADResM.SYS
0x97B2F000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0x99DA9000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0x9BE6D000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0x99DA1000 \SystemRoot\System32\DLA\DLABMFSM.SYS
0x99D99000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0x97B19000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0x97B02000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0x9C403000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x979E5000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x97980000 \SystemRoot\system32\drivers\wdmaud.sys
0x9F040000 \SystemRoot\system32\drivers\sysaudio.sys
0x96BFF000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
0x968ED000 \SystemRoot\system32\DRIVERS\srv.sys
0x968AD000 \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdapow.sys
0x95F70000 \SystemRoot\System32\Drivers\HTTP.sys
0x95D18000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 56):
0 System Idle Process
4 System
1992 C:\WINDOWS\system32\smss.exe
316 csrss.exe
344 C:\WINDOWS\system32\winlogon.exe
388 C:\WINDOWS\system32\services.exe
400 C:\WINDOWS\system32\lsass.exe
656 C:\WINDOWS\system32\ati2evxx.exe
672 C:\WINDOWS\system32\svchost.exe
752 svchost.exe
1788 C:\WINDOWS\system32\svchost.exe
1972 svchost.exe
852 svchost.exe
1084 C:\WINDOWS\system32\spoolsv.exe
1216 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1256 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
1328 svchost.exe
1704 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
1924 C:\WINDOWS\system32\ati2evxx.exe
1948 C:\Program Files\HPQ\IAM\Bin\asghost.exe
220 C:\WINDOWS\explorer.exe
1236 C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
1348 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
1364 C:\Program Files\RemoteAgent64\Bin\EventServer.exe
1372 C:\WINDOWS\RTHDCPL.exe
1380 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
1388 C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe
1404 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1412 C:\WINDOWS\SMINST\Scheduler.exe
1428 C:\WINDOWS\system32\ctfmon.exe
1440 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
1468 C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
1636 C:\WINDOWS\system32\svchost.exe
1780 C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
2080 E:\cygwin\bin\cygrunsrv.exe
2360 C:\WINDOWS\system32\FortiSSLVPNdaemon.exe
2756 E:\cygwin\bin\exim-4.69-1.exe
2812 C:\WINDOWS\system32\IFXSPMGT.exe
3460 C:\WINDOWS\system32\IFXTCS.exe
3956 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
3992 C:\Program Files\Java\jre6\bin\jqs.exe
4016 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
276 C:\Program Files\Microsoft LifeCam\MSCamS32.exe
476 C:\Program Files\Palm\SDK\bin\novacom\x86\novacomd.exe
1184 C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
1228 C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
1568 C:\WINDOWS\system32\svchost.exe
2732 C:\Program Files\TightVNC\WinVNC.exe
3024 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
3052 C:\WINDOWS\system32\wuauclt.exe
2488 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
2008 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
3384 wmiprvse.exe
2112 C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
2612 alg.exe
3192 C:\Documents and Settings\Administrator\Desktop\malware\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000010`a0f85600 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000012`a14c0000 (NTFS)

PhysicalDrive0 Model Number: ST3750330AS, Rev: SD15

Size Device Name MBR Status
--------------------------------------------
698 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 0C62942DB383379A3F323ED173858423662B0152


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

Done!

DDS:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 10:59:36,32 on 2010-12-23
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professionnel 5.1.2600.3.1252.2.1033.18.3583.2983 [GMT -5:00]

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\RemoteAgent64\Bin\EventServer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
e:\cygwin\bin\cygrunsrv.exe
C:\WINDOWS\system32\FortiSSLVPNdaemon.exe
e:\cygwin\bin\exim-4.69-1.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Palm\SDK\bin\novacom\x86\novacomd.exe
C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\malware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hp.com
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Credential Manager for ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hpq\iam\bin\ItIeAddIN.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hpq\iam\bin\AsTsVcc.dll,RegisterModule
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EventServer] c:\program files\remoteagent64\bin\EventServer.exe /h
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [BackupNowEZtray] "c:\program files\newtech infosystems\backup now ez\BackupNowEZtray.exe" -k
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\motion~1.lnk - c:\program files\panasonic\motionsd studio\sd_browser\AutoLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{d25122bc-a60e-4663-b602-b01718f12044}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\eventl~1.lnk - c:\program files\jm integrated remote station\cms\EventLogger.exe
mPolicies-system: DisableCAD = 1 (0x1)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://216.30.165.22:8080/activex/decoder/mpeg4_dec.cab
DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} - hxxp://65.254.18.46:100/RemoteWeb.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
DPF: {5B8DED15-6FC1-4044-A923-F8CE2EAB40B7} - hxxp://216.215.157.230/SpecoRemote.cab
DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} - hxxp://65.254.18.46:100/VideoViewer.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200348910062
DPF: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} - hxxp://192.168.200.100/dcsclictrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {A2DA760C-D2DF-4FED-92B4-593E3F148692} - hxxp://demopc8p24.dss.com.tw:1700/WebCamX.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CF1C4A31-BD38-4DCB-BFDB-9E1854B6AAF1} - hxxp://www.dvrhost.com/control/viewer.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://216.30.165.22:8080/activex/AMC.cab
DPF: {F3CAAA40-344A-412E-84E3-D176D64EE54F} - hxxp://www.bms2000.org/BMS2000_Access_Control.ocx
Handler: intu-ir2008 - {729D3592-92E7-4cbc-8E44-3C22B3F457B3} - c:\program files\impotrapide 2008\ic2008pp.dll
Handler: intu-ir2009 - {E4616804-F2F8-4839-B728-5305004DA6A7} - c:\program files\impotrapide 2009\ic2009pp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IfxWlxEN - IfxWlxEN.dll
Notify: OneCard - c:\program files\hpq\iam\bin\AsWlnPkg.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli AsWlnPkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\xcprpuph.default\
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\fortinet\sslvpnclient\npccplugin.dll
FF - plugin: c:\program files\fortinet\sslvpnclient\nptcplugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {89489159-3FA0-49AC-968A-7C3E455F74FB} - c:\documents and settings\danny\local settings\application data\{89489159-3FA0-49AC-968A-7C3E455F74FB}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-6 11608]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-11-17 11165]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2006-4-6 31104]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2007-2-2 41176]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-9-15 123280]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-9-15 41680]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-6 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-6 267944]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2006-2-27 14336]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-6 60936]
R2 exim;Exim;e:\cygwin\bin\cygrunsrv.exe [2008-12-19 68096]
R2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSSLVPNdaemon.exe [2009-2-6 518688]
R2 NovacomD;Palm Novacom;c:\program files\palm\sdk\bin\novacom\x86\novacomd.exe [2009-8-3 31232]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\newtech infosystems\backup now ez\BackupNowEZSvr.exe [2009-5-8 45312]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-5-11 36608]
R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-3-19 30576]
R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [2009-2-3 36384]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2004-7-31 23552]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-9-15 99152]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2010-2-12 110096]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-7 133104]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2004-11-5 106496]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 RServer3;Radmin Server V3;"c:\windows\system32\rserver30\rserver3.exe" /service --> c:\windows\system32\rserver30\RServer3.exe [?]

=============== Created Last 30 ================

2010-12-23 15:41:41 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-12-23 15:41:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-23 15:41:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-23 15:41:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-23 15:41:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-23 05:28:21 -------- d-----w- c:\docume~1\admini~1\applic~1\Avira
2010-12-23 03:45:48 33792 ------w- c:\windows\system32\dllcache\custsat.dll
2010-12-23 03:44:26 -------- d-----w- c:\windows\network diagnostic
2010-12-23 03:26:37 -------- d-----w- c:\program files\autorun
2010-12-23 03:13:52 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Mozilla
2010-12-20 12:30:03 0 ----a-w- c:\windows\Ibilodobuvog.bin

==================== Find3M ====================

2010-12-10 13:28:01 1080 ----a-w- c:\windows\AUTOLNCH.REG
2009-03-05 22:49:01 224256 ----a-w- c:\program files\fentun.exe
2008-08-06 21:27:08 3520552 ----a-w- c:\program files\procexp.exe
2007-05-17 14:56:26 172032 ----a-w- c:\program files\puttygen.exe
2007-05-17 14:56:21 135168 ----a-w- c:\program files\pageant.exe
2007-05-17 14:56:16 282624 ----a-w- c:\program files\plink.exe
2007-05-17 14:56:11 307200 ----a-w- c:\program files\psftp.exe
2007-05-17 14:56:06 294912 ----a-w- c:\program files\pscp.exe
2007-05-17 14:56:01 294912 ----a-w- c:\program files\puttytel.exe
2007-05-17 14:55:26 454656 ----a-w- c:\program files\putty.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3750330AS rev.SD15 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B349555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b34f7b0]; MOV EAX, [0x8b34f82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B3B1AB8]
3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000081[0x8B3BBF18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8B366D98]
\Driver\atapi[0x8B362610] -> IRP_MJ_CREATE -> 0x8B349555
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV DS, BX; MOV ES, BX; MOV SI, 0x200; MOV CX, SI; CLD ; REP MOVSB ; JMP FAR 0x7a0:0xa3; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3750330AS_____________________________SD15____#5&288f8644&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8B34939B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 11:00:17,65 ===============



Thanks for your help!

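An added example, written for this thread and not part of the original post or of GMER: the GMER section above is what a TDL3-style hook looks like in practice. The atapi driver's IRP_MJ_CREATE dispatch and its DriverStartIo both point at 0x8B34xxxx addresses, and GMER lists a caller in the disk I/O path that it cannot attribute to any module. The script below parses those lines and flags every pointer that does not fall inside a loaded driver image. The module load ranges in MODULE_RANGES are invented for the demo (GMER names the modules in the call chain but does not print their load addresses) and were chosen so that the ntkrnlpa, CLASSPNP and ACPI addresses in the log resolve; real triage would take the ranges from a kernel debugger or a full GMER module listing.

```python
"""Flag kernel pointers in a GMER disk-stack trace that point outside every
loaded module.  Added example for this thread; not part of GMER or of the post.
MODULE_RANGES is invented for the demo (GMER names the modules in the call
chain but does not print their load addresses); real triage would pull the
ranges from a kernel debugger or a full GMER module listing."""
import re
from collections import namedtuple

# Lines copied from the GMER output in the post above (sample input).
GMER_LOG = r"""
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B349555]<<
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B3B1AB8]
3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000081[0x8B3BBF18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8B366D98]
\Driver\atapi[0x8B362610] -> IRP_MJ_CREATE -> 0x8B349555
detected hooks:
\Driver\atapi DriverStartIo -> 0x8B34939B
user & kernel MBR OK
"""

# Hypothetical image ranges (start, end).  Invented for illustration and
# chosen so the ntkrnlpa, CLASSPNP and ACPI addresses GMER printed resolve.
MODULE_RANGES = {
    "ntkrnlpa.exe": (0x804D7000, 0x806E4000),
    "hal.dll":      (0x806E4000, 0x80704000),
    "ACPI.sys":     (0xB9F70000, 0xB9F9F000),
    "disk.sys":     (0xBA0E0000, 0xBA0F0000),
    "CLASSPNP.SYS": (0xBA0F0000, 0xBA105000),
    "atapi.sys":    (0xB9E80000, 0xB9E99000),
}

UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")
DISPATCH_RE = re.compile(r"^(\\Driver\\[^\[\s]+)\[0x[0-9A-Fa-f]+\]\s+->\s+(IRP_MJ_\w+)\s+->\s+0x([0-9A-Fa-f]+)$")
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\w+)\s+->\s+0x([0-9A-Fa-f]+)$")
# name[0xADDR] tokens in the numbered call-chain lines; the lookbehind skips
# device-object names such as \Device\Harddisk0\DR0[...], which live in pool.
CHAIN_RE = re.compile(r"(?<![\\\w])(\w+(?:!\w+)?)\[0x([0-9A-Fa-f]+)\]")

Finding = namedtuple("Finding", "kind where addr owner")


def resolve(addr, ranges=MODULE_RANGES):
    """Return the module whose image contains addr, or None if no image does."""
    for name, (lo, hi) in ranges.items():
        if lo <= addr < hi:
            return name
    return None


def triage(log, ranges=MODULE_RANGES):
    """Extract every code pointer GMER reports and resolve it to a module."""
    findings = []
    for line in log.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            addr = int(m.group(1), 16)
            findings.append(Finding("unknown caller", "disk I/O path", addr, resolve(addr, ranges)))
            continue
        m = DISPATCH_RE.match(line)
        if m:  # e.g. \Driver\atapi[...] -> IRP_MJ_CREATE -> 0x...
            addr = int(m.group(3), 16)
            findings.append(Finding(m.group(2), m.group(1), addr, resolve(addr, ranges)))
            continue
        m = HOOK_RE.match(line)
        if m:  # e.g. \Driver\atapi DriverStartIo -> 0x...
            addr = int(m.group(3), 16)
            findings.append(Finding(m.group(2), m.group(1), addr, resolve(addr, ranges)))
            continue
        if line[:1].isdigit():  # numbered call-chain lines
            for name, hexaddr in CHAIN_RE.findall(line):
                addr = int(hexaddr, 16)
                findings.append(Finding("call chain", name, addr, resolve(addr, ranges)))
    return findings


def suspicious(findings):
    """Pointers that resolve to no loaded module: code living in allocated pool."""
    return [f for f in findings if f.owner is None]


if __name__ == "__main__":
    for f in triage(GMER_LOG):
        flag = "SUSPICIOUS" if f.owner is None else "ok"
        print(f"{flag:10} {f.kind:15} {f.where:32} 0x{f.addr:08X} -> {f.owner}")
```

Run against the lines above it reports three pointers that resolve to no module: the unattributed caller and the atapi IRP_MJ_CREATE dispatch (both 0x8B349555) and DriverStartIo (0x8B34939B), while the ntkrnlpa, CLASSPNP and ACPI entries in the numbered call chain resolve cleanly. That is the pattern behind GMER's TDL3 warning: the disk stack is being serviced by code that lives in allocated kernel memory rather than in any driver image, which is why a file-level antivirus scan of atapi.sys comes back clean.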
Old 23rd December 2010   #2
Malware Analyst
 
Profile:
Join Date: Aug 2002
Location: Daly City, CA
Posts: 19,793
Computer Experience:
intermediate
Welcome aboard

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

==============================================================

I still need Attach.txt part of DDS.

For starters, you're infected with a rootkit.

Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

Old 23rd December 2010   #3
Inactive
THREAD STARTER
 
Profile:
Join Date: Dec 2010
Posts: 19
Computer Experience:
Beginner

Thanks Broni!

Here is the attach.txt file from DDS:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/14/2008 4:48:13 PM
System Uptime: 12/23/2010 10:46:25 AM (1 hours ago)

Motherboard: Hewlett-Packard | | 0A58h
Processor: Intel(R) Core(TM)2 CPU 6700 @ 2.66GHz | XU1 PROCESSOR | 2659/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 67 GiB total, 26.218 GiB free.
D: is FIXED (NTFS) - 8 GiB total, 6.228 GiB free.
E: is FIXED (NTFS) - 331 GiB total, 147.444 GiB free.
R: is CDROM ()
S: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&696F438&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&696F438&0
Service: i8042prt

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&696F438&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&696F438&0
Service: i8042prt

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0001
Service: CVirtA

==== System Restore Points ===================

RP407: 12/22/2010 11:18:56 PM - Installed Windows XP KB968537.
RP408: 12/22/2010 11:19:32 PM - Installed Windows XP KB969059.
RP409: 12/22/2010 11:20:09 PM - Installed Windows XP KB969897.
RP410: 12/22/2010 11:20:47 PM - Installed Windows XP KB969947.
RP411: 12/22/2010 11:21:22 PM - Installed Windows XP KB970238.
RP412: 12/22/2010 11:22:01 PM - Installed Windows XP KB970430.
RP413: 12/22/2010 11:22:38 PM - Installed Windows XP KB971468.
RP414: 12/22/2010 11:23:16 PM - Installed Windows XP KB971486.
RP415: 12/22/2010 11:23:52 PM - Installed Windows XP KB971557.
RP416: 12/22/2010 11:24:29 PM - Installed Windows XP KB971633.
RP417: 12/22/2010 11:25:04 PM - Installed Windows XP KB971657.
RP418: 12/22/2010 11:26:35 PM - Installed Windows XP KB971737.
RP419: 12/22/2010 11:27:11 PM - Installed Windows XP KB972260.
RP420: 12/22/2010 11:27:55 PM - Installed Windows XP KB972270.
RP421: 12/22/2010 11:28:33 PM - Installed Windows XP KB973354.
RP422: 12/22/2010 11:29:10 PM - Installed Windows XP KB973507.
RP423: 12/22/2010 11:29:47 PM - Installed Windows XP KB973687.
RP424: 12/22/2010 11:30:23 PM - Installed Windows XP KB973815.
RP425: 12/22/2010 11:31:01 PM - Installed Windows XP KB973869.
RP426: 12/22/2010 11:31:38 PM - Installed Windows XP KB974112.
RP427: 12/22/2010 11:32:14 PM - Installed Windows XP KB974318.
RP428: 12/22/2010 11:33:00 PM - Installed Windows XP KB974392.
RP429: 12/22/2010 11:33:38 PM - Installed Windows XP KB974455.
RP430: 12/22/2010 11:34:16 PM - Installed Windows XP KB974571.
RP431: 12/22/2010 11:34:52 PM - Installed Windows XP KB975025.
RP432: 12/22/2010 11:35:29 PM - Installed Windows XP KB975467.
RP433: 12/22/2010 11:36:10 PM - Installed Windows XP KB975560.
RP434: 12/22/2010 11:36:47 PM - Installed Windows XP KB975561.
RP435: 12/22/2010 11:37:27 PM - Installed Windows XP KB975562.
RP436: 12/22/2010 11:38:05 PM - Installed Windows XP KB976325.
RP437: 12/22/2010 11:38:43 PM - Installed Windows XP KB976749.
RP438: 12/22/2010 11:39:22 PM - Installed Windows XP KB977165.
RP439: 12/22/2010 11:40:03 PM - Installed Windows XP KB977914.
RP440: 12/22/2010 11:40:41 PM - Installed Windows XP KB978037.
RP441: 12/22/2010 11:41:19 PM - Installed Windows XP KB978207.
RP442: 12/22/2010 11:41:57 PM - Installed Windows XP KB978251.
RP443: 12/22/2010 11:42:35 PM - Installed Windows XP KB978338.
RP444: 12/22/2010 11:43:12 PM - Installed Windows XP KB978542.
RP445: 12/22/2010 11:43:50 PM - Installed Windows XP KB978601.
RP446: 12/22/2010 11:44:28 PM - Installed Windows XP KB978706.
RP447: 12/22/2010 11:45:04 PM - Installed Windows XP KB979309.
RP448: 12/22/2010 11:45:42 PM - Installed Windows XP KB979482.
RP449: 12/22/2010 11:46:18 PM - Installed Windows XP KB979559.
RP450: 12/22/2010 11:46:56 PM - Installed Windows XP KB979683.
RP451: 12/22/2010 11:47:35 PM - Installed Windows XP KB980182.
RP452: 12/22/2010 11:48:13 PM - Installed Windows XP KB980218.
RP453: 12/22/2010 11:48:50 PM - Installed Windows XP KB980232.
RP454: 12/22/2010 11:49:25 PM - Installed Windows XP KB982381.

==== Installed Programs ======================


7-Zip 4.65
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
Advanced IP Address Calculator v1.1
Advanced IP Scanner v1.5
Advanced LAN Scanner v1.0 BETA 1
Advanced Port Scanner v1.3
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
ATI Problem Report Wizard
Audacity 1.2.6
Avira AntiVir Personal - Free Antivirus
AXIS Media Control Embedded
Brother's Keeper 6.2
Camera Support Core Library
Camera Window DS
Camera Window DVC
Camera Window MC
Camtasia Studio 3
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
Cisco Network Assistant
Cisco Systems VPN Client 4.8.01.0300
ClearType Tuning Control Panel Applet
Corel Applications
CutePDF Writer 2.2
DicomWorks 1.3.5b
DVD Shrink 3.2
DVR Web Viewer for IE (remove only)
Family Tree SuperTools
FortiClient SSL VPN v4.0.2010
Garmin Trip and Waypoint Manager v5
Google Toolbar for Internet Explorer
Google Update Helper
Google Earth
GPSU version 4.15
Hawke BRC 1.0.5
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Backup and Recovery Manager
HP BIOS Configuration for ProtectTools 2.00 J2
HP Credential Manager for ProtectTools
HP Embedded Security for ProtectTools
HP Help and Support
HP PrecisionScan LTX
HP ProtectTools Security Manager 2.00 D3
HP USB Disk Storage Format Tool
HpSdpAppCoreApp
ImpôtRapide 2008
ImpôtRapide 2009
Index Dat Spy 2.1.0
Intel(R) Management Engine Interface
Intel(R) PRO Network Connections
InterVideo FilterSDK for Panasonic
InterVideo Register Manager
InterVideo WinDVD
iReport nb-3.5.1
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java(TM) 6 Update 18
Java(TM) 6 Update 7
JM Integrated Remote Station
KeePass Password Safe 1.15
LightScribe Applications
LightScribe System Software 1.14.25.1
LightScribe Template Designs - Art Pack 1
LightScribe Template Designs - Business Pack 1
LightScribe Template Designs - Fantasy Pack 1
LightScribe Template Designs - Holiday Pack 1
LightScribe Template Designs - Special Occasion Pack 1
LightScribe Template Designs - Sports Pack 1
LightScribe Template Designs - Tattoo Pack 1
LightScribe Template Designs - Urban Pack 1
LightScribe Template Designs - Wedding Pack 1
LightScribeTemplateLabeler
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Look@LAN 2.50 Build 35
Malwarebytes' Anti-Malware
MapSource
MapSource - Topo Canada v2
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Corporation
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft LifeCam
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft WinUsb 1.0
MotionSD STUDIO 1.3E
MovieEdit Task
Mozilla Firefox (3.6.13)
Mozilla Thunderbird (2.0.0.6)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Netscape Communicator 4.78
NTI Backup Now EZ
OpenOffice.org 3.2
OpenVPN 2.0
Palm SDK
PDFill PDF Editor with FREE Writer and FREE Tools
PhotoStitch
QuickTime
Radmin Server 3.0
Radmin Viewer 3.0
RAW Image Task 1.2
Realtek High Definition Audio Driver
RemoteAgent64 v7.2
RemoteCapture Task 1.1
Roxio Audio Module
Roxio Copy Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator Tools
Roxio Data Module
Roxio Drag-to-Disc
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Roxio MyDVD Plus
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB982381)
Skype Toolbars
Skype™ 5.0
Sonic Activation Module
Sun VirtualBox
Symantec pcAnywhere
TightVNC 1.3.9
Toktumi client
Trailgauge
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
VBrick StreamPlayerPlus
Virtual Desktop Manager Powertoy for Windows XP
VLC media player 1.1.2
VRWriter4
WebFldrs XP
Windows Driver Package - Palm (WinUSB) Palm Devices (11/30/2008 1.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Media Format 11 runtime
Windows XP Service Pack 3
WinPcap 4.0.2
WinSCP 3.7.4
WinZip
Wireshark 1.0.6
Xming 6.9.0.31

==== Event Viewer Messages From Past Week ========

12/23/2010 12:28:38 AM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
12/23/2010 10:49:34 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt iaStor
12/23/2010 10:49:34 AM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
12/23/2010 10:46:57 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The VNC Server service terminated unexpectedly. It has done this 1 time(s).
12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The Trusted Platform Core Service service terminated unexpectedly. It has done this 1 time(s).
12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The Security Platform Management Service service terminated unexpectedly. It has done this 1 time(s).
12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The Personal Secure Drive Service service terminated unexpectedly. It has done this 1 time(s).
12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The Palm Novacom service terminated unexpectedly. It has done this 1 time(s).
12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The MSCamSvc service terminated unexpectedly. It has done this 1 time(s).
12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The hpqwmiex service terminated unexpectedly. It has done this 1 time(s).
12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The FortiClient SSL VPN service terminated unexpectedly. It has done this 1 time(s).
12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The exim service terminated unexpectedly. It has done this 1 time(s).
12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The Cisco Systems, Inc. VPN Service service terminated unexpectedly. It has done this 1 time(s).
12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
12/22/2010 5:54:43 PM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
12/22/2010 2:42:50 AM, error: Service Control Manager [7023] - The SSHNAS service terminated with the following error: The specified module could not be found.
12/22/2010 10:36:44 PM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
12/22/2010 10:34:35 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'exim-daemon.pid' on the volume 'HarddiskVolume3'. It has stopped monitoring the volume.
12/22/2010 10:20:49 PM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
12/22/2010 10:16:44 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
12/22/2010 10:16:37 PM, error: Service Control Manager [7034] - The IviRegMgr service terminated unexpectedly. It has done this 1 time(s).
12/21/2010 9:24:25 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
12/21/2010 9:24:12 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ASPI32 avgio avipbb awlegacy AW_HOST Fips i8042prt intelppm ssmdrv VBoxDrv VBoxUSBMon
12/20/2010 7:43:03 AM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
12/20/2010 5:11:11 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
12/20/2010 5:01:10 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
12/20/2010 12:49:35 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
12/20/2010 12:49:35 AM, error: Service Control Manager [7022] - The MSCamSvc service hung on starting.
12/20/2010 12:48:13 AM, error: Service Control Manager [7000] - The Radmin Server V3 service failed to start due to the following error: The system cannot find the file specified.
12/19/2010 8:08:07 PM, error: Service Control Manager [7034] - The NTI BackupNowEZSvr service terminated unexpectedly. It has done this 1 time(s).
12/19/2010 5:23:14 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
12/19/2010 5:23:14 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
12/19/2010 5:16:49 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/19/2010 5:16:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service IFXSpMgtSrv with arguments "-Service" in order to run the server: {FBCD9C6A-72CB-47BB-99DD-2317551491DE}
12/19/2010 3:01:15 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service IFXSpMgtSrv with arguments "-Service" in order to run the server: {FBCD9C66-72CB-47BB-99DD-2317551491DE}
12/19/2010 2:52:25 PM, error: Service Control Manager [7000] - The Radmin Server V3 service failed to start due to the following error: Access is denied.

==== End Of File ===========================


I will post the results from TDSSKiller later.

Thanks,
Danny

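An added example for the Attach.txt above, not part of DDS or of the post: a small parser for the "Event Viewer Messages From Past Week" block. It puts the entries into real chronological order (DDS lists them by record, so the 12/22 2:42:50 AM entry sits between two 12/22 evening entries above), counts how often a service hung on start, clusters "terminated unexpectedly" events that land within a few seconds of each other, and lists services whose start failed because their file or module is gone. The sample lines are copied from the log above, with the French service name rendered as Automatic Updates; the 5-second window and 3-service threshold are choices made for the demo.

```python
"""Triage the 'Event Viewer Messages' block of a DDS Attach.txt.
Added example for this thread; not part of DDS or of the post.  SAMPLE is
copied from the Attach.txt above (the French 'Mises a jour automatiques'
rendered as 'Automatic Updates'); the clustering window and threshold are
choices made for the demo."""
import re
from collections import Counter, namedtuple
from datetime import datetime, timedelta

SAMPLE = """\
12/23/2010 12:28:38 AM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
12/23/2010 10:49:34 AM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The VNC Server service terminated unexpectedly. It has done this 1 time(s).
12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The Trusted Platform Core Service service terminated unexpectedly. It has done this 1 time(s).
12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The FortiClient SSL VPN service terminated unexpectedly. It has done this 1 time(s).
12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The exim service terminated unexpectedly. It has done this 1 time(s).
12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The Cisco Systems, Inc. VPN Service service terminated unexpectedly. It has done this 1 time(s).
12/22/2010 5:54:43 PM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
12/22/2010 2:42:50 AM, error: Service Control Manager [7023] - The SSHNAS service terminated with the following error: The specified module could not be found.
12/22/2010 10:36:44 PM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
12/22/2010 10:16:44 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
12/22/2010 10:16:37 PM, error: Service Control Manager [7034] - The IviRegMgr service terminated unexpectedly. It has done this 1 time(s).
12/20/2010 12:48:13 AM, error: Service Control Manager [7000] - The Radmin Server V3 service failed to start due to the following error: The system cannot find the file specified.
"""

Event = namedtuple("Event", "time level source event_id message")
LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), (\w+): (.+?) \[(\d+)\] - (.*)$")
SERVICE_RE = re.compile(r"^The (.+?) service (hung on starting|terminated unexpectedly"
                        r"|terminated with the following error|failed to start)")


def parse_events(text):
    """Parse DDS event lines into Event tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines
        when = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        events.append(Event(when, m.group(2), m.group(3), int(m.group(4)), m.group(5)))
    # DDS output is not strictly chronological, so sort before any timeline work.
    return sorted(events, key=lambda e: e.time)


def service_name(ev):
    """Display name of the service an SCM message is about, or None."""
    m = SERVICE_RE.match(ev.message)
    return m.group(1) if m else None


def hung_on_start(events):
    """How many times each service produced SCM 7022 'hung on starting'."""
    return Counter(service_name(e) for e in events if e.event_id == 7022)


def termination_bursts(events, window=timedelta(seconds=5), min_services=3):
    """Cluster SCM 7034 crashes that fall within `window` of the previous one.
    Returns (first_time, [service names]) for clusters of at least min_services."""
    crashes = [e for e in events if e.event_id == 7034]
    clusters, current = [], []
    for e in crashes:
        if current and e.time - current[-1].time > window:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return [(c[0].time, [service_name(e) for e in c]) for c in clusters if len(c) >= min_services]


def missing_binaries(events):
    """Services whose start failed (7000/7023) because their file or module is gone."""
    return [service_name(e) for e in events
            if e.event_id in (7000, 7023)
            and ("could not be found" in e.message or "cannot find the file" in e.message)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print("hung on start:", dict(hung_on_start(evs)))
    for when, names in termination_bursts(evs):
        print(f"{when}: {len(names)} services died together: {', '.join(names)}")
    print("missing binaries:", missing_binaries(evs))
```

On the sample it reports Automatic Updates hanging on start four times, one burst of five services dying in the same second at 10:35:39 on 12/23 (the two 12/22 10:16 PM terminations are seven seconds apart and stay below the threshold), and Radmin Server V3 and SSHNAS failing because their files are missing. Both the repeated Automatic Updates hang and the leftover service entries pointing at deleted files are worth reading against the first post: the thread's original symptom is Windows Update not working, and the poster removed executables by hand before running any scan.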
Old 23rd December 2010   #4
Inactive
THREAD STARTER
 
Profile:
Join Date: Dec 2010
Posts: 19
Computer Experience:
Beginner

... and the results from TDSSKiller:

2010/12/23 18:16:13.0421 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/23 18:16:13.0421 ================================================================================
2010/12/23 18:16:13.0421 SystemInfo:
2010/12/23 18:16:13.0421
2010/12/23 18:16:13.0421 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/23 18:16:13.0421 Product type: Workstation
2010/12/23 18:16:13.0421 ComputerName: DAN
2010/12/23 18:16:13.0421 UserName: Administrator
2010/12/23 18:16:13.0421 Windows directory: C:\WINDOWS
2010/12/23 18:16:13.0421 System windows directory: C:\WINDOWS
2010/12/23 18:16:13.0421 Processor architecture: Intel x86
2010/12/23 18:16:13.0421 Number of processors: 2
2010/12/23 18:16:13.0421 Page size: 0x1000
2010/12/23 18:16:13.0421 Boot type: Normal boot
2010/12/23 18:16:13.0421 ================================================================================
2010/12/23 18:16:13.0859 Initialize success
2010/12/23 18:16:28.0312 ================================================================================
2010/12/23 18:16:28.0312 Scan started
2010/12/23 18:16:28.0312 Mode: Manual;
2010/12/23 18:16:28.0312 ================================================================================
2010/12/23 18:16:30.0125 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2010/12/23 18:16:30.0187 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/23 18:16:30.0375 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/23 18:16:30.0468 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/12/23 18:16:30.0578 adpu320 (0ea9b1f0c6c90a509c8603775366adb7) C:\WINDOWS\system32\DRIVERS\adpu320.sys
2010/12/23 18:16:30.0781 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/23 18:16:30.0906 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/23 18:16:31.0015 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/12/23 18:16:31.0062 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/12/23 18:16:31.0265 ASPI32 (b979979ab8027f7f53fb16ec4229b7db) C:\WINDOWS\system32\drivers\ASPI32.sys
2010/12/23 18:16:31.0312 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/23 18:16:31.0359 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/23 18:16:31.0468 ati2mtag (92e6e84d152d2acc44936c1c89ff26c4) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/12/23 18:16:31.0515 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/23 18:16:31.0562 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/23 18:16:31.0656 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2010/12/23 18:16:31.0703 avgntflt (1eb7d72a82f94f7e9496d363fce00b68) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2010/12/23 18:16:31.0781 avipbb (f8c56231ed5ecf7d1b46b0330880ccef) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2010/12/23 18:16:31.0828 awecho (7305e36433ae7ce4a878ccc900bcf2a8) C:\WINDOWS\system32\drivers\awechomd.sys
2010/12/23 18:16:31.0875 awlegacy (1464f3daf223e7a204baf1b556ee7769) C:\WINDOWS\System32\Drivers\awlegacy.sys
2010/12/23 18:16:31.0921 AW_HOST (71c32536b50136e9e439306a2e9296e2) C:\WINDOWS\system32\drivers\aw_host5.sys
2010/12/23 18:16:31.0968 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/23 18:16:32.0015 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/23 18:16:32.0062 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/12/23 18:16:32.0125 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/23 18:16:32.0187 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/23 18:16:32.0234 cdrbsdrv (e0042bd5bef17a6a3ef1df576bde24d1) C:\WINDOWS\system32\drivers\cdrbsdrv.sys
2010/12/23 18:16:32.0281 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/23 18:16:32.0484 CVirtA (5c706c06c1279952d2cc1a609ca948bf) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2010/12/23 18:16:32.0515 CVPNDRVA (5ba042bcab6246c6bba51606afd7b488) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
2010/12/23 18:16:32.0671 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/23 18:16:32.0734 DLABMFSM (a53723176d0002feb486eff8e17812f2) C:\WINDOWS\system32\DLA\DLABMFSM.SYS
2010/12/23 18:16:32.0812 DLABOIOM (d4587063acea776699251e177d719586) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
2010/12/23 18:16:32.0875 DLACDBHM (76167b5eb2dffc729edc36386876b40b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2010/12/23 18:16:32.0906 DLADResM (4d1b9bdaab7a4e3643b79d805b79d33e) C:\WINDOWS\system32\DLA\DLADResM.SYS
2010/12/23 18:16:32.0953 DLAIFS_M (24400137e387a24410c52a591f3cfb4d) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
2010/12/23 18:16:33.0000 DLAOPIOM (29a303feceb28641ecebdae89eb71c63) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
2010/12/23 18:16:33.0031 DLAPoolM (c93e33a22a1ae0c5508f3fb1f6d0a50c) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
2010/12/23 18:16:33.0062 DLARTL_M (91886fed52a3f9966207bce46cfd794f) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
2010/12/23 18:16:33.0093 DLAUDFAM (b953498c35a31e5ac98f49adbcf3e627) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
2010/12/23 18:16:33.0125 DLAUDF_M (4897704c093c1f59ce58fc65e1e1ef1e) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
2010/12/23 18:16:33.0203 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/23 18:16:33.0281 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/23 18:16:33.0359 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/23 18:16:33.0406 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/23 18:16:33.0437 DNE (2eddbb3ef1dd5a28cb07c149d36e7286) C:\WINDOWS\system32\DRIVERS\dne2000.sys
2010/12/23 18:16:33.0484 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/12/23 18:16:33.0515 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/23 18:16:33.0546 DRVMCDB (c00440385cf9f3d142917c63f989e244) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2010/12/23 18:16:33.0625 DRVNDDM (6e6ab29d3c06e64ce81feacda85394b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2010/12/23 18:16:33.0656 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/12/23 18:16:33.0734 e1express (00192f0c612591d585594e9467e6ca8b) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2010/12/23 18:16:33.0906 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/23 18:16:33.0953 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/12/23 18:16:34.0000 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/23 18:16:34.0031 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/12/23 18:16:34.0109 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/23 18:16:34.0171 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/23 18:16:34.0203 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/23 18:16:34.0328 Gernuwa (fd25177ced6751c14de170d8282ced90) C:\WINDOWS\system32\drivers\Gernuwa.sys
2010/12/23 18:16:34.0375 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/23 18:16:34.0437 grmnusb (d956358054e99e6ffac69cd87e893a89) C:\WINDOWS\system32\drivers\grmnusb.sys
2010/12/23 18:16:34.0484 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/12/23 18:16:34.0546 HECI (d0fc694df051bc65946db616f20d1168) C:\WINDOWS\system32\DRIVERS\HECI.sys
2010/12/23 18:16:34.0640 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/23 18:16:34.0734 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/23 18:16:34.0906 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/23 18:16:34.0968 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2010/12/23 18:16:35.0046 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
2010/12/23 18:16:35.0109 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
2010/12/23 18:16:35.0140 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
2010/12/23 18:16:35.0171 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
2010/12/23 18:16:35.0218 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
2010/12/23 18:16:35.0250 iAimFP5 (0308aef61941e4af478fa1a0f83812f5) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
2010/12/23 18:16:35.0312 iAimFP6 (714038a8aa5de08e12062202cd7eaeb5) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
2010/12/23 18:16:35.0375 iAimFP7 (7bb3aa595e4507a788de1cdc63f4c8c4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
2010/12/23 18:16:35.0421 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
2010/12/23 18:16:35.0453 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
2010/12/23 18:16:35.0500 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
2010/12/23 18:16:35.0578 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
2010/12/23 18:16:35.0640 iAimTV5 (791cc45de6e50445be72e8ad6401ff45) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
2010/12/23 18:16:35.0687 iAimTV6 (352fa0e98bc461ce1ce5d41f64db558d) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
2010/12/23 18:16:35.0734 iaStor (019cf5f31c67030841233c545a0e217a) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2010/12/23 18:16:35.0812 IFXTPM (f67554da27d5b55efcb6c7cb4818fbfd) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
2010/12/23 18:16:35.0875 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/23 18:16:36.0109 IntcAzAudAddService (06b0e8d608ab69643b14a1f95f7feab3) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/12/23 18:16:36.0156 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/23 18:16:36.0203 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/23 18:16:36.0234 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/23 18:16:36.0281 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/23 18:16:36.0312 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/23 18:16:36.0375 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/23 18:16:36.0406 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/23 18:16:36.0453 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/23 18:16:36.0484 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/23 18:16:36.0531 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/23 18:16:36.0562 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/12/23 18:16:36.0687 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/23 18:16:36.0781 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/23 18:16:36.0984 mirrorv3 (d96ea49ab9a9174331bc023fd0cadc18) C:\WINDOWS\system32\DRIVERS\rminiv3.sys
2010/12/23 18:16:37.0046 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/23 18:16:37.0093 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/23 18:16:37.0140 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/23 18:16:37.0203 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/23 18:16:37.0234 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/23 18:16:37.0359 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/23 18:16:37.0406 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/23 18:16:37.0468 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/23 18:16:37.0500 MSHUSBVideo (5119ffc2a6b51089cdb0efdc75808c97) C:\WINDOWS\system32\Drivers\nx6000.sys
2010/12/23 18:16:37.0531 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/23 18:16:37.0578 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/23 18:16:37.0593 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/23 18:16:37.0640 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/23 18:16:37.0671 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/12/23 18:16:37.0718 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/23 18:16:37.0781 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/12/23 18:16:37.0843 NAL (1e59aaed42a5e3a5ed86ec403f9c0776) C:\WINDOWS\system32\Drivers\iqvw32.sys
2010/12/23 18:16:37.0906 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/23 18:16:37.0953 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/12/23 18:16:38.0000 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/23 18:16:38.0109 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/23 18:16:38.0156 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/23 18:16:38.0187 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/23 18:16:38.0234 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/23 18:16:38.0281 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/23 18:16:38.0343 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
2010/12/23 18:16:38.0406 NPF (6623e51595c0076755c29c00846c4eb2) C:\WINDOWS\system32\drivers\npf.sys
2010/12/23 18:16:38.0453 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/23 18:16:38.0500 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/23 18:16:38.0593 NTIDrvr (8055859b87ac3e504ece0c1e9353cc4e) C:\WINDOWS\system32\drivers\NTIDrvr.sys
2010/12/23 18:16:38.0640 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/23 18:16:38.0671 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/23 18:16:38.0703 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/23 18:16:38.0734 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2010/12/23 18:16:38.0843 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/23 18:16:38.0890 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/23 18:16:38.0937 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/23 18:16:38.0984 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/23 18:16:39.0109 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/23 18:16:39.0234 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/23 18:16:39.0531 PersonalSecureDrive (9abf51856b69b6a343988bc7d74840c4) C:\WINDOWS\System32\drivers\psd.sys
2010/12/23 18:16:39.0609 pppop (80ae9714ff0c140d6471911fe334198a) C:\WINDOWS\system32\DRIVERS\pppop.sys
2010/12/23 18:16:39.0703 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/23 18:16:39.0828 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/23 18:16:39.0953 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/23 18:16:40.0046 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/12/23 18:16:40.0296 raddrvv3 (bfadb3f81e4e8ab07bca46f2882989da) C:\WINDOWS\system32\rserver30\raddrvv3.sys
2010/12/23 18:16:40.0359 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/23 18:16:40.0421 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/23 18:16:40.0484 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/23 18:16:40.0531 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/23 18:16:40.0625 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/23 18:16:40.0671 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/23 18:16:40.0734 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/23 18:16:40.0890 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/23 18:16:40.0937 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/23 18:16:41.0000 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/23 18:16:41.0031 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/12/23 18:16:41.0078 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/12/23 18:16:41.0109 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/23 18:16:41.0171 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/12/23 18:16:41.0234 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/23 18:16:41.0281 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/23 18:16:41.0328 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/23 18:16:41.0390 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2010/12/23 18:16:41.0421 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/12/23 18:16:41.0453 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/23 18:16:41.0484 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/23 18:16:41.0515 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/12/23 18:16:41.0562 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/12/23 18:16:41.0703 SymEvent (7e3a39f208d93f7d443794db9aefbe44) C:\Program Files\Symantec\SYMEVENT.SYS
2010/12/23 18:16:41.0765 Symmpi (f2b7e8416f508368ac6730e2ae1c614f) C:\WINDOWS\system32\DRIVERS\symmpi.sys
2010/12/23 18:16:41.0812 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/12/23 18:16:41.0843 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/12/23 18:16:41.0890 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/23 18:16:41.0937 tap0801 (846b7c0e3f6370cdcce157a5b36e70cd) C:\WINDOWS\system32\DRIVERS\tap0801.sys
2010/12/23 18:16:41.0984 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/23 18:16:42.0031 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/23 18:16:42.0062 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/23 18:16:42.0093 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/23 18:16:42.0171 UBHelper (9e39dc3022e6d84bf974678011a1ea4c) C:\WINDOWS\system32\drivers\UBHelper.sys
2010/12/23 18:16:42.0218 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/23 18:16:42.0296 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/12/23 18:16:42.0328 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/23 18:16:42.0390 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/23 18:16:42.0421 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/23 18:16:42.0453 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/12/23 18:16:42.0484 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/12/23 18:16:42.0515 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/23 18:16:42.0546 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/23 18:16:42.0625 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2010/12/23 18:16:42.0671 VBoxDrv (60741ad74d5d599dc1ba7a00265a3606) C:\WINDOWS\system32\DRIVERS\VBoxDrv.sys
2010/12/23 18:16:42.0703 VBoxNetAdp (3f753d64b3a3aba0690aeeb8e4f12460) C:\WINDOWS\system32\DRIVERS\VBoxNetAdp.sys
2010/12/23 18:16:42.0828 VBoxNetFlt (32207ed4e4b335e5ec774d37127e837e) C:\WINDOWS\system32\DRIVERS\VBoxNetFlt.sys
2010/12/23 18:16:42.0906 VBoxUSBMon (7d0c8fc5a5917af4f091d0f4e83a7cec) C:\WINDOWS\system32\DRIVERS\VBoxUSBMon.sys
2010/12/23 18:16:42.0953 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/12/23 18:16:42.0984 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/12/23 18:16:43.0031 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/23 18:16:43.0078 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys
2010/12/23 18:16:43.0187 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/23 18:16:43.0234 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
2010/12/23 18:16:43.0328 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/23 18:16:43.0390 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
2010/12/23 18:16:43.0421 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/12/23 18:16:43.0468 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/12/23 18:16:43.0515 WudfPf (6ff66513d372d479ef1810223c8d20ce) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/12/23 18:16:43.0546 WudfRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/12/23 18:16:43.0593 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/23 18:16:43.0593 ================================================================================
2010/12/23 18:16:43.0593 Scan finished
2010/12/23 18:16:43.0593 ================================================================================
2010/12/23 18:16:43.0609 Detected object count: 1
2010/12/23 18:16:56.0421 \HardDisk0 - will be cured after reboot
2010/12/23 18:16:56.0421 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/23 18:17:10.0734 Deinitialize success

Old 23rd December 2010   #5
broni
Malware Analyst
Join Date: Aug 2002
Location: Daly City, CA
Posts: 19,793
Computer Experience: intermediate

Good job

Download Bootkit Remover to your Desktop.
  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.

Old 23rd December 2010   #6
dmonfette
THREAD STARTER
Join Date: Dec 2010
Posts: 19
Computer Experience: Beginner

Here is the result:
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: a47b8690aaee9b3d17289c10971c153a

Size Device Name MBR Status
--------------------------------------------
698 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...

Old 24th December 2010   #7
broni
Malware Analyst
Join Date: Aug 2002
Location: Daly City, CA
Posts: 19,793
Computer Experience: intermediate

We need to fix your MBR...

Please download NTBR by noahdfear and save it to your Desktop.
File size: 2.44 MB (2,565,432 bytes)
  • Place a blank CD in your CD drive.
  • Double click on NTBR_CD.exe file and a folder of the same name will appear.
  • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
  • Follow the prompts to burn the CD.
  • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
  • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
  • Insert the newly created CD into your infected PC and reboot your computer.
  • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
  • Read the warning and then continue as prompted.
  • You first need to select your keyboard layout - press Enter for English.
  • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
  • On the following screen enter 5 to select Install Standard MBR code.
  • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
  • When asked to confirm please do so.
  • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
  • Eject the disc and then press ctrl+alt+del to reboot the PC.
Once rebooted, run MBRCheck again and post its log.

Old 24th December 2010   #8
dmonfette
THREAD STARTER
Join Date: Dec 2010
Posts: 19
Computer Experience: Beginner

Here is the result: (Looks good to me!)

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0006001c

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000010`a0f85600 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000012`a14c0000 (NTFS)

Size Device Name MBR Status
--------------------------------------------
698 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
Press ENTER to exit...

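To show what the two boot-sector checks in this thread are actually doing (Bootkit Remover reporting "Unknown boot code" with an MD5 of the boot sector before the repair, MBRCheck reporting "Windows XP MBR code detected" with a SHA1 after it), here is a small Python script. It is an added example, not code from this thread, from Bootkit Remover, MBRCheck or NTBR: it takes a 512-byte master boot record, hashes the boot-code area, verifies the 0x55AA signature and decodes the four partition entries, so that a volume offset such as the 0x7e00 shown for \\.\C: can be read back as "LBA 63". The sample MBRs are constructed fixtures, the allow-list of known-good hashes is an assumption (in practice it would hold hashes of genuine boot code captured from a trusted installation), and hashing only the first 440 bytes is a design choice of this example; the page does not say exactly which byte range the real tools hash.

```python
"""Inspect a 512-byte master boot record: hash the boot-code area, verify the
0x55AA signature and decode the partition table.

Added example for this thread, not code from Bootkit Remover or MBRCheck. The
sample MBRs below are constructed fixtures and the hash allow-list is an
assumption standing in for hashes of genuine boot code."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0-439 hold the executable boot code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511

# Subset of the standard MBR partition type IDs, enough for this example.
PART_TYPES = {0x00: "Empty", 0x05: "Extended", 0x07: "NTFS",
              0x0b: "FAT32", 0x0c: "FAT32 LBA", 0x0f: "Extended LBA"}


def parse_partitions(mbr):
    """Return one dict per non-empty partition entry."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * struct.calcsize(PART_ENTRY_FMT)
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype == 0x00:
            continue
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": PART_TYPES.get(ptype, "0x%02x" % ptype),
            "lba_start": lba_start,
            "byte_offset": lba_start * SECTOR_SIZE,   # the value the logs print after "at offset"
            "sectors": sectors,
        })
    return entries


def inspect_mbr(mbr, known_good_md5):
    """Classify the boot code against an allow-list of MD5 hashes of known-good code."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    boot_code = mbr[:BOOT_CODE_LEN]          # assumption: hash only the code area
    md5 = hashlib.md5(boot_code).hexdigest()
    sha1 = hashlib.sha1(boot_code).hexdigest()
    if mbr[510:512] != BOOT_SIGNATURE:
        status = "invalid boot signature"      # not a bootable sector at all
    elif md5 in known_good_md5:
        status = "known boot code"
    else:
        status = "unknown boot code"           # what Bootkit Remover reported on the infected disk
    return {"status": status, "md5": md5, "sha1": sha1, "partitions": parse_partitions(mbr)}


def build_sample_mbr(boot_code, partitions):
    """Assemble a constructed 512-byte MBR from a boot-code stub and
    (bootable, type, lba_start, sectors) tuples. Test fixture only."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code       # rest of the code area and the disk signature stay zero
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        off = PART_TABLE_OFF + i * struct.calcsize(PART_ENTRY_FMT)
        struct.pack_into(PART_ENTRY_FMT, sector, off,
                         0x80 if bootable else 0x00, b"\xfe\xff\xff", ptype,
                         b"\xfe\xff\xff", lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed fixtures: a "clean" boot-code stub, the same stub with one byte
# changed (standing in for boot code a bootkit has rewritten), and a layout
# whose first volume starts at LBA 63, i.e. byte offset 0x7e00 as in the logs.
CLEAN_BOOT_CODE = b"CONSTRUCTED CLEAN BOOT CODE STUB".ljust(BOOT_CODE_LEN, b"\x00")
TAMPERED_BOOT_CODE = b"X" + CLEAN_BOOT_CODE[1:]
SAMPLE_PARTITIONS = [(True, 0x07, 63, 2_000_000), (False, 0x07, 2_000_063, 4_000_000)]
KNOWN_GOOD_MD5 = frozenset({hashlib.md5(CLEAN_BOOT_CODE).hexdigest()})


def demo():
    """Inspect a clean and a tampered fixture; returns both reports."""
    clean = build_sample_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
    tampered = build_sample_mbr(TAMPERED_BOOT_CODE, SAMPLE_PARTITIONS)
    return inspect_mbr(clean, KNOWN_GOOD_MD5), inspect_mbr(tampered, KNOWN_GOOD_MD5)


if __name__ == "__main__":
    for r in demo():
        vols = [(p["type"], hex(p["byte_offset"])) for p in r["partitions"]]
        print("%-22s md5=%s volumes=%s" % (r["status"], r["md5"], vols))
```

On a real machine the 512 bytes would come from opening the physical drive read-only (for example `\\.\PhysicalDrive0` on Windows) and reading the first sector; the point of hashing only the code area is that the partition table and disk signature legitimately differ from machine to machine, while the boot code of a given Windows version does not, which is why an allow-list comparison can separate stock code from code a bootkit like the TDL4 found above has replaced.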
Old 24th December 2010   #9
broni
Malware Analyst
Join Date: Aug 2002
Location: Daly City, CA
Posts: 19,793
Computer Experience: intermediate

Yes

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.pif
Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

Old 24th December 2010   #10
dmonfette
THREAD STARTER
Join Date: Dec 2010
Posts: 19
Computer Experience: Beginner

Thanks again broni!

Here is the ComboFix result:

ComboFix 10-12-24.01 - Administrator 2010-12-24 13:42:57.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.3583.2840 [GMT -5:00]
Lancé depuis: c:\documents and settings\Administrator\Desktop\malware\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\danny\Local Settings\Application Data\{89489159-3FA0-49AC-968A-7C3E455F74FB}
c:\documents and settings\danny\Local Settings\Application Data\{89489159-3FA0-49AC-968A-7C3E455F74FB}\chrome.manifest
c:\documents and settings\danny\Local Settings\Application Data\{89489159-3FA0-49AC-968A-7C3E455F74FB}\chrome\content\_cfg.js
c:\documents and settings\danny\Local Settings\Application Data\{89489159-3FA0-49AC-968A-7C3E455F74FB}\chrome\content\overlay.xul
c:\documents and settings\danny\Local Settings\Application Data\{89489159-3FA0-49AC-968A-7C3E455F74FB}\install.rdf
c:\windows\AUTOLNCH.REG
c:\windows\system32\Oeminfo.ini
c:\windows\winhelp.ini
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS


((((((((((((((((((((((((((((( Fichiers créés du 2010-11-24 au 2010-12-24 ))))))))))))))))))))))))))))))))))))
.

2010-12-23 03:45 . 2008-04-14 10:41 33792 ------w- c:\windows\system32\dllcache\custsat.dll
2010-12-23 03:26 . 2010-12-23 03:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Roxio
2010-12-23 03:26 . 2010-12-23 03:26 -------- d-----w- c:\program files\autorun
2010-12-23 03:13 . 2010-12-23 03:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-12-20 12:30 . 2010-12-23 03:21 0 ----a-w- c:\windows\Ibilodobuvog.bin
2010-12-20 08:57 . 2010-12-20 08:57 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2010-12-20 05:30 . 2010-12-20 08:56 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-20 05:06 . 2010-12-20 05:06 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-12-20 01:06 . 2010-12-20 01:06 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-05 22:49 . 2009-03-05 22:48 224256 ----a-w- c:\program files\fentun.exe
2008-08-06 21:27 . 2008-09-22 01:23 3520552 ----a-w- c:\program files\procexp.exe
2007-05-17 14:56 . 2008-02-01 22:42 172032 ----a-w- c:\program files\puttygen.exe
2007-05-17 14:56 . 2008-02-01 22:42 135168 ----a-w- c:\program files\pageant.exe
2007-05-17 14:56 . 2008-02-01 22:42 282624 ----a-w- c:\program files\plink.exe
2007-05-17 14:56 . 2008-02-01 22:42 307200 ----a-w- c:\program files\psftp.exe
2007-05-17 14:56 . 2008-02-01 22:42 294912 ----a-w- c:\program files\pscp.exe
2007-05-17 14:56 . 2008-02-01 22:42 294912 ----a-w- c:\program files\puttytel.exe
2007-05-17 14:55 . 2008-02-01 22:42 454656 ----a-w- c:\program files\putty.exe
.

((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not listed
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-08-22 2363392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-05-24 344064]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-06-08 131072]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"CognizanceTS"="c:\progra~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 17920]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"EventServer"="c:\program files\RemoteAgent64\Bin\EventServer.exe" [2006-11-14 151552]
"RTHDCPL"="RTHDCPL.EXE" [2008-06-13 16871936]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-17 281768]
"BackupNowEZtray"="c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe" [2009-05-08 552192]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-03-12 119152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-04-24 888832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MotionSD STUDIO - Auto-activation Navigateur SD -.lnk - c:\program files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe [2008-9-21 66952]
VPN Client.lnk - c:\windows\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2008-1-20 6144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
EventLogger.lnk - c:\program files\JM Integrated Remote Station\cms\EventLogger.exe [2010-8-17 540672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-04-07 04:00 434176 ----a-w- c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2006-06-07 19:26 40448 ----a-w- c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2004-11-05 15:50 8704 ----a-w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\WINDOWS\\system32\\mstsc.exe"=
"c:\\Program Files\\Look@LAN\\LookAtLan.exe"=
"c:\\Program Files\\RemoteAgent64\\Bin\\EventServer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Xming\\Xming.exe"=
"e:\\Program Files\\Sun\\VirtualBox\\VirtualBox.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Toktumi\\Toktumi.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\JM Integrated Remote Station\\cms\\EventLogger.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:TCP"= 4899:TCP:Remote_Admin

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [4/6/2006 11:46 PM 31104]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2/2/2007 2:54 PM 41176]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [9/15/2009 5:46 PM 123280]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [9/15/2009 5:46 PM 41680]
R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [5/6/2009 6:48 PM 135336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2/27/2006 9:00 PM 14336]
R2 exim;Exim;e:\cygwin\bin\cygrunsrv.exe [12/19/2008 8:17 PM 68096]
R2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSSLVPNdaemon.exe [2/6/2009 9:39 AM 518688]
R2 NovacomD;Palm Novacom;c:\program files\Palm\SDK\bin\novacom\x86\novacomd.exe [8/3/2009 9:13 PM 31232]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe [5/8/2009 5:20 PM 45312]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [5/11/2007 8:26 PM 36608]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [3/19/2010 3:26 PM 30576]
R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [2/3/2009 10:43 AM 36384]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [7/31/2004 4:50 PM 23552]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [9/15/2009 5:46 PM 99152]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2/12/2010 8:34 PM 110096]
S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 6:32 PM 133104]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
S4 RServer3;Radmin Server V3;"c:\windows\system32\rserver30\RServer3.exe" /service --> c:\windows\system32\rserver30\RServer3.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-08-22 18:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-03-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2010-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 23:32]

2010-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 23:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hp.com
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Handler: intu-ir2008 - {729D3592-92E7-4cbc-8E44-3C22B3F457B3} - c:\program files\ImpotRapide 2008\ic2008pp.dll
Handler: intu-ir2009 - {E4616804-F2F8-4839-B728-5305004DA6A7} - c:\program files\ImpotRapide 2009\ic2009pp.dll
DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://216.30.165.22:8080/activex/decoder/mpeg4_dec.cab
DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} - hxxp://65.254.18.46:100/RemoteWeb.cab
DPF: {5B8DED15-6FC1-4044-A923-F8CE2EAB40B7} - hxxp://216.215.157.230/SpecoRemote.cab
DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} - hxxp://65.254.18.46:100/VideoViewer.cab
DPF: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} - hxxp://192.168.200.100/dcsclictrl.cab
DPF: {A2DA760C-D2DF-4FED-92B4-593E3F148692} - hxxp://demopc8p24.dss.com.tw:1700/WebCamX.cab
DPF: {CF1C4A31-BD38-4DCB-BFDB-9E1854B6AAF1} - hxxp://www.dvrhost.com/control/viewer.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://216.30.165.22:8080/activex/AMC.cab
DPF: {F3CAAA40-344A-412E-84E3-D176D64EE54F} - hxxp://www.bms2000.org/BMS2000_Access_Control.ocx
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xcprpuph.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-24 13:47
Windows 5.1.2600 Service Pack 3 NTFS

Scanning hidden processes ...

Scanning hidden autostart entries ...

Scanning hidden files ...

Scan completed successfully
Hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,\
   00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(336)
c:\windows\system32\Ati2evxx.dll
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\windows\system32\IfxWlxEN.dll

- - - - - - - > 'explorer.exe'(3368)
c:\program files\HPQ\IAM\Bin\SFSShell.dll
c:\program files\HPQ\IAM\bin\ItMsg.dll
c:\program files\NewTech Infosystems\Backup Now EZ\Pehook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\program files\WinSCP3\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\HPQ\IAM\bin\asghost.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\IFXSPMGT.exe
e:\cygwin\bin\exim-4.69-1.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
c:\program files\TightVNC\WinVNC.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wscntfy.exe
c:\program files\ProtectTools\Embedded Security Software\PSDrt.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2010-12-24 13:49:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-24 18:49

Pre-Run: 27,672,326,144 bytes free
Post-Run: 27,589,345,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - F4783E8C1DE724E8F6A7495CE84C4357

dmonfette is offline  
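The log above carries several items worth a second look regardless of what ComboFix chose to delete: "EnableFirewall"= 0 in the standard profile, a globally open port (4899/TCP, Remote_Admin), a Run entry given as a bare file name (RTHDCPL.EXE), ActiveX cabs (DPF lines) fetched from raw IP addresses, and a zero-byte file created in c:\windows in the incident window. The script below is an added example, not part of this thread and not ComboFix's own code: it parses those line shapes out of a ComboFix-style log and emits a ranked finding list. Assumptions: the regular expressions describe the line shapes as they appear in this post (ComboFix publishes no log grammar), the severities and category names are the example's own, and the embedded sample input is a constructed subset of the log above.

```python
"""Triage helper for ComboFix-style logs.

Added example; not part of the original post and not ComboFix code. It parses
the handful of line shapes that occur in the log above (file-creation list,
Run keys, Windows Firewall policy block, GloballyOpenPorts, DPF/ActiveX
entries) and flags what a responder would look at first. The regexes and the
finding categories are this example's own assumptions about the log format.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines from the log above, in the same shape.
SAMPLE_LOG = r"""
2010-12-20 12:30 . 2010-12-23 03:21 0 ----a-w- c:\windows\Ibilodobuvog.bin
2010-12-20 08:57 . 2010-12-20 08:57 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-05-24 344064]
"RTHDCPL"="RTHDCPL.EXE" [2008-06-13 16871936]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:TCP"= 4899:TCP:Remote_Admin

DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://216.30.165.22:8080/activex/decoder/mpeg4_dec.cab
DPF: {CF1C4A31-BD38-4DCB-BFDB-9E1854B6AAF1} - hxxp://www.dvrhost.com/control/viewer.cab
"""

# Line shapes as seen in the posted log (assumed, not a documented format).
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<date>\S+) (?P<size>\d+)\]$')
FIREWALL_LINE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d)')
OPEN_PORT_LINE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<label>\S+)$')
DPF_LINE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<url>hxxps?://\S+)$")
HOST_IN_URL = re.compile(r"^hxxps?://(?P<host>[^/:]+)")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info" (example's own scale)
    category: str
    detail: str


def _is_raw_ip(host: str) -> bool:
    """True when the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text: str) -> list[Finding]:
    """Return findings for the recognised line shapes; unknown lines are ignored."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := FIREWALL_LINE.match(line)) and m["value"] == "0":
            findings.append(Finding("high", "firewall-disabled", line))
        elif m := OPEN_PORT_LINE.match(line):
            findings.append(Finding("medium", "globally-open-port", f"{m['port']}/{m['proto']} {m['label']}"))
        elif m := DPF_LINE.match(line):
            host = HOST_IN_URL.match(m["url"])["host"]
            if _is_raw_ip(host):
                findings.append(Finding("medium", "activex-from-raw-ip", f"{m['clsid']} <- {host}"))
            else:
                findings.append(Finding("info", "activex-cab", f"{m['clsid']} <- {host}"))
        elif m := RUN_LINE.match(line):
            # A bare file name is resolved through the PATH search order, so any
            # earlier directory on PATH could supply a look-alike binary.
            if "\\" not in m["path"]:
                findings.append(Finding("medium", "run-entry-bare-filename", f"{m['name']} -> {m['path']}"))
        elif m := FILE_LINE.match(line):
            # Zero-byte files dropped directly under c:\windows are a common
            # marker/placeholder pattern and cheap to verify by hand.
            if m["size"] == "0" and m["path"].lower().startswith("c:\\windows\\"):
                findings.append(Finding("medium", "zero-byte-file-in-windows", m["path"]))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, for a quick glance."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    order = ("high", "medium", "info")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.category:28} {f.detail}")
```

Run it as-is to print the findings for the embedded sample, or pass the text of a full log to triage(). Matching deliberately stops at the first recognised shape per line, so a line is never counted twice, and anything the regexes do not recognise is dropped silently; widen them before relying on the output for a log from a different ComboFix version.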
Old 24th December 2010   #11
Malware Analyst
 
broni's Avatar
 
Profile:
Join Date: Aug 2002
Location: Daly City, CA
Posts: 19,793
Computer Experience:
intermediate
broni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Level

My System
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\Ibilodobuvog.bin

3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt

broni is offline  
Old 25th December 2010   #12
Inactive
THREAD STARTER
 
Profile:
Join Date: Dec 2010
Posts: 19
Computer Experience:
Beginner
dmonfette Reputation Level

Broni,

I disabled my Avira antivir guard, created the txt file, dragged it to the combofix.exe icon. Combofix started, updated itself and ran.

I was asked to reboot the computer, but no report... Should I run it again?
Thanks,
--
Danny

dmonfette is offline  
Old 25th December 2010   #13
Malware Analyst
 
broni's Avatar
 
Profile:
Join Date: Aug 2002
Location: Daly City, CA
Posts: 19,793
Computer Experience:
intermediate
broni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Levelbroni Reputation Level

My System
Yes, please.

broni is offline  
Old 26th December 2010   #14
Inactive
THREAD STARTER
 
Profile:
Join Date: Dec 2010
Posts: 19
Computer Experience:
Beginner
dmonfette Reputation Level

This time it ran:

ComboFix 10-12-25.02 - Administrator 2010-12-25 22:58:55.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.3583.3021 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\malware\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\malware\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\Ibilodobuvog.bin"
.

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Ibilodobuvog.bin

.
((((((((((((((((((((((((((((( Files Created From 2010-11-26 to 2010-12-26 ))))))))))))))))))))))))))))))))))))
.

2010-12-26 03:57 . 2010-12-26 03:57 -------- d-----w- c:\windows\LastGood
2010-12-23 03:45 . 2008-04-14 10:41 33792 ------w- c:\windows\system32\dllcache\custsat.dll
2010-12-23 03:26 . 2010-12-23 03:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Roxio
2010-12-23 03:26 . 2010-12-23 03:26 -------- d-----w- c:\program files\autorun
2010-12-23 03:13 . 2010-12-23 03:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-12-20 08:57 . 2010-12-20 08:57 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2010-12-20 05:30 . 2010-12-20 08:56 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-20 05:06 . 2010-12-20 05:06 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-12-20 01:06 . 2010-12-20 01:06 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-25 21:20 . 2009-05-06 23:48 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-12-25 21:20 . 2009-05-06 23:48 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-05 05:05 . 2006-02-28 02:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-11-05 05:05 . 2006-02-28 02:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-11-05 05:05 . 2006-02-28 02:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-11-03 12:59 . 2006-02-28 02:00 369664 ----a-w- c:\windows\system32\html.iec
2010-10-26 13:25 . 2006-02-28 02:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2009-03-05 22:49 . 2009-03-05 22:48 224256 ----a-w- c:\program files\fentun.exe
2008-08-06 21:27 . 2008-09-22 01:23 3520552 ----a-w- c:\program files\procexp.exe
2007-05-17 14:56 . 2008-02-01 22:42 172032 ----a-w- c:\program files\puttygen.exe
2007-05-17 14:56 . 2008-02-01 22:42 135168 ----a-w- c:\program files\pageant.exe
2007-05-17 14:56 . 2008-02-01 22:42 282624 ----a-w- c:\program files\plink.exe
2007-05-17 14:56 . 2008-02-01 22:42 307200 ----a-w- c:\program files\psftp.exe
2007-05-17 14:56 . 2008-02-01 22:42 294912 ----a-w- c:\program files\pscp.exe
2007-05-17 14:56 . 2008-02-01 22:42 294912 ----a-w- c:\program files\puttytel.exe
2007-05-17 14:55 . 2008-02-01 22:42 454656 ----a-w- c:\program files\putty.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-12-24_18.47.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-26 03:55 . 2010-12-26 03:55 16384 c:\windows\Temp\Perflib_Perfdata_fcc.dat
+ 2010-12-26 03:53 . 2010-12-26 03:53 16384 c:\windows\Temp\Perflib_Perfdata_d74.dat
+ 2010-12-26 03:58 . 2010-12-26 03:58 16384 c:\windows\Temp\Perflib_Perfdata_9f8.dat
+ 2007-05-12 01:34 . 2007-07-27 15:41 26488 c:\windows\system32\spupdsvc.exe
- 2007-05-12 01:34 . 2007-08-11 01:46 26488 c:\windows\system32\spupdsvc.exe
+ 2006-04-25 17:43 . 2010-12-26 03:57 71196 c:\windows\system32\perfc009.dat
- 2006-04-25 17:43 . 2010-12-24 14:54 71196 c:\windows\system32\perfc009.dat
+ 2006-02-28 02:00 . 2010-06-17 14:03 80384 c:\windows\system32\iccvid.dll
- 2006-02-28 02:00 . 2008-04-14 10:41 80384 c:\windows\system32\iccvid.dll
+ 2010-12-24 04:16 . 2010-10-11 14:59 45568 c:\windows\system32\dllcache\wab.exe
- 2009-02-20 08:14 . 2010-04-16 16:09 81920 c:\windows\system32\dllcache\ieencode.dll
+ 2009-02-20 08:14 . 2010-11-05 05:05 81920 c:\windows\system32\dllcache\ieencode.dll
- 2010-03-23 09:31 . 2010-03-23 09:31 30544 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 2010-09-22 14:43 . 2010-09-22 14:43 30544 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
- 2010-04-01 15:42 . 2010-04-01 15:42 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2010-09-23 20:55 . 2010-09-23 20:55 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
- 2010-03-31 18:51 . 2010-03-31 18:51 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2010-09-23 07:26 . 2010-09-23 07:26 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2010-09-23 07:26 . 2010-09-23 07:26 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2010-03-31 18:51 . 2010-03-31 18:51 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2010-03-31 18:51 . 2010-03-31 18:51 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2010-09-23 07:26 . 2010-09-23 07:26 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2010-03-31 19:32 . 2010-03-31 19:32 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2010-09-23 08:17 . 2010-09-23 08:17 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2010-09-23 08:17 . 2010-09-23 08:17 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
- 2010-03-31 19:32 . 2010-03-31 19:32 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2010-12-25 21:21 . 2010-12-25 21:21 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_cbe58f0d\System.Drawing.Design.dll
+ 2010-12-25 21:21 . 2010-12-25 21:21 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_1ca6bbf3\CustomMarshalers.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2010-12-26 03:57 . 2010-12-26 03:57 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2010-12-25 21:21 . 2010-12-25 21:21 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
- 2010-06-10 12:32 . 2010-06-10 12:32 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
+ 2010-12-25 21:20 . 2007-03-06 01:22 14048 c:\windows\$NtUninstallKB971961$\spmsg.dll
+ 2010-12-25 21:20 . 2007-03-06 01:22 22752 c:\windows\$NtUninstallKB971961$\spcustom.dll
+ 2009-09-14 23:30 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB971961\update\spcustom.dll
+ 2009-09-14 23:30 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB971961\spmsg.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2009-04-17 21:21 . 2010-08-13 12:53 5120 c:\windows\system32\xpsp4res.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2010-12-26 03:57 . 2010-12-26 03:57 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2010-06-24 21:02 . 2010-06-24 21:02 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2006-02-28 02:00 . 2008-04-14 10:42 233472 c:\windows\system32\wmpdxm.dll
+ 2006-02-28 02:00 . 2009-07-12 17:21 233472 c:\windows\system32\wmpdxm.dll
- 2006-02-28 02:00 . 2008-04-14 10:42 406016 c:\windows\system32\usp10.dll
+ 2006-02-28 02:00 . 2010-04-16 15:36 406016 c:\windows\system32\usp10.dll
+ 2006-02-28 02:00 . 2010-11-05 05:05 629760 c:\windows\system32\urlmon.dll
+ 2006-02-28 02:00 . 2010-06-30 12:31 149504 c:\windows\system32\schannel.dll
+ 2006-02-28 02:00 . 2010-08-16 08:45 590848 c:\windows\system32\rpcrt4.dll
+ 2006-04-25 17:43 . 2010-12-26 03:57 441260 c:\windows\system32\perfh009.dat
- 2006-04-25 17:43 . 2010-12-24 14:54 441260 c:\windows\system32\perfh009.dat
- 2006-02-28 02:00 . 2008-04-14 10:42 532480 c:\windows\system32\mstime.dll
+ 2006-02-28 02:00 . 2010-11-05 05:05 532480 c:\windows\system32\mstime.dll
+ 2006-02-28 02:00 . 2010-11-05 05:05 449024 c:\windows\system32\mshtmled.dll
- 2006-02-28 02:00 . 2008-04-14 10:42 449024 c:\windows\system32\mshtmled.dll
+ 2006-02-28 02:00 . 2009-08-13 15:16 512000 c:\windows\system32\jscript.dll
- 2006-02-28 02:00 . 2008-04-14 10:41 512000 c:\windows\system32\jscript.dll
+ 2006-02-28 02:00 . 2010-06-09 07:43 692736 c:\windows\system32\inetcomm.dll
+ 2006-02-28 02:00 . 2010-11-05 05:05 251904 c:\windows\system32\iepeers.dll
- 2006-02-28 02:00 . 2010-04-16 16:09 251904 c:\windows\system32\iepeers.dll
- 2006-04-25 17:39 . 2010-12-23 05:17 254272 c:\windows\system32\FNTCACHE.DAT
+ 2006-04-25 17:39 . 2010-12-25 21:24 254272 c:\windows\system32\FNTCACHE.DAT
+ 2009-07-13 06:18 . 2009-07-12 17:21 233472 c:\windows\system32\dllcache\wmpdxm.dll
- 2009-07-13 06:18 . 2008-04-14 10:42 233472 c:\windows\system32\dllcache\wmpdxm.dll
+ 2008-06-23 15:09 . 2010-11-05 05:05 667136 c:\windows\system32\dllcache\wininet.dll
- 2008-06-23 15:09 . 2010-04-16 16:09 667136 c:\windows\system32\dllcache\wininet.dll
+ 2010-04-16 15:36 . 2010-04-16 15:36 406016 c:\windows\system32\dllcache\usp10.dll
+ 2008-06-26 08:15 . 2010-11-05 05:05 629760 c:\windows\system32\dllcache\urlmon.dll
+ 2008-12-05 06:54 . 2010-06-30 12:31 149504 c:\windows\system32\dllcache\schannel.dll
+ 2009-04-15 14:51 . 2010-08-16 08:45 590848 c:\windows\system32\dllcache\rpcrt4.dll
+ 2010-11-05 05:05 . 2010-11-05 05:05 532480 c:\windows\system32\dllcache\mstime.dll
+ 2010-11-05 05:05 . 2010-11-05 05:05 449024 c:\windows\system32\dllcache\mshtmled.dll
+ 2010-12-24 04:16 . 2009-08-13 15:16 512000 c:\windows\system32\dllcache\jscript.dll
+ 2008-08-20 15:47 . 2010-06-09 07:43 692736 c:\windows\system32\dllcache\inetcomm.dll
- 2010-04-16 16:09 . 2010-04-16 16:09 251904 c:\windows\system32\dllcache\iepeers.dll
+ 2010-04-16 16:09 . 2010-11-05 05:05 251904 c:\windows\system32\dllcache\iepeers.dll
+ 2010-09-22 14:43 . 2010-09-22 14:43 435024 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
- 2010-03-23 09:31 . 2010-03-23 09:31 435024 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
+ 2010-09-23 07:26 . 2010-09-23 07:26 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2010-03-31 18:51 . 2010-03-31 18:51 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2010-03-31 18:49 . 2010-03-31 18:49 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2010-09-23 07:25 . 2010-09-23 07:25 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2010-09-23 08:17 . 2010-09-23 08:17 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2010-03-31 19:32 . 2010-03-31 19:32 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2010-12-25 21:21 . 2010-12-25 21:21 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_98deb076\System.Drawing.dll
+ 2010-12-25 21:21 . 2010-12-25 21:21 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_b8b9aa85\System.Drawing.Design.dll
+ 2010-12-25 21:21 . 2010-12-25 21:21 118784 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_6b93433d\CustomMarshalers.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2010-12-26 03:57 . 2010-12-26 03:57 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2010-12-26 03:57 . 2010-12-26 03:57 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2010-12-26 03:57 . 2010-12-26 03:57 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2010-12-26 03:57 . 2010-12-26 03:57 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2010-12-26 03:57 . 2010-12-26 03:57 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2010-12-25 21:20 . 2007-03-06 01:23 371424 c:\windows\$NtUninstallKB971961$\updspapi.dll
+ 2010-12-25 21:20 . 2007-03-06 01:22 716000 c:\windows\$NtUninstallKB971961$\update.exe
+ 2009-09-14 23:30 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB971961$\spuninst\updspapi.dll
+ 2009-09-14 23:30 . 2009-05-26 11:40 231288 c:\windows\$NtUninstallKB971961$\spuninst\spuninst.exe
+ 2010-12-25 21:20 . 2007-03-06 01:22 213216 c:\windows\$NtUninstallKB971961$\spuninst.exe
+ 2009-09-14 23:30 . 2008-04-14 10:41 512000 c:\windows\$NtUninstallKB971961$\jscript.dll
+ 2009-09-14 23:30 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB971961\update\updspapi.dll
+ 2009-09-14 23:30 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB971961\update\update.exe
+ 2009-09-14 23:30 . 2009-05-26 11:40 231288 c:\windows\$hf_mig$\KB971961\spuninst.exe
+ 2010-12-24 04:16 . 2009-08-13 15:02 512000 c:\windows\$hf_mig$\KB971961\SP3QFE\jscript.dll
+ 2006-02-28 02:00 . 2009-07-12 17:21 4874240 c:\windows\system32\wmp.dll
- 2006-02-28 02:00 . 2008-04-14 10:42 4874240 c:\windows\system32\wmp.dll
+ 2006-02-28 02:00 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll
+ 2006-02-28 02:00 . 2010-11-05 05:05 1510400 c:\windows\system32\shdocvw.dll
+ 2006-02-28 02:00 . 2010-11-05 05:05 3076096 c:\windows\system32\mshtml.dll
+ 2009-07-13 06:18 . 2009-07-12 17:21 4874240 c:\windows\system32\dllcache\wmp.dll
- 2009-07-13 06:18 . 2008-04-14 10:42 4874240 c:\windows\system32\dllcache\wmp.dll
+ 2008-10-15 23:23 . 2010-10-26 13:25 1853312 c:\windows\system32\dllcache\win32k.sys
+ 2008-06-17 19:02 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll
+ 2008-06-26 08:15 . 2010-11-05 05:05 1510400 c:\windows\system32\dllcache\shdocvw.dll
+ 2008-06-23 15:09 . 2010-11-05 05:05 3076096 c:\windows\system32\dllcache\mshtml.dll
+ 2010-03-11 20:42 . 2010-06-18 13:36 3558912 c:\windows\system32\dllcache\moviemk.exe
- 2010-03-11 20:42 . 2009-10-23 15:28 3558912 c:\windows\system32\dllcache\moviemk.exe
+ 2010-04-16 16:09 . 2010-11-05 05:05 1025024 c:\windows\system32\dllcache\browseui.dll
- 2010-04-16 16:09 . 2010-04-16 16:09 1025024 c:\windows\system32\dllcache\browseui.dll
- 2006-02-28 02:00 . 2010-04-16 16:09 1025024 c:\windows\system32\browseui.dll
+ 2006-02-28 02:00 . 2010-11-05 05:05 1025024 c:\windows\system32\browseui.dll
- 2010-03-23 09:32 . 2010-03-23 09:32 5242880 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2010-09-22 14:44 . 2010-09-22 14:44 5242880 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
- 2010-04-01 15:42 . 2010-04-01 15:42 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2010-09-23 20:55 . 2010-09-23 20:55 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2010-04-01 15:42 . 2010-04-01 15:42 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2010-09-23 20:55 . 2010-09-23 20:55 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2010-09-23 07:26 . 2010-09-23 07:26 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2010-03-31 18:50 . 2010-03-31 18:50 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2010-09-23 07:25 . 2010-09-23 07:25 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2010-09-23 20:55 . 2010-09-23 20:55 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2010-04-01 15:42 . 2010-04-01 15:42 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2010-09-23 12:40 . 2010-09-23 12:40 2607104 c:\windows\Installer\4de7f.msp
+ 2010-09-23 12:39 . 2010-09-23 12:39 4265472 c:\windows\Installer\4de7e.msp
+ 2010-09-23 12:39 . 2010-09-23 12:39 4265472 c:\windows\Installer\35b08.msp
+ 2010-12-25 21:21 . 2010-12-25 21:21 4792320 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_f97b166c\System.dll
+ 2010-12-25 21:21 . 2010-12-25 21:21 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_1058d0c9\System.dll
+ 2010-12-25 21:21 . 2010-12-25 21:21 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_8ef93dbb\System.Xml.dll
+ 2010-12-25 21:21 . 2010-12-25 21:21 5513216 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_366e4a1e\System.Xml.dll
+ 2010-12-25 21:21 . 2010-12-25 21:21 7884800 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_e7e68329\System.Windows.Forms.dll
+ 2010-12-25 21:21 . 2010-12-25 21:21 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_062bc2d3\System.Windows.Forms.dll
+ 2010-12-25 21:21 . 2010-12-25 21:21 2244608 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_be742de6\System.Drawing.dll
+ 2010-12-25 21:21 . 2010-12-25 21:21 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_c9c0c50f\System.Design.dll
+ 2010-12-25 21:21 . 2010-12-25 21:21 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_9c35d7c8\System.Design.dll
+ 2010-12-25 21:21 . 2010-12-25 21:21 8908800 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_e033505b\mscorlib.dll
+ 2010-12-25 21:21 . 2010-12-25 21:21 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_32279eec\mscorlib.dll
+ 2010-12-26 03:57 . 2010-12-26 03:57 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2010-12-26 03:57 . 2010-12-26 03:57 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2010-12-26 03:56 . 2010-12-26 03:56 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2010-12-26 03:57 . 2010-12-26 03:57 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2010-12-26 03:57 . 2010-12-26 03:57 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2010-06-24 21:02 . 2010-06-24 21:02 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2010-12-25 21:21 . 2010-12-25 21:21 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2010-06-10 12:32 . 2010-06-10 12:32 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2010-06-10 12:32 . 2010-06-10 12:32 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2010-12-25 21:21 . 2010-12-25 21:21 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2010-09-24 19:08 . 2010-09-24 19:08 11430400 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M2416447\M2416447Uninstall.msp
+ 2010-09-24 12:08 . 2010-09-24 12:08 17518080 c:\windows\Installer\4de7d.msp
+ 2010-12-26 03:58 . 2010-12-26 03:58 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\28d23e870e26d7284dbf506a5a19402a\System.Design.ni.dll
.
-- Instantané actualisé --
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-08-22 2363392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-05-24 344064]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-06-08 131072]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"CognizanceTS"="c:\progra~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 17920]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"EventServer"="c:\program files\RemoteAgent64\Bin\EventServer.exe" [2006-11-14 151552]
"RTHDCPL"="RTHDCPL.EXE" [2008-06-13 16871936]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-17 281768]
"BackupNowEZtray"="c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe" [2009-05-08 552192]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-03-12 119152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-04-24 888832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MotionSD STUDIO - Auto-activation Navigateur SD -.lnk - c:\program files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe [2008-9-21 66952]
VPN Client.lnk - c:\windows\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2008-1-20 6144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
EventLogger.lnk - c:\program files\JM Integrated Remote Station\cms\EventLogger.exe [2010-8-17 540672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-04-07 04:00 434176 ----a-w- c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2006-06-07 19:26 40448 ----a-w- c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2004-11-05 15:50 8704 ----a-w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\WINDOWS\\system32\\mstsc.exe"=
"c:\\Program Files\\Look@LAN\\LookAtLan.exe"=
"c:\\Program Files\\RemoteAgent64\\Bin\\EventServer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Xming\\Xming.exe"=
"e:\\Program Files\\Sun\\VirtualBox\\VirtualBox.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Toktumi\\Toktumi.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\JM Integrated Remote Station\\cms\\EventLogger.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:TCP"= 4899:TCP:Remote_Admin

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [4/6/2006 11:46 PM 31104]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2/2/2007 2:54 PM 41176]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [9/15/2009 5:46 PM 123280]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [9/15/2009 5:46 PM 41680]
R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [5/6/2009 6:48 PM 135336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2/27/2006 9:00 PM 14336]
R2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSSLVPNdaemon.exe [2/6/2009 9:39 AM 518688]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe [5/8/2009 5:20 PM 45312]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [5/11/2007 8:26 PM 36608]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [3/19/2010 3:26 PM 30576]
R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [2/3/2009 10:43 AM 36384]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [7/31/2004 4:50 PM 23552]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [9/15/2009 5:46 PM 99152]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2/12/2010 8:34 PM 110096]
S2 exim;Exim;e:\cygwin\bin\cygrunsrv.exe [12/19/2008 8:17 PM 68096]
S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 6:32 PM 133104]
S2 NovacomD;Palm Novacom;c:\program files\Palm\SDK\bin\novacom\x86\novacomd.exe [8/3/2009 9:13 PM 31232]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
S4 RServer3;Radmin Server V3;"c:\windows\system32\rserver30\RServer3.exe" /service --> c:\windows\system32\rserver30\RServer3.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-08-22 18:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contenu du dossier 'Tâches planifiées'

2010-03-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2010-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 23:32]

2010-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 23:32]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.hp.com
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Handler: intu-ir2008 - {729D3592-92E7-4cbc-8E44-3C22B3F457B3} - c:\program files\ImpotRapide 2008\ic2008pp.dll
Handler: intu-ir2009 - {E4616804-F2F8-4839-B728-5305004DA6A7} - c:\program files\ImpotRapide 2009\ic2009pp.dll
DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://216.30.165.22:8080/activex/decoder/mpeg4_dec.cab
DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} - hxxp://65.254.18.46:100/RemoteWeb.cab
DPF: {5B8DED15-6FC1-4044-A923-F8CE2EAB40B7} - hxxp://216.215.157.230/SpecoRemote.cab
DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} - hxxp://65.254.18.46:100/VideoViewer.cab
DPF: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} - hxxp://192.168.200.100/dcsclictrl.cab
DPF: {A2DA760C-D2DF-4FED-92B4-593E3F148692} - hxxp://demopc8p24.dss.com.tw:1700/WebCamX.cab
DPF: {CF1C4A31-BD38-4DCB-BFDB-9E1854B6AAF1} - hxxp://www.dvrhost.com/control/viewer.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://216.30.165.22:8080/activex/AMC.cab
DPF: {F3CAAA40-344A-412E-84E3-D176D64EE54F} - hxxp://www.bms2000.org/BMS2000_Access_Control.ocx
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xcprpuph.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-25 23:01
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00, 79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00, \
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(332)
c:\windows\system32\Ati2evxx.dll
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\windows\system32\IfxWlxEN.dll
.
Heure de fin: 2010-12-25 23:02:35
ComboFix-quarantined-files.txt 2010-12-26 04:02
ComboFix2.txt 2010-12-24 18:49

Avant-CF: 27*678*220*288 bytes free
Après-CF: 27*695*640*576 bytes free

- - End Of File - - EE42EE9DDF6E5C1A33A97319CF8750D0

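Added example, not part of dmonfette's post and not ComboFix code: a small Python triage helper for the "+"/"-" file-snapshot lines in the log above. It assumes the line layout shown there (sign, created time, ".", modified time, size, path), takes 2010-12-21 as the incident-window start (an assumption from the "2 days ago" in the opening post), and uses a handful of lines copied from the log as its sample input.

```python
# Added triage helper (not from the thread or from ComboFix): parses the
# "+"/"-" file-snapshot lines ComboFix prints and flags what changed inside
# an incident window.  Line layout assumed from the log above:
#   <+|-> <created YYYY-MM-DD HH:MM> . <modified YYYY-MM-DD HH:MM> <size> <path>
# "+" is the entry in the newer snapshot, "-" the entry in the older one.
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^([+-])\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+(\S.*?)\s*$"
)

# Incident window start: an assumption taken from the opening post
# ("2 days ago" relative to 23 December 2010).
WINDOW_START = datetime(2010, 12, 21)

# Sample input: a constructed subset copied from the log above, plus two
# non-entry lines to show that headers and separators are ignored.
SAMPLE_LINES = r"""
+ 2006-02-28 02:00 . 2009-08-13 15:16 512000 c:\windows\system32\jscript.dll
- 2006-02-28 02:00 . 2008-04-14 10:41 512000 c:\windows\system32\jscript.dll
- 2006-04-25 17:39 . 2010-12-23 05:17 254272 c:\windows\system32\FNTCACHE.DAT
+ 2006-04-25 17:39 . 2010-12-25 21:24 254272 c:\windows\system32\FNTCACHE.DAT
+ 2010-12-25 21:20 . 2007-03-06 01:22 716000 c:\windows\$NtUninstallKB971961$\update.exe
+ 2010-09-23 12:40 . 2010-09-23 12:40 2607104 c:\windows\Installer\4de7f.msp
.
-- Instantané actualisé --
""".strip().splitlines()


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_snapshot_diff(lines):
    """One dict per '+'/'-' line; anything else (headers, dots) is skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sign, created, modified, size, path = m.groups()
        entries.append({"sign": sign, "created": _ts(created),
                        "modified": _ts(modified), "size": int(size),
                        "path": path})
    return entries


def triage(lines, window_start=WINDOW_START):
    """Pair '+' and '-' records by path (case-insensitive, like NTFS) and
    classify each path as new, deleted or changed.

    flagged     : the newer entry was created or modified on/after
                  window_start, so it changed during the incident and has to
                  be matched against known-good activity (Windows Update,
                  installer runs) before it is trusted.
    stale_mtime : created inside the window but modified long before it, the
                  usual signature of a file extracted from an update or
                  installer package; worth a look, not evidence on its own.
    """
    by_path = {}
    for e in parse_snapshot_diff(lines):
        rec = by_path.setdefault(e["path"].lower(), {"path": e["path"]})
        rec["new" if e["sign"] == "+" else "old"] = e
    results = []
    for key in sorted(by_path):
        rec = by_path[key]
        new, old = rec.get("new"), rec.get("old")
        status = "changed" if new and old else ("new" if new else "deleted")
        in_window = bool(new) and (new["created"] >= window_start
                                   or new["modified"] >= window_start)
        stale = bool(new) and (new["created"] >= window_start
                               and new["modified"] < window_start)
        results.append({
            "path": rec["path"],
            "status": status,
            "old_modified": old["modified"] if old else None,
            "new_modified": new["modified"] if new else None,
            "size": (new or old)["size"],
            "flagged": in_window,
            "stale_mtime": stale,
        })
    return results


def summarize(results):
    """Counts by status plus the number of entries inside the window."""
    counts = {"new": 0, "deleted": 0, "changed": 0, "flagged": 0}
    for r in results:
        counts[r["status"]] += 1
        counts["flagged"] += int(r["flagged"])
    return counts


if __name__ == "__main__":
    rows = triage(SAMPLE_LINES)
    print(summarize(rows))
    for r in rows:
        if r["flagged"]:
            note = " (created in window, old mtime)" if r["stale_mtime"] else ""
            print(f"{r['status']:8} {r['new_modified']:%Y-%m-%d %H:%M} "
                  f"{r['path']}{note}")
```

On the sample, FNTCACHE.DAT and the KB971961 uninstall copy of update.exe are the only entries inside the window; the jscript.dll replacement and the September .msp predate it.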
Old 26th December 2010   #15
Malware Analyst
broni

Profile:
Join Date: Aug 2002
Location: Daly City, CA
Posts: 19,793
Computer Experience:
intermediate

Good

How is the computer doing?

Download OTL to your Desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
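The path lines in the custom scan above are a checklist of locations where this family of infection plants files (note the look-alike `system32\system32` and `systhem32` folders). As an added example, and not OTL's own code, the Python below interprets a few of those lines against a constructed directory tree: it expands `%VAR%` placeholders from a supplied mapping, globs the pattern, and treats `/s` as "include subdirectories" (an assumption, borrowed from cmd's `dir /s`); registry keys, `dir` command lines, the `/md5` markers and the `/x` and `/rs` switches are deliberately left alone.

```python
import re
import tempfile
from pathlib import Path

# One scan line: a path pattern followed by zero or more " /switch" tokens.
_LINE = re.compile(r"^(?P<pattern>.*?)(?P<switches>(?:\s+/\w+)*)\s*$")
_VAR = re.compile(r"%([^%]+)%")


def expand_vars(text: str, env: dict) -> str:
    """Expand %VAR% placeholders case-insensitively, as cmd.exe does."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), text)


def scan_line(line: str, env: dict) -> list:
    """Return files matching one file-pattern line; [] for other line types."""
    m = _LINE.match(line.strip())
    pattern, switches = m.group("pattern"), m.group("switches").lower().split()
    if pattern.startswith(("HKEY_", "dir ", "/")):
        return []  # registry, command and /md5 marker lines are out of scope here
    path = Path(expand_vars(pattern, env).replace("\\", "/"))
    if not path.parent.is_dir():
        return []
    name = "*" if path.name == "*.*" else path.name  # cmd's *.* also matches dotless names
    finder = path.parent.rglob if "/s" in switches else path.parent.glob  # assumption: /s recurses
    return sorted(str(p) for p in finder(name) if p.is_file())


def build_demo_tree() -> tuple:
    """Constructed sample: a fake %systemroot% with a few planted files."""
    root = Path(tempfile.mkdtemp(prefix="otl-demo-"))
    for rel in ("system32/system32/sample.exe",          # look-alike folder, a red flag
                "system32/drivers/old.rmv",
                "pchealth/helpctr/System/sub/helper.exe",  # only found with /s
                "pchealth/helpctr/System/readme.txt",
                "system32/kernel32.dll"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("constructed sample, not real content")
    return root, {"systemroot": str(root)}


SCAN_LINES = [  # three file-pattern lines taken from the OTL script above
    r"%systemroot%\system32\system32\*.*",
    r"%systemroot%\pchealth\helpctr\System\*.exe /s",
    r"%systemroot%\system32\drivers\*.rmv",
]


def run_demo() -> dict:
    """Map each scan line to the matches found in the constructed tree (root-relative)."""
    root, env = build_demo_tree()
    return {line: [str(Path(p).relative_to(root)) for p in scan_line(line, env)]
            for line in SCAN_LINES}


if __name__ == "__main__":
    for line, hits in run_demo().items():
        print(line, "->", hits or "no matches")
```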
