
Solved iexplore.exe problem! (Black Internet rootkit case)

Discussion in 'Malware and Virus Removal Archive' started by juturna, 2010/06/24.

  1. 2010/06/26
    juturna

    juturna Inactive Thread Starter

    Joined:
    2010/06/21
    Messages:
    38
    Likes Received:
    0
    Wow, I just checked through Process Explorer and iexplore.exe(s) no longer seem to be running! Will await further instructions. =D
     
  2. 2010/06/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Great news!
    Give me a couple of minutes, so I can go back and see what's next.
     


  4. 2010/06/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Just some minor garbage....

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O4 - HKCU..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103472 -Mozilla\4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident\4.0; File not found
      O33 - MountPoints2\{6ec2ae01-fa4d-11dd-8f58-806e6f6e6963}\Shell - " " = AutoRun
      O33 - MountPoints2\{6ec2ae01-fa4d-11dd-8f58-806e6f6e6963}\Shell\AutoRun\command - " " = E:\setup.exe -- File not found
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
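The three entries the fix above removes are two persistence points (a HKCU RunOnce value whose target no longer exists, and a MountPoints2 AutoRun command cached from removable media pointing at E:\setup.exe) plus a hosts-file reset. The script below is an added example written for this page; it is not part of the thread, not OTL's own code, and the function names Get-RunEntryTarget and Test-AutorunPersistence are my own. It assumes an elevated Windows PowerShell 5.1 or newer session and audits the same three places on a live machine so the result can be compared against what OTL reports.

```powershell
# Added example (not from the thread or from OTL): audit Run/RunOnce values,
# MountPoints2 AutoRun commands and the hosts file on a live Windows host.
# Assumes an elevated Windows PowerShell 5.1+ session. Helper names are mine.

function Get-RunEntryTarget {
    # Pull the executable path out of a Run/RunOnce command line, which may
    # be quoted ("C:\path\app.exe" -arg) or unquoted with 8.3 short names.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.exe)') { return $Matches[1] }   # -match is case-insensitive
    return ($Command -split '\s+')[0]
}

function Test-AutorunPersistence {
    $findings = @()

    # 1. Run / RunOnce values (OTL's O4 lines). A value whose target is
    #    missing is either leftover garbage or a payload that was deleted
    #    but still has its loader registered.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
            $target = Get-RunEntryTarget ([string]$p.Value)
            if ([string]::IsNullOrWhiteSpace($target)) { continue }
            $target = [Environment]::ExpandEnvironmentVariables($target)
            if ($target -notmatch '[\\/]') {               # bare name such as RUNDLL32.EXE: resolve via PATH
                $resolved = Get-Command $target -ErrorAction SilentlyContinue
                if ($resolved) { $target = $resolved.Source }
            }
            $findings += [pscustomobject]@{
                Location = "$key\$($p.Name)"
                Target   = $target
                Issue    = if (Test-Path -LiteralPath $target) { 'present' } else { 'File not found' }
            }
        }
    }

    # 2. MountPoints2 (OTL's O33 lines): Explorer caches the autorun.inf of
    #    every volume it has seen under the volume GUID. A Shell\AutoRun\command
    #    pointing at <drive>:\setup.exe is the classic USB-worm footprint and
    #    stays behind after the stick is gone.
    $mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (Test-Path $mp) {
        foreach ($vol in (Get-ChildItem -Path $mp)) {
            $cmdKey = "$($vol.PSPath)\Shell\AutoRun\command"
            if (Test-Path $cmdKey) {
                $findings += [pscustomobject]@{
                    Location = "MountPoints2\$($vol.PSChildName)\Shell\AutoRun\command"
                    Target   = (Get-ItemProperty -Path $cmdKey).'(default)'
                    Issue    = 'AutoRun command cached from removable media'
                }
            }
        }
    }

    # 3. Hosts file: after [resethosts] only the two loopback lines should
    #    remain, so anything else is worth a look.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in (Get-Content -Path $hosts -ErrorAction SilentlyContinue)) {
        if ($line -match '^\s*[0-9a-fA-F:.]+\s+\S+' -and
            $line -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$') {
            $findings += [pscustomobject]@{
                Location = $hosts
                Target   = $line.Trim()
                Issue    = 'non-loopback hosts entry'
            }
        }
    }

    return $findings
}

Test-AutorunPersistence | Format-Table -AutoSize
```

Run it once before and once after the OTL fix: the RunOnce value and the MountPoints2 command should drop out of the table, and the hosts section should come back empty. Entries marked "present" under HKLM\...\Run are the normal OEM and AV startup items and are reported only so the missing ones can be judged in context.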
     
  5. 2010/06/26
    juturna

    juturna Inactive Thread Starter

    Joined:
    2010/06/21
    Messages:
    38
    Likes Received:
    0
    Running Quick Scan now...



    All processes killed
    ========== OTL ==========
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Shockwave Updater deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6ec2ae01-fa4d-11dd-8f58-806e6f6e6963}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6ec2ae01-fa4d-11dd-8f58-806e6f6e6963}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6ec2ae01-fa4d-11dd-8f58-806e6f6e6963}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6ec2ae01-fa4d-11dd-8f58-806e6f6e6963}\ not found.
    File E:\setup.exe not found.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Andrew
    ->Temp folder emptied: 35096 bytes
    ->Temporary Internet Files folder emptied: 64222212 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 36730549 bytes
    ->Flash cache emptied: 165977 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: RA Media Server
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 4551754 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 238 bytes

    Total Files Cleaned = 101.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Andrew
    ->Flash cache emptied: 0 bytes

    User: Default

    User: Default User

    User: Public

    User: RA Media Server

    Total Flash Files Cleaned = 0.00 mb

    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.7.0 log created on 06262010_134231

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  6. 2010/06/26
    juturna

    juturna Inactive Thread Starter

    Joined:
    2010/06/21
    Messages:
    38
    Likes Received:
    0
    OTL logfile created on: 6/26/2010 1:47:56 PM - Run 6
    OTL by OldTimer - Version 3.2.7.0 Folder = C:\Users\Andrew\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18928)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 64.00% Memory free
    6.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 583.59 Gb Total Space | 297.87 Gb Free Space | 51.04% Space Free | Partition Type: NTFS
    Drive D: | 10.00 Gb Total Space | 3.73 Gb Free Space | 37.35% Space Free | Partition Type: NTFS
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: ANDREW-PC
    Current User Name: Andrew
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/06/25 18:09:05 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Andrew\Desktop\OTL.exe
    PRC - [2010/04/13 02:36:46 | 000,057,752 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.exe
    PRC - [2010/01/28 10:45:05 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    PRC - [2010/01/28 10:45:03 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    PRC - [2010/01/28 10:44:52 | 001,864,888 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    PRC - [2010/01/28 10:44:52 | 001,455,432 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    PRC - [2010/01/28 10:44:50 | 000,341,320 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    PRC - [2010/01/28 10:44:49 | 002,477,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2009/04/11 02:27:20 | 000,088,576 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\audiodg.exe
    PRC - [2008/09/24 00:09:52 | 001,295,656 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DellDock.exe
    PRC - [2008/09/24 00:09:52 | 000,155,648 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe
    PRC - [2008/07/20 19:45:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    PRC - [2008/07/20 19:45:06 | 000,182,808 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    PRC - [2008/02/22 19:01:38 | 001,193,240 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\quickset.exe
    PRC - [2008/02/22 18:54:34 | 000,390,424 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
    PRC - [2008/01/01 23:44:38 | 000,405,504 | ---- | M] (IDT, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    PRC - [2008/01/01 23:44:32 | 000,102,400 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\stacsv.exe
    PRC - [2008/01/01 23:44:26 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEstSrv.exe
    PRC - [2007/12/21 12:58:06 | 000,184,320 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\MediaDirect\PCMService.exe
    PRC - [2007/12/03 01:58:54 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\OEM02Mon.exe
    PRC - [2007/10/15 16:59:14 | 000,143,360 | ---- | M] () -- C:\Program Files\Razer\Lachesis\razertra.exe
    PRC - [2007/09/12 12:52:18 | 000,172,032 | ---- | M] () -- C:\Program Files\Razer\Lachesis\razerhid.exe
    PRC - [2007/08/16 18:05:16 | 000,274,432 | ---- | M] (razercfg MFC Application) -- C:\Program Files\Razer\Lachesis\OSD.exe
    PRC - [2007/07/25 18:41:42 | 000,647,168 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    PRC - [2007/07/25 18:22:44 | 000,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    PRC - [2007/07/18 09:26:42 | 000,775,952 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
    PRC - [2007/07/18 09:26:26 | 000,374,032 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
    PRC - [2007/07/18 09:26:24 | 000,203,024 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
    PRC - [2007/06/05 11:37:12 | 000,163,840 | ---- | M] (Razer Inc.) -- C:\Program Files\Razer\Lachesis\razerofa.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/06/25 18:09:05 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Andrew\Desktop\OTL.exe
    MOD - [2010/01/28 10:45:09 | 000,357,704 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\sysfer.dll
    MOD - [2009/04/11 02:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
    MOD - [2008/01/20 22:24:37 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- -- (Viewpoint Manager Service)
    SRV - File not found [On_Demand | Stopped] -- -- (Smcinst)
    SRV - File not found [On_Demand | Stopped] -- -- (LiveTurbineNetworkService)
    SRV - File not found [On_Demand | Stopped] -- -- (LiveTurbineMessageService)
    SRV - [2010/04/13 02:36:46 | 000,057,752 | ---- | M] (Absolute Software Corp.) [Auto | Running] -- C:\Windows\System32\rpcnet.exe -- (rpcnet) Remote Procedure Call (RPC)
    SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
    SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2010/01/28 10:45:05 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
    SRV - [2010/01/28 10:45:05 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
    SRV - [2010/01/28 10:44:52 | 001,864,888 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
    SRV - [2010/01/28 10:44:50 | 000,341,320 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
    SRV - [2010/01/28 10:44:49 | 002,477,304 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
    SRV - [2009/12/12 21:41:31 | 000,321,320 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
    SRV - [2009/09/24 21:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
    SRV - [2009/07/13 13:06:15 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
    SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
    SRV - [2008/09/24 00:09:52 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
    SRV - [2008/07/20 19:45:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
    SRV - [2008/02/22 18:54:34 | 000,390,424 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (nicconfigsvc)
    SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2008/01/01 23:44:32 | 000,102,400 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\stacsv.exe -- (STacSV)
    SRV - [2008/01/01 23:44:26 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEstSrv.exe -- (AESTFilters)
    SRV - [2007/07/25 18:41:42 | 000,647,168 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel(R)
    SRV - [2007/07/25 18:22:44 | 000,327,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel(R)


    ========== Driver Services (SafeList) ==========

    DRV - [2010/05/10 19:41:24 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20100510.025\NAVEX15.SYS -- (NAVEX15)
    DRV - [2010/05/10 19:41:24 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20100510.025\NAVENG.SYS -- (NAVENG)
    DRV - [2010/04/29 13:15:55 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - [2010/02/17 14:20:20 | 000,162,048 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\wpshelper.sys -- (WpsHelper)
    DRV - [2010/01/28 10:49:16 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
    DRV - [2010/01/28 10:45:10 | 000,042,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\WPSDRVnt.sys -- (WPS)
    DRV - [2010/01/28 10:45:08 | 000,320,560 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\srtspl.sys -- (SRTSPL)
    DRV - [2010/01/28 10:45:08 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\srtspx.sys -- (SRTSPX)
    DRV - [2010/01/28 10:45:07 | 000,281,648 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\srtsp.sys -- (SRTSP)
    DRV - [2010/01/28 10:44:54 | 000,092,488 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SYSTEM32\Drivers\SysPlant.sys -- (SysPlant)
    DRV - [2010/01/28 10:44:54 | 000,050,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Teefer2.sys -- (Teefer2)
    DRV - [2010/01/28 10:44:43 | 000,188,080 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
    DRV - [2010/01/28 10:44:43 | 000,026,416 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
    DRV - [2010/01/28 10:44:41 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
    DRV - [2009/08/28 16:18:14 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
    DRV - [2009/08/18 12:58:28 | 000,023,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\COH_Mon.sys -- (COH_Mon)
    DRV - [2009/06/25 04:26:56 | 000,721,904 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
    DRV - [2008/10/27 06:26:54 | 000,324,120 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iastor.sys -- (iaStor)
    DRV - [2008/10/27 06:18:08 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
    DRV - [2008/10/27 06:18:04 | 000,046,592 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
    DRV - [2008/10/27 06:17:58 | 000,043,008 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
    DRV - [2008/03/27 09:27:32 | 000,193,456 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
    DRV - [2008/01/20 22:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
    DRV - [2008/01/20 22:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
    DRV - [2008/01/20 22:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
    DRV - [2008/01/20 22:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
    DRV - [2008/01/20 22:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
    DRV - [2008/01/20 22:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
    DRV - [2008/01/20 22:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
    DRV - [2008/01/20 22:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
    DRV - [2008/01/20 22:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
    DRV - [2008/01/20 22:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
    DRV - [2008/01/20 22:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
    DRV - [2008/01/20 22:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
    DRV - [2008/01/20 22:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
    DRV - [2008/01/20 22:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
    DRV - [2008/01/20 22:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
    DRV - [2008/01/20 22:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
    DRV - [2008/01/20 22:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
    DRV - [2008/01/20 22:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
    DRV - [2008/01/20 22:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
    DRV - [2008/01/20 22:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
    DRV - [2008/01/20 22:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
    DRV - [2008/01/20 22:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
    DRV - [2008/01/20 22:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
    DRV - [2008/01/20 22:23:00 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
    DRV - [2008/01/20 22:23:00 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
    DRV - [2008/01/20 22:23:00 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
    DRV - [2008/01/14 06:06:32 | 000,021,632 | ---- | M] (ManyCam LLC.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ManyCam.sys -- (ManyCam)
    DRV - [2008/01/01 23:44:40 | 000,330,240 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
    DRV - [2007/12/03 01:59:06 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
    DRV - [2007/12/03 01:58:50 | 000,235,648 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Dev.sys -- (OEM02Dev)
    DRV - [2007/11/06 05:38:10 | 007,619,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2007/09/13 07:43:00 | 000,120,320 | ---- | M] (AGEIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\physX32.sys -- (physX32)
    DRV - [2007/08/13 05:44:26 | 002,226,688 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel(R)
    DRV - [2007/08/08 12:04:16 | 000,012,032 | ---- | M] (Razer (Asia-Pacific) Pte Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Lachesis.sys -- (LachesisFltr)
    DRV - [2007/07/18 09:30:28 | 000,179,712 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
    DRV - [2006/11/02 05:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
    DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
    DRV - [2006/11/02 05:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
    DRV - [2006/11/02 05:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
    DRV - [2006/11/02 05:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
    DRV - [2006/11/02 05:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
    DRV - [2006/11/02 05:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
    DRV - [2006/11/02 05:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
    DRV - [2006/11/02 05:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
    DRV - [2006/11/02 05:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
    DRV - [2006/11/02 05:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
    DRV - [2006/11/02 04:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
    DRV - [2006/11/02 04:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
    DRV - [2006/11/02 04:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
    DRV - [2006/11/02 04:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
    DRV - [2006/11/02 04:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
    DRV - [2006/11/02 04:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
    DRV - [2006/11/02 03:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
    DRV - [2006/11/02 03:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
    DRV - [2006/07/24 16:05:00 | 000,005,632 | ---- | M] () [File_System | System | Running] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen)
    DRV - [2005/08/17 07:46:26 | 000,093,872 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdm.sys -- (sscdmdm)
    DRV - [2005/08/17 07:46:20 | 000,008,272 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdfl.sys -- (sscdmdfl)
    DRV - [2005/08/17 07:45:00 | 000,058,352 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.search.selectedEngine: "Yahoo "
    FF - prefs.js..browser.search.update: false
    FF - prefs.js..browser.startup.homepage: "http://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official "
    FF - prefs.js..extensions.enabledItems: artur.dubovoy@gmail.com:1.9.96
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.72
    FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q= "

    FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/20 02:01:25 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/25 19:02:09 | 000,000,000 | ---D | M]

    [2009/02/18 17:28:46 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Mozilla\Extensions
    [2010/06/25 21:15:35 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\gqziblmo.default\extensions
    [2010/01/06 02:05:35 | 000,000,000 | ---D | M] (ReloadEvery) -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\gqziblmo.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
    [2010/01/06 02:05:35 | 000,000,000 | ---D | M] (Noia 2.0 (eXtreme)) -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\gqziblmo.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
    [2010/01/06 02:05:35 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\gqziblmo.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    [2010/01/07 02:54:23 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\gqziblmo.default\extensions\artur.dubovoy@gmail.com
    [2010/06/25 21:15:35 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/06/25 19:02:14 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010/06/25 19:01:27 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
    [2010/01/13 18:46:00 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

    O1 HOSTS File: ([2010/06/26 13:43:56 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
    O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
    O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
    O4 - HKLM..\Run: [Lachesis] C:\Program Files\Razer\Lachesis\razerhid.exe ()
    O4 - HKLM..\Run: [Launch LCDMon] C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe (Logitech Inc.)
    O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [NVHotkey] C:\Windows\System32\nvHotkey.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
    O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
    O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
    O4 - Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
    O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
    O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
    O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
    O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O24 - Desktop BackupWallPaper: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 90 Days ==========

    [2010/06/25 23:43:44 | 000,000,000 | ---D | C] -- C:\Avenger
    [2010/06/25 21:32:37 | 000,499,712 | ---- | C] (eSage Lab) -- C:\Users\Andrew\Desktop\remover.exe
    [2010/06/25 19:03:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
    [2010/06/25 19:03:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2010/06/25 18:52:42 | 000,000,000 | ---D | C] -- C:\_OTL
    [2010/06/25 18:08:58 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Users\Andrew\Desktop\OTL.exe
    [2010/06/25 18:03:25 | 000,000,000 | --SD | C] -- C:\ComboFix
    [2010/06/25 18:02:35 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
    [2010/06/25 16:00:03 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2010/06/25 15:59:58 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Local\temp
    [2010/06/25 15:55:43 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2010/06/25 13:54:47 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2010/06/24 22:33:48 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Roaming\Malwarebytes
    [2010/06/24 22:33:37 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2010/06/24 22:33:35 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2010/06/24 22:33:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2010/06/24 22:33:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/06/22 23:41:54 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache
    [2010/06/18 12:02:24 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\music
    [2010/06/15 05:45:51 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Roaming\skypePM
    [2010/06/15 05:44:19 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Roaming\Skype
    [2010/06/15 05:43:07 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
    [2010/06/15 05:43:06 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
    [2010/06/15 05:42:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Skype
    [2010/06/13 02:01:32 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\Family Outing S2
    [2010/06/11 23:41:51 | 000,000,000 | ---D | C] -- C:\Program Files\NCH Software
    [2010/06/11 23:33:47 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Roaming\NCH Swift Sound
    [2010/06/11 23:33:47 | 000,000,000 | ---D | C] -- C:\ProgramData\NCH Swift Sound
    [2010/06/11 23:33:41 | 000,000,000 | ---D | C] -- C:\Program Files\NCH Swift Sound
    [2010/06/02 19:28:32 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\Family Outing S1
    [2010/05/15 00:15:47 | 000,000,000 | R--D | C] -- C:\Users\Andrew\Desktop\idol
    [2010/05/14 22:41:48 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\Desktop
    [2010/05/14 00:50:29 | 000,719,872 | ---- | C] (Abysmal Software) -- C:\Windows\System32\devil.dll
    [2010/05/14 00:50:29 | 000,369,152 | ---- | C] (The Public) -- C:\Windows\System32\avisynth.dll
    [2010/05/14 00:50:29 | 000,070,656 | ---- | C] (www.helixcommunity.org) -- C:\Windows\System32\yv12vfw.dll
    [2010/05/14 00:50:29 | 000,070,656 | ---- | C] (www.helixcommunity.org) -- C:\Windows\System32\i420vfw.dll
    [2010/05/14 00:50:28 | 000,000,000 | ---D | C] -- C:\Program Files\AviSynth 2.5
    [2010/05/14 00:46:05 | 000,186,880 | RHS- | C] (RadLight) -- C:\Windows\System32\RLOgg.ax
    [2010/05/14 00:46:05 | 000,161,792 | RHS- | C] (Gabest) -- C:\Windows\System32\RealMediaDX.ax
    [2010/05/14 00:46:05 | 000,092,672 | RHS- | C] (RadLight) -- C:\Windows\System32\RLVorbisDec.ax
    [2010/05/14 00:46:05 | 000,090,112 | RHS- | C] (-) -- C:\Windows\System32\TTADSSplitter.ax
    [2010/05/14 00:46:05 | 000,090,112 | RHS- | C] (-) -- C:\Windows\System32\TTADSDecoder.ax
    [2010/05/14 00:46:05 | 000,067,584 | RHS- | C] (RadLight, LLC) -- C:\Windows\System32\RLTheoraDec.ax
    [2010/05/14 00:46:04 | 000,278,528 | ---- | C] (Real Networks, Inc) -- C:\Windows\System32\pncrt.dll
    [2010/05/14 00:46:04 | 000,216,064 | RHS- | C] (MONOGRAM Multimedia, s.r.o.) -- C:\Windows\System32\nbDX.dll
    [2010/05/14 00:46:04 | 000,179,200 | RHS- | C] (Gabest) -- C:\Windows\System32\DiracSplitter.ax
    [2010/05/14 00:46:04 | 000,169,472 | RHS- | C] (Gabest) -- C:\Windows\System32\MatroskaDX.ax
    [2010/05/14 00:46:04 | 000,163,328 | RHS- | C] (Gabest) -- C:\Windows\System32\flvDX.dll
    [2010/05/14 00:46:04 | 000,031,232 | RHS- | C] (Hans Mayerl) -- C:\Windows\System32\msfDX.dll
    [2010/05/14 00:46:03 | 000,123,904 | RHS- | C] (CoreCodec) -- C:\Windows\System32\AVCDX.ax
    [2010/05/14 00:45:32 | 000,000,000 | ---D | C] -- C:\Program Files\eRightSoft
    [2010/04/28 11:27:32 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Local\Microsoft Help
    [2010/04/20 01:44:54 | 000,000,000 | ---D | C] -- C:\Program Files\Aixcoustic
    [2010/04/18 00:16:08 | 000,000,000 | R--D | C] -- C:\Users\Andrew\Desktop\Korean
    [2010/04/11 03:10:18 | 000,000,000 | ---D | C] -- C:\Program Files\StreamTransport

    ========== Files - Modified Within 90 Days ==========

    [2010/06/26 13:48:05 | 006,553,600 | -HS- | M] () -- C:\Users\Andrew\ntuser.dat
    [2010/06/26 13:46:58 | 000,000,238 | ---- | M] () -- C:\Users\Andrew\Desktop\[Active] iexplore.exe problem! - Page 5.url
    [2010/06/26 13:46:02 | 000,027,430 | ---- | M] () -- C:\Users\Andrew\AppData\Roaming\nvModes.001
    [2010/06/26 13:45:40 | 000,017,408 | ---- | M] () -- C:\Windows\System32\rpcnetp.exe
    [2010/06/26 13:45:37 | 000,057,752 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.dll
    [2010/06/26 13:45:25 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2010/06/26 13:45:25 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2010/06/26 13:45:25 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
    [2010/06/26 13:45:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2010/06/26 13:44:52 | 3219,181,568 | -HS- | M] () -- C:\hiberfil.sys
    [2010/06/26 13:44:15 | 000,524,288 | -HS- | M] () -- C:\Users\Andrew\ntuser.dat{b1eab854-cfb1-11de-8a70-0023ae12b7e1}.TMContainer00000000000000000001.regtrans-ms
    [2010/06/26 13:44:15 | 000,065,536 | -HS- | M] () -- C:\Users\Andrew\ntuser.dat{b1eab854-cfb1-11de-8a70-0023ae12b7e1}.TM.blf
    [2010/06/26 13:43:56 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
    [2010/06/26 13:27:43 | 000,716,862 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
    [2010/06/26 13:27:43 | 000,613,270 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2010/06/26 13:27:43 | 000,108,196 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2010/06/26 13:20:07 | 000,017,408 | ---- | M] () -- C:\Windows\System32\rpcnetp.dll
    [2010/06/26 13:12:43 | 003,640,873 | -H-- | M] () -- C:\Users\Andrew\AppData\Local\IconCache.db
    [2010/06/26 00:27:50 | 000,002,377 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
    [2010/06/26 00:06:10 | 000,027,430 | ---- | M] () -- C:\Users\Andrew\AppData\Roaming\nvModes.dat
    [2010/06/25 23:57:42 | 314,920,199 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2010/06/25 23:10:04 | 000,077,312 | ---- | M] () -- C:\Users\Andrew\Desktop\mbr.exe
    [2010/06/25 21:13:04 | 000,000,056 | -H-- | M] () -- C:\Windows\System32\ezsidmv.dat
    [2010/06/25 18:09:05 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Andrew\Desktop\OTL.exe
    [2010/06/25 17:14:31 | 000,002,231 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
    [2010/06/25 15:56:30 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
    [2010/06/25 04:16:46 | 000,121,856 | ---- | M] () -- C:\Users\Andrew\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/06/25 00:01:53 | 000,270,576 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2010/06/24 23:02:36 | 000,293,376 | ---- | M] () -- C:\Users\Andrew\Desktop\2xq6cx38.exe
    [2010/06/24 22:33:40 | 000,000,820 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/06/22 23:54:37 | 000,525,824 | ---- | M] () -- C:\Users\Andrew\Desktop\dds.scr
    [2010/06/18 12:06:43 | 000,000,192 | ---- | M] () -- C:\Users\Andrew\Desktop\ssfsubs3.url
    [2010/06/11 23:59:06 | 000,000,000 | ---- | M] () -- C:\ProgramData\LauncherAccess.dt
    [2010/06/03 15:42:11 | 000,000,154 | ---- | M] () -- C:\Users\Andrew\Desktop\index12.url
    [2010/05/09 20:57:28 | 000,532,092 | ---- | M] () -- C:\Users\Andrew\Documents\youth ministries.pptx
    [2010/05/09 17:32:42 | 000,027,648 | ---- | M] () -- C:\Users\Andrew\Documents\my interview.doc
    [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2010/04/16 10:25:52 | 000,033,792 | ---- | M] () -- C:\Users\Andrew\Documents\essay3.doc
    [2010/04/13 02:36:46 | 000,057,752 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.exe
    [2010/04/06 02:26:54 | 000,027,136 | ---- | M] () -- C:\Users\Andrew\Documents\assignment 3 proposal.doc
    [2010/04/04 16:34:22 | 000,062,074 | ---- | M] () -- C:\Windows\War3Unin.dat
    [2010/03/29 01:03:16 | 000,019,065 | ---- | M] () -- C:\Users\Andrew\Documents\midterm.docx

    ========== Files Created - No Company Name ==========

    [2010/06/26 13:38:09 | 000,000,238 | ---- | C] () -- C:\Users\Andrew\Desktop\[Active] iexplore.exe problem! - Page 5.url
    [2010/06/25 23:56:32 | 3219,181,568 | -HS- | C] () -- C:\hiberfil.sys
    [2010/06/25 23:41:53 | 000,731,136 | ---- | C] () -- C:\Users\Andrew\Desktop\avenger.exe
    [2010/06/25 23:16:01 | 000,000,255 | ---- | C] () -- C:\Users\Andrew\mbr.log
    [2010/06/25 23:10:04 | 000,077,312 | ---- | C] () -- C:\Users\Andrew\Desktop\mbr.exe
    [2010/06/25 21:13:04 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
    [2010/06/24 23:02:35 | 000,293,376 | ---- | C] () -- C:\Users\Andrew\Desktop\2xq6cx38.exe
    [2010/06/24 22:33:40 | 000,000,820 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/06/22 23:54:34 | 000,525,824 | ---- | C] () -- C:\Users\Andrew\Desktop\dds.scr
    [2010/06/15 05:43:07 | 000,002,377 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
    [2010/06/07 02:19:46 | 000,000,192 | ---- | C] () -- C:\Users\Andrew\Desktop\ssfsubs3.url
    [2010/06/03 15:42:11 | 000,000,154 | ---- | C] () -- C:\Users\Andrew\Desktop\index12.url
    [2010/05/14 00:50:29 | 000,027,648 | ---- | C] () -- C:\Windows\System32\AVSredirect.dll
    [2010/05/14 00:46:05 | 000,107,520 | RHS- | C] () -- C:\Windows\System32\RLMPCDec.ax
    [2010/05/14 00:46:05 | 000,070,656 | RHS- | C] () -- C:\Windows\System32\RLAPEDec.ax
    [2010/05/14 00:46:05 | 000,051,712 | RHS- | C] () -- C:\Windows\System32\RLSpeexDec.ax
    [2010/05/14 00:46:04 | 000,175,104 | RHS- | C] () -- C:\Windows\System32\CoreAAC.ax
    [2010/05/14 00:46:04 | 000,120,832 | RHS- | C] () -- C:\Windows\System32\MPCDx.ax
    [2010/05/14 00:46:04 | 000,097,280 | RHS- | C] () -- C:\Windows\System32\FLACDX.ax
    [2010/05/14 00:46:03 | 000,227,328 | RHS- | C] () -- C:\Windows\System32\ac3DX.ax
    [2010/05/14 00:46:03 | 000,081,920 | RHS- | C] () -- C:\Windows\System32\aac_parser.ax
    [2010/05/09 17:32:53 | 000,532,092 | ---- | C] () -- C:\Users\Andrew\Documents\youth ministries.pptx
    [2010/05/09 17:32:41 | 000,027,648 | ---- | C] () -- C:\Users\Andrew\Documents\my interview.doc
    [2010/04/08 02:10:53 | 000,033,792 | ---- | C] () -- C:\Users\Andrew\Documents\essay3.doc
    [2010/04/06 02:26:54 | 000,027,136 | ---- | C] () -- C:\Users\Andrew\Documents\assignment 3 proposal.doc
    [2010/03/29 01:03:16 | 000,019,065 | ---- | C] () -- C:\Users\Andrew\Documents\midterm.docx
    [2009/08/07 02:40:39 | 000,005,632 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
    [2009/08/04 15:03:22 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
    [2009/06/29 02:13:28 | 000,000,000 | ---- | C] () -- C:\Windows\ACTIVEJP.INI
    [2009/03/03 13:55:58 | 000,017,408 | ---- | C] () -- C:\Windows\System32\rpcnetp.dll
    [2009/02/14 08:05:50 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
    [2007/07/25 18:40:02 | 000,999,424 | ---- | C] () -- C:\Windows\System32\WLIHVUI.dll
    [2007/04/20 09:57:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
    [2007/04/20 09:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
    [2007/04/20 09:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
    [2007/04/20 09:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
    [2007/04/20 09:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
    [2007/04/20 09:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
    [2007/04/20 09:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
    [2007/04/20 09:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
    [2007/04/20 09:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
    [2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 06:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
    [2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

    ========== LOP Check ==========

    [2009/02/24 15:01:36 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Absolute
    [2009/02/18 19:10:38 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\acccore
    [2010/01/05 03:43:49 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\ManyCam
    [2010/06/11 23:33:47 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\NCH Swift Sound
    [2009/10/09 01:43:07 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\ooVoo Details
    [2009/03/20 21:10:00 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\PeerNetworking
    [2009/05/20 01:21:43 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\RenPy
    [2009/08/07 02:58:38 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Samsung
    [2009/10/09 01:46:34 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\tmp
    [2010/06/26 13:44:04 | 000,032,554 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========


    < End of report >
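Two things in the log above deserve a second look before declaring the machine clean, and neither is something OTL flags on its own: `O6 - HKLM\...\policies\System: EnableLUA = 0` means User Account Control is switched off on this Vista install, and the run of `RHS-` (read-only, hidden, system) DirectShow filters created in `C:\Windows\System32` at 2010/05/14 00:46, one minute after `C:\Program Files\eRightSoft`, uses the same attribute pattern malware uses to stay out of a casual directory listing (here the vendor names and the timing point at a codec-pack installer, but that is exactly the judgement a reviewer has to make). The Python script below is an added example, not code from OTL or from either poster: it parses the `O6`/`O7` policy lines and the file-section lines in OTL's layout, reports policy values that weaken the machine, and groups hidden+system files in System32 by creation minute so a burst from one installer is distinguishable from a lone unexplained file. The `BAD_POLICIES` table is this example's own list, and `SAMPLE_LOG` is a constructed excerpt reproducing lines from the log above.

```python
"""Triage an OTL log: report disabled protections and hidden+system files in System32.

Added example for this thread; not code from OTL or from the forum posters.
Assumptions: OTL's line layout as shown in the log above, and the BAD_POLICIES
table, which is this example's own list of settings a reviewer should not let stand.
"""
import re
from collections import defaultdict

# Policy values that weaken the machine (assumption: this example's own list).
# EnableLUA=0 turns User Account Control off entirely.
BAD_POLICIES = {"EnableLUA": "0", "DisableTaskMgr": "1", "DisableRegistryTools": "1"}

# 'O6 - <key>: <name> = <value>' and 'O7 - ...' policy lines
POLICY_RE = re.compile(r"^O[67] - (?P<key>\S+): (?P<name>\w+) = (?P<value>\S+)$")

# '[stamp | size | attrs | C/M] (company) -- path'; the (company) part is optional
FILE_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-A-Z]{4}) \| [CM]\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)

SYSTEM32 = "c:\\windows\\system32\\"


def parse_otl(text):
    """Split an OTL log into policy records and file records (dicts of regex groups)."""
    policies, files = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            policies.append(m.groupdict())
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(m.groupdict())
    return policies, files


def triage(text):
    """Return human-readable findings for a reviewer, in log order."""
    policies, files = parse_otl(text)
    findings = []
    for p in policies:
        if BAD_POLICIES.get(p["name"]) == p["value"]:
            findings.append(f"policy {p['key']} {p['name']}={p['value']}")

    # Files with attributes Hidden+System (not directories) under System32.
    # Group by creation minute: a burst sharing vendor names usually means an
    # installer, while a lone entry with no company name deserves a hash lookup.
    bursts = defaultdict(list)
    for f in files:
        attr = f["attr"]
        if f["path"].lower().startswith(SYSTEM32) and "H" in attr and "S" in attr and "D" not in attr:
            bursts[f["stamp"][:16]].append(f)
    for minute, group in sorted(bursts.items()):
        companies = sorted({f["company"] or "(none)" for f in group})
        findings.append(
            f"{len(group)} hidden+system file(s) in System32 at {minute}: "
            f"companies {', '.join(companies)}"
        )
    return findings


# Constructed sample: an excerpt reproducing lines from the OTL log above.
SAMPLE_LOG = r"""
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
[2010/06/25 23:43:44 | 000,000,000 | ---D | C] -- C:\Avenger
[2010/05/14 00:46:05 | 000,186,880 | RHS- | C] (RadLight) -- C:\Windows\System32\RLOgg.ax
[2010/05/14 00:46:05 | 000,090,112 | RHS- | C] (-) -- C:\Windows\System32\TTADSSplitter.ax
[2010/05/14 00:46:04 | 000,278,528 | ---- | C] (Real Networks, Inc) -- C:\Windows\System32\pncrt.dll
[2010/05/14 00:46:04 | 000,123,904 | RHS- | C] (CoreCodec) -- C:\Windows\System32\AVCDX.ax
[2010/05/14 00:46:04 | 000,175,104 | RHS- | C] () -- C:\Windows\System32\CoreAAC.ax
[2010/06/26 13:45:25 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the full log, the script reports the `EnableLUA=0` policy and one burst of hidden+system filters; an entry that shows up alone, with no vendor name and a creation time that matches nothing else on the machine, is the one to hash and look up.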
     
  7. 2010/06/26 broni (Moderator, Malware Analyst)
    Very good :)

    1. Download Temp File Cleaner (TFC)
    Double-click on TFC.exe to run the program.
    Click on the Start button to begin the cleaning process.
    TFC will close all running programs, and it may ask you to restart the computer.


    2. Go to the Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  8. 2010/06/26 juturna (Thread Starter)
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Saturday, June 26, 2010
    Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Saturday, June 26, 2010 14:45:36
    Records in database: 4292236
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\

    Scan statistics:
    Objects scanned: 155327
    Threats found: 4
    Infected objects found: 14
    Suspicious objects found: 0
    Scan duration: 03:12:36


    File name / Threat / Threats count
    C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\10B00000\5CB959CB.VBN Infected: Trojan.JS.Agent.bmo 1
    C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\10B00001\5CB959EF.VBN Infected: Trojan.JS.Agent.bmo 1
    C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\10B00002\5CB95A05.VBN Infected: Trojan-Downloader.Java.Agent.ah 2
    C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\145C0000\5C5F155F.VBN Infected: Trojan.JS.Agent.bmo 1
    C:\ProgramData\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ab 1
    C:\System Volume Information\Microsoft\services.exe Infected: Trojan-Clicker.Win32.Cycler.ajtp 1
    C:\System Volume Information\Microsoft\smss.exe Infected: Trojan-Clicker.Win32.Cycler.ajtp 1
    C:\Users\All Users\Symantec\Symantec Endpoint Protection\Quarantine\10B00000\5CB959CB.VBN Infected: Trojan.JS.Agent.bmo 1
    C:\Users\All Users\Symantec\Symantec Endpoint Protection\Quarantine\10B00001\5CB959EF.VBN Infected: Trojan.JS.Agent.bmo 1
    C:\Users\All Users\Symantec\Symantec Endpoint Protection\Quarantine\10B00002\5CB95A05.VBN Infected: Trojan-Downloader.Java.Agent.ah 2
    C:\Users\All Users\Symantec\Symantec Endpoint Protection\Quarantine\145C0000\5C5F155F.VBN Infected: Trojan.JS.Agent.bmo 1
    C:\Users\All Users\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ab 1

    Selected area has been scanned.
     
  9. 2010/06/26 broni (Moderator, Malware Analyst)
    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      :Services
      
      :Reg
      
      :Files
      C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\10B00000\5CB959CB.VBN 
      C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\10B00001\5CB959EF.VBN
      C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\10B00002\5CB95A05.VBN 
      C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\145C0000\5C5F155F.VBN 
      C:\System Volume Information\Microsoft\services.exe 
      C:\System Volume Information\Microsoft\smss.exe 
      C:\System Volume Information\Microsoft
      C:\Users\All Users\Symantec\Symantec Endpoint Protection\Quarantine\10B00000\5CB959CB.VBN
      C:\Users\All Users\Symantec\Symantec Endpoint Protection\Quarantine\10B00001\5CB959EF.VBN
      C:\Users\All Users\Symantec\Symantec Endpoint Protection\Quarantine\10B00002\5CB95A05.VBN
      C:\Users\All Users\Symantec\Symantec Endpoint Protection\Quarantine\145C0000\5C5F155F.VBN
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
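A detail worth knowing before running a fix built from a scan report like the one above: on Vista and 7, `C:\Users\All Users` is a junction (symbolic link) to `C:\ProgramData`, so the four `C:\Users\All Users\...` quarantine hits are the same files on disk as the `C:\ProgramData\...` ones, and once the first set has been moved the second set will simply come back as not found. The script below is an added example, not code from OTL, Kaspersky or either poster. It parses the `path Infected: threat count` lines in the report format shown, collapses junction aliases to a single entry, sets `not-a-virus:` hits aside for a human decision instead of deleting them (the fix above leaves the UltraVNC `winvnc.exe` alone for the same reason), and flags a core Windows process name found outside `C:\Windows\System32`, queueing its containing folder for removal after the files, as the fix does for `C:\System Volume Information\Microsoft`. The `CORE_BINARIES` list and the alias table are this example's own assumptions; `SAMPLE_REPORT` is a constructed sample reproducing lines from the scan report above.

```python
"""Build an OTL ':Files' fix block from a Kaspersky Online Scanner report.

Added example for this thread; not code from OTL, Kaspersky or the posters.
Assumptions: the 'path Infected: threat count' line layout shown above; that
C:\\Users\\All Users is a junction to C:\\ProgramData (true on Vista/7), so a
hit under either prefix is one file; and the CORE_BINARIES list below.
"""
import ntpath
import re

# Core Windows processes that legitimately run only from %SystemRoot%\System32.
CORE_BINARIES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                 "services.exe", "lsass.exe", "svchost.exe"}

# Directory aliases (lower-case): junction prefix -> real location.
ALIASES = {"c:\\users\\all users": "c:\\programdata"}

LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+\d+$")


def canonical(path):
    """Lower-case the path and resolve known junction prefixes, so two spellings
    of one file compare equal."""
    low = path.lower()
    for alias, target in ALIASES.items():
        if low.startswith(alias + "\\"):
            return target + low[len(alias):]
    return low


def parse_report(text):
    """Yield (path, threat) for each 'Infected:' line of the report."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("threat")


def is_masquerade(path):
    """True when a core binary's name sits anywhere except C:\\Windows\\System32."""
    if ntpath.basename(path).lower() not in CORE_BINARIES:
        return False
    return ntpath.dirname(path).lower() != "c:\\windows\\system32"


def build_fix(report):
    """Return (OTL ':Files' block, review notes).

    Junction aliases are collapsed to one entry, 'not-a-virus' hits are set
    aside for a human decision instead of deleted, and a folder holding a
    masquerading core binary is queued for removal after its files."""
    files, folders, notes, seen = [], [], [], set()
    for path, threat in parse_report(report):
        key = canonical(path)
        if key in seen:
            notes.append(f"skip {path}: same file via junction")
            continue
        seen.add(key)
        if threat.startswith("not-a-virus:"):
            notes.append(f"review {path}: {threat} (flagged tool, may be wanted)")
            continue
        files.append(path)
        if is_masquerade(path):
            notes.append(f"{path}: core binary name outside System32")
            folder = ntpath.dirname(path)
            if canonical(folder) not in seen:
                seen.add(canonical(folder))
                folders.append(folder)
    return ":Files\n" + "\n".join(files + folders), notes


# Constructed sample reproducing lines from the scan report above.
SAMPLE_REPORT = r"""
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\10B00000\5CB959CB.VBN Infected: Trojan.JS.Agent.bmo 1
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\10B00002\5CB95A05.VBN Infected: Trojan-Downloader.Java.Agent.ah 2
C:\ProgramData\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ab 1
C:\System Volume Information\Microsoft\services.exe Infected: Trojan-Clicker.Win32.Cycler.ajtp 1
C:\System Volume Information\Microsoft\smss.exe Infected: Trojan-Clicker.Win32.Cycler.ajtp 1
C:\Users\All Users\Symantec\Symantec Endpoint Protection\Quarantine\10B00000\5CB959CB.VBN Infected: Trojan.JS.Agent.bmo 1
C:\Users\All Users\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ab 1
"""

if __name__ == "__main__":
    fix, notes = build_fix(SAMPLE_REPORT)
    print(fix)
    for note in notes:
        print("#", note)
```

The folder is emitted after its files on purpose: OTL processes the `:Files` section in order, and moving the folder first would leave the individual file entries reporting not found in the fix log.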
     
  10. 2010/06/26 juturna (Thread Starter)
    All processes killed
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\10B00000\5CB959CB.VBN moved successfully.
    C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\10B00001\5CB959EF.VBN moved successfully.
    C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\10B00002\5CB95A05.VBN moved successfully.
    C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\145C0000\5C5F155F.VBN moved successfully.
    C:\System Volume Information\Microsoft\services.exe moved successfully.
    C:\System Volume Information\Microsoft\smss.exe moved successfully.
    C:\System Volume Information\Microsoft folder moved successfully.
    File\Folder C:\Users\All Users\Symantec\Symantec Endpoint Protection\Quarantine\10B00000\5CB959CB.VBN not found.
    File\Folder C:\Users\All Users\Symantec\Symantec Endpoint Protection\Quarantine\10B00001\5CB959EF.VBN not found.
    File\Folder C:\Users\All Users\Symantec\Symantec Endpoint Protection\Quarantine\10B00002\5CB95A05.VBN not found.
    File\Folder C:\Users\All Users\Symantec\Symantec Endpoint Protection\Quarantine\145C0000\5C5F155F.VBN not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Andrew
    ->Temp folder emptied: 109894517 bytes
    ->Temporary Internet Files folder emptied: 3437544 bytes
    ->Java cache emptied: 128094 bytes
    ->FireFox cache emptied: 2473475 bytes
    ->Flash cache emptied: 523 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: RA Media Server
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 111.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Andrew
    ->Flash cache emptied: 0 bytes

    User: Default

    User: Default User

    User: Public

    User: RA Media Server

    Total Flash Files Cleaned = 0.00 mb

    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.7.0 log created on 06262010_180652

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  11. 2010/06/26 broni (Moderator, Malware Analyst)
    I hope this long journey is over :)

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    ===============================================================

    Your computer is clean :)

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
  12. 2010/06/26 juturna (Thread Starter)
    Thank you for everything. I'm glad I got to be of some use (as a guinea pig) to the online-community.
    Hopefully I will not be returning here for a very long time.
     
  13. 2010/06/26 broni (Moderator, Malware Analyst)
    I appreciate you being a willing victim for me :)

    Good luck and stay safe :)
     
