
[Malware] Removed virus/hijacker, but probs remain

Hi. I used TDSSKiller to remove a virus and it did, on the surface. Hijacking is over with, and the randomly generated exe file is no longer running, but I still get a message that I need administrator privileges to save msconfig changes, and every 5-10 seconds my system freezes for a few seconds. Malwarebytes Anti-Malware cannot access the internet to update definitions. Also, both Norton 360 and Spybot Search and Destroy cannot access the internet.
I ran TFC, Malwarebytes Anti-Malware, OTL, Security Check, ESET Online Scan.
I tried to post to the Security Cleanup thread, but could not find a post link.
Logs are as follows:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/2/2011 1:24:00 PM
mbam-log-2011-11-02 (13-24-00).txt

Scan type: Full scan (C:\|J:\|)
Objects scanned: 278048
Time elapsed: 21 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
j:\system volume information\_restore{6dda708f-0936-4a43-a50f-9e24bff8186c}\RP294\A0080838.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
j:\system volume information\_restore{6dda708f-0936-4a43-a50f-9e24bff8186c}\RP294\A0080843.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
j:\system volume information\_restore{6dda708f-0936-4a43-a50f-9e24bff8186c}\RP294\A0080844.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
OTL logfile created on: 11/2/2011 1:35:47 PM - Run 1
OTL by OldTimer - Version 3.2.31.0     Folder = C:\Documents and Settings\Daddy\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.49 Gb Total Physical Memory | 2.12 Gb Available Physical Memory | 85.23% Memory free
4.34 Gb Paging File | 4.14 Gb Available in Paging File | 95.43% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 6.60 Gb Free Space | 17.72% Space Free | Partition Type: NTFS
Drive H: | 4.30 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive J: | 882.68 Gb Total Space | 36.28 Gb Free Space | 4.11% Space Free | Partition Type: NTFS

Computer Name: COMPUTER_1 | User Name: Daddy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========

PRC - [2011/11/02 13:33:25 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Daddy\Desktop\OTL.exe
PRC - [2010/04/12 04:40:16 | 000,180,224 | ---- | M] (PowerISO Computing, Inc.) -- C:\Program Files\Utilities\PowerISO\PWRISOVM.EXE
PRC - [2008/04/14 00:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/01 10:31:24 | 002,121,728 | ---- | M] () -- C:\Program Files\NETGEAR\WN111\wn111.exe
PRC - [2005/09/21 15:32:56 | 002,807,808 | ---- | M] (RealTek Semicoductor Corp.) -- C:\WINDOWS\ALCWZRD.EXE
PRC - [2005/09/21 10:24:02 | 000,086,016 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2005/05/03 18:43:28 | 000,069,632 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\ALCMTR.EXE

========== Modules (No Company Name) ==========

MOD - [2008/04/18 14:03:12 | 000,065,536 | ---- | M] () -- C:\Program Files\NETGEAR\WN111\WlanDll.dll
MOD - [2008/04/01 10:31:24 | 002,121,728 | ---- | M] () -- C:\Program Files\NETGEAR\WN111\wn111.exe

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/11/01 18:36:01 | 000,167,936 | ---- | M] () [Auto | Stopped] -- C:\Program Files\TRENDnet\TEW-421PC_TEW-423PI\WLSVC.exe -- (WLSVC)
SRV - [2011/04/16 20:45:11 | 000,130,008 | R--- | M] () [Unknown | Stopped] -- C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe -- (N360)
SRV - [2011/04/16 20:45:11 | 000,130,008 | R--- | M] () [Auto | Stopped] -- C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe -- (EraserSvc11113)
========== Driver Services (SafeList) ==========

DRV - [2011/10/28 20:05:55 | 000,279,712 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2011/10/28 20:05:55 | 000,025,888 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2011/10/14 19:10:08 | 000,818,808 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111014.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/08/28 21:55:33 | 000,126,584 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/08/28 01:00:00 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20111031.020\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/08/28 01:00:00 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/08/28 01:00:00 | 000,105,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/08/28 01:00:00 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20111031.020\NAVENG.SYS -- (NAVENG)
DRV - [2011/08/26 15:47:30 | 000,356,280 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20111028.030\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/03/30 23:00:09 | 000,516,216 | R--- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\SRTSP.SYS -- (SRTSP)
DRV - [2011/03/30 23:00:09 | 000,050,168 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2011/03/21 20:39:49 | 000,369,784 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMTDI.SYS -- (SYMTDI)
DRV - [2011/03/14 22:31:23 | 000,744,568 | R--- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMEFA.SYS -- (SymEFA)
DRV - [2011/01/27 02:47:10 | 000,340,088 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMDS.SYS -- (SymDS)
DRV - [2011/01/27 01:07:05 | 000,136,312 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\Ironx86.SYS -- (SymIRON)
DRV - [2010/04/12 04:44:34 | 000,059,388 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2008/04/13 18:05:40 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2008/01/23 16:02:02 | 000,020,480 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\WLNdis50.sys -- (WLNdis50)
DRV - [2007/11/18 19:42:52 | 000,461,952 | ---- | M] (Marvell Semiconductor, Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MRVW245.sys -- (MRVW245) Marvell TOPDOG 802.11n WLAN Driver for Windows XP (USB8x)
DRV - [2006/03/26 08:22:14 | 000,051,200 | ---- | M] (Protection Technology (StarForce)) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2006/03/24 12:27:01 | 000,050,176 | ---- | M] (Protection Technology (StarForce)) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfsync04.sys -- (sfsync04) StarForce Protection Synchronization Driver (version 4.x)
DRV - [2006/03/13 05:38:23 | 000,006,656 | ---- | M] (Protection Technology (StarForce)) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
DRV - [2005/11/03 10:40:07 | 000,063,488 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfvfs02.sys -- (sfvfs02) StarForce Protection VFS Driver (version 2.x)
DRV - [2005/09/23 18:56:28 | 003,966,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Search-Results)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig?hl=en"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\IPSFFPlgn\ [2011/09/28 05:56:09 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\coFFPlgn_2011_7_2_3 [2011/10/31 20:31:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/30 20:34:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/08/24 13:33:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Daddy\Application Data\Mozilla\Extensions
[2011/09/27 21:06:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\z93ptgh3.default\extensions
[2011/09/27 21:04:51 | 000,000,000 | ---D | M] (ShopToWin16) -- C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\z93ptgh3.default\extensions\{f1e6d946-6b44-4f3a-8c4b-e497675c8e17}
[2011/09/17 20:57:34 | 000,000,000 | ---D | M] (Ant Video Downloader) -- C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\z93ptgh3.default\extensions\anttoolbar@ant.com
[2011/05/17 19:23:12 | 000,003,295 | ---- | M] () -- C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\z93ptgh3.default\searchplugins\search-results.xml
[2011/08/24 13:33:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/28 05:56:09 | 000,000,000 | ---D | M] (Symantec IPS) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\IPSFFPLGN
[2011/09/29 10:07:09 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/09/30 20:34:38 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/08/11 23:16:35 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/09/01 09:15:31 | 000,000,771 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\5.1.0.29\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\5.1.0.29\IPS\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Search-Results Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Search-Results)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\5.1.0.29\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Search-Results Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Search-Results)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\5.1.0.29\CoIEPlg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Search-Results Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Search-Results)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AlcWzrd] C:\WINDOWS\ALCWZRD.EXE (RealTek Semicoductor Corp.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files\Utilities\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - Startup: C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\Shortcut to wn111.exe.lnk = C:\Program Files\NETGEAR\WN111\wn111.exe ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - mswsock.dll File not found
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} »download.microsoft.com/download/···trol.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} »windowsupdate.microsoft.com/wind···05002234 (WUWebControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 74.128.19.102 74.128.17.114
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{01A7D6EC-E3C4-43EE-B6AB-72A1D8F6E2A5}: DhcpNameServer = 192.168.2.1 74.128.19.102 74.128.17.114
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Daddy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Daddy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/08/24 09:33:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/02/03 15:22:36 | 000,000,067 | ---- | M] () - J:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========

File not found -- C:\WINDOWS\System32\
[2011/11/02 13:33:24 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Daddy\Desktop\OTL.exe
[2011/11/02 12:35:12 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Daddy\Desktop\TFC.exe
[2011/11/02 11:58:00 | 000,347,920 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Daddy\Desktop\MicrosoftFixit.WinSecurity.Run.exe
[2011/11/02 11:23:32 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/11/02 11:23:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daddy\Start Menu\Programs\HiJackThis
[2011/11/01 17:35:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daddy\Local Settings\Application Data\Symantec
[2011/11/01 17:29:54 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Daddy\Desktop\spybotsd162.exe
[2011/11/01 09:17:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daddy\My Documents\Neverwinter Nights 2
[2011/10/31 22:19:32 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Daddy\Local Settings\Application Data\0bfa689f
[2011/10/31 21:12:07 | 000,000,000 | ---D | C] -- C:\Program Files\Buccaneer - The Pursuit OF Infamy
[2011/10/28 10:28:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daddy\Start Menu\Programs\WMV9 VCM
[2011/10/28 10:28:11 | 000,000,000 | ---D | C] -- C:\Program Files\WMV9_VCM
[2011/10/28 10:26:18 | 004,178,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_41.dll
[2011/10/28 10:26:18 | 001,846,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_41.dll
[2011/10/28 10:26:18 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_41.dll
[2011/10/28 10:26:17 | 000,517,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_4.dll
[2011/10/28 10:26:17 | 000,235,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_4.dll
[2011/10/28 10:26:17 | 000,069,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_3.dll
[2011/10/28 10:26:16 | 002,036,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_40.dll
[2011/10/28 10:26:16 | 000,452,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_40.dll
[2011/10/28 10:26:16 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_6.dll
[2011/10/28 10:26:15 | 004,379,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_40.dll
[2011/10/28 10:26:15 | 000,514,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_3.dll
[2011/10/28 10:26:15 | 000,070,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_2.dll
[2011/10/28 10:26:14 | 000,235,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_3.dll
[2011/10/28 10:26:14 | 000,023,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_5.dll
[2011/10/28 10:26:13 | 000,509,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_2.dll
[2011/10/28 10:26:13 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_2.dll
[2011/10/28 10:26:13 | 000,068,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_1.dll
[2011/10/28 10:26:12 | 003,851,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_39.dll
[2011/10/28 10:26:12 | 001,493,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_39.dll
[2011/10/28 10:26:12 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_39.dll
[2011/10/28 10:26:11 | 000,507,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_1.dll
[2011/10/28 10:26:11 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_1.dll
[2011/10/28 10:26:11 | 000,065,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_0.dll
[2011/10/28 10:26:11 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_4.dll
[2011/10/28 10:26:10 | 001,491,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_38.dll
[2011/10/28 10:26:10 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_38.dll
[2011/10/28 10:26:09 | 003,850,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_38.dll
[2011/10/28 10:26:09 | 000,479,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_0.dll
[2011/10/28 10:26:09 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_0.dll
[2011/10/28 10:26:08 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_3.dll
[2011/10/28 10:26:07 | 003,786,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_37.dll
[2011/10/28 10:26:07 | 001,420,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_37.dll
[2011/10/28 10:26:07 | 000,462,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_37.dll
[2011/10/28 10:26:06 | 001,374,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_36.dll
[2011/10/28 10:26:06 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_36.dll
[2011/10/28 10:26:06 | 000,267,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_10.dll
[2011/10/28 10:26:05 | 003,734,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_36.dll
[2011/10/28 10:26:04 | 001,358,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_35.dll
[2011/10/28 10:26:04 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_35.dll
[2011/10/28 10:26:04 | 000,267,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_9.dll
[2011/10/28 10:26:03 | 003,727,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_35.dll
[2011/10/28 10:26:03 | 000,266,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_8.dll
[2011/10/28 10:26:03 | 000,017,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_2.dll
[2011/10/28 10:26:02 | 003,497,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_34.dll
[2011/10/28 10:26:02 | 001,124,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_34.dll
[2011/10/28 10:26:02 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_34.dll
[2011/10/28 10:26:01 | 000,081,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_3.dll
[2011/10/28 10:26:00 | 000,261,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_7.dll
[2011/10/28 10:25:59 | 001,123,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_33.dll
[2011/10/28 10:25:59 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_33.dll
[2011/10/28 10:25:56 | 003,495,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_33.dll
[2011/10/28 10:25:55 | 000,255,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_6.dll
[2011/10/28 10:25:55 | 000,251,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_5.dll
[2011/10/28 10:25:54 | 003,426,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_32.dll
[2011/10/28 10:25:54 | 000,237,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_4.dll
[2011/10/28 10:25:54 | 000,015,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_1.dll
[2011/10/28 10:25:53 | 002,414,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_31.dll
[2011/10/28 10:05:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2011/10/22 08:14:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daddy\Desktop\Gothic II
[2011/10/18 09:25:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daddy\Application Data\Image Zone Express
========== Files - Modified Within 30 Days ==========

File not found -- C:\WINDOWS\System32\
[2011/11/02 13:33:25 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Daddy\Desktop\OTL.exe
[2011/11/02 13:26:41 | 000,186,097 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/11/02 13:26:37 | 000,002,262 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/11/02 13:26:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/11/02 13:01:17 | 000,000,234 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2011/11/02 13:00:12 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/11/02 12:57:26 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\Daddy\Desktop\HiJackThis.lnk
[2011/11/02 12:35:12 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Daddy\Desktop\TFC.exe
[2011/11/02 12:25:26 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2011/11/02 11:58:00 | 000,347,920 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Daddy\Desktop\MicrosoftFixit.WinSecurity.Run.exe
[2011/11/02 11:23:04 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\Daddy\Desktop\HiJackThis.msi
[2011/11/02 11:07:20 | 000,000,000 | ---- | M] () -- C:\WINDOWS\2674457099
[2011/11/01 17:29:55 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Daddy\Desktop\spybotsd162.exe
[2011/11/01 08:28:04 | 000,001,592 | ---- | M] () -- C:\Documents and Settings\Daddy\Application Data\Microsoft\Internet Explorer\Quick Launch\Neverwinter Nights 2.lnk
[2011/10/31 21:21:55 | 000,000,826 | ---- | M] () -- C:\Documents and Settings\Daddy\Application Data\Microsoft\Internet Explorer\Quick Launch\Buccaneer.lnk
[2011/10/31 21:13:38 | 000,000,826 | ---- | M] () -- C:\Documents and Settings\Daddy\Desktop\Buccaneer.lnk
[2011/10/28 20:05:55 | 000,279,712 | ---- | M] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2011/10/28 20:05:55 | 000,025,888 | ---- | M] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2011/10/28 11:12:06 | 001,564,464 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Daddy\Desktop\TDSSKiller.exe
[2011/10/28 07:21:21 | 000,611,307 | ---- | M] () -- C:\Documents and Settings\Daddy\Desktop\Gothic II Walkthrough.rtf
[2011/10/22 20:58:44 | 000,004,096 | ---- | M] () -- C:\WINDOWS\d3dx.dat
[2011/10/22 20:56:24 | 000,001,789 | ---- | M] () -- C:\Documents and Settings\Daddy\Application Data\Microsoft\Internet Explorer\Quick Launch\Gothic 2 Gold.lnk
[2011/10/18 07:40:42 | 000,093,480 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/10/18 07:24:31 | 000,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/10/18 07:24:31 | 000,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/10/18 07:18:11 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/10/14 09:35:38 | 000,004,608 | ---- | M] () -- C:\Documents and Settings\Daddy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/10/09 07:29:12 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/10/08 12:56:57 | 000,000,738 | ---- | M] () -- C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\Shortcut to wn111.exe.lnk
[2011/10/04 21:38:03 | 000,000,091 | ---- | M] () -- C:\WINDOWS\CIV.INI
[color=#E56717]========== Files Created - No Company Name ==========[/color]
[2011/11/02 11:23:33 | 000,002,447 | ---- | C] () -- C:\Documents and Settings\Daddy\Desktop\HiJackThis.lnk
[2011/11/02 11:23:03 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\Daddy\Desktop\HiJackThis.msi
[2011/11/01 08:28:04 | 000,001,592 | ---- | C] () -- C:\Documents and Settings\Daddy\Application Data\Microsoft\Internet Explorer\Quick Launch\Neverwinter Nights 2.lnk
[2011/10/31 22:19:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\2674457099
[2011/10/31 21:21:55 | 000,000,826 | ---- | C] () -- C:\Documents and Settings\Daddy\Application Data\Microsoft\Internet Explorer\Quick Launch\Buccaneer.lnk
[2011/10/31 21:13:37 | 000,000,826 | ---- | C] () -- C:\Documents and Settings\Daddy\Desktop\Buccaneer.lnk
[2011/10/28 07:21:21 | 000,611,307 | ---- | C] () -- C:\Documents and Settings\Daddy\Desktop\Gothic II Walkthrough.rtf
[2011/10/22 20:58:44 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat
[2011/10/22 20:56:23 | 000,001,789 | ---- | C] () -- C:\Documents and Settings\Daddy\Application Data\Microsoft\Internet Explorer\Quick Launch\Gothic 2 Gold.lnk
[2011/10/12 12:00:17 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Daddy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/10/08 12:56:57 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\Shortcut to wn111.exe.lnk
[2011/09/04 22:13:25 | 000,000,091 | ---- | C] () -- C:\WINDOWS\CIV.INI
[2011/09/04 22:11:29 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\IYVU9_32.DLL
[2011/09/02 12:14:07 | 000,279,712 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2011/09/02 12:14:06 | 000,025,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2011/09/01 09:31:16 | 000,000,060 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/08/27 15:30:04 | 000,069,359 | ---- | C] () -- C:\WINDOWS\hpoins05.dat
[2011/08/27 15:30:04 | 000,019,696 | ---- | C] () -- C:\WINDOWS\hpomdl05.dat
[2011/08/24 11:39:15 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\drivers\WLNdis50.sys
[2011/08/24 09:35:46 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/08/24 09:30:33 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/08/24 05:20:17 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/08/24 05:19:07 | 000,093,480 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/05/16 14:01:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/05/16 14:01:00 | 001,630,208 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2008/05/16 14:01:00 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/05/16 14:01:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2008/05/16 14:01:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/05/16 14:01:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/05/16 14:01:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2008/05/16 14:01:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2008/05/16 14:01:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2008/04/14 00:55:28 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2006/12/31 02:57:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2001/08/23 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 07:00:00 | 000,432,356 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 07:00:00 | 000,067,312 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 07:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
OTL Extras logfile created on: 11/2/2011 1:35:47 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Daddy\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.49 Gb Total Physical Memory | 2.12 Gb Available Physical Memory | 85.23% Memory free
4.34 Gb Paging File | 4.14 Gb Available in Paging File | 95.43% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 6.60 Gb Free Space | 17.72% Space Free | Partition Type: NTFS
Drive H: | 4.30 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive J: | 882.68 Gb Total Space | 36.28 Gb Free Space | 4.11% Space Free | Partition Type: NTFS
Computer Name: COMPUTER_1 | User Name: Daddy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
[color=#E56717]========== Extra Registry (SafeList) ==========[/color]
[color=#E56717]========== File Associations ==========[/color]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\] .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
[HKEY_CURRENT_USER\SOFTWARE\Classes\] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
[color=#E56717]========== Shell Spawning ==========[/color]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
[color=#E56717]========== Security Center Settings ==========[/color]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
[color=#E56717]========== System Restore Settings ==========[/color]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore] "DisableSR" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr] "Start" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService] "Start" = 2
[color=#E56717]========== Firewall Settings ==========[/color]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
[color=#E56717]========== Authorized Applications List ==========[/color]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Buccaneer - The Pursuit OF Infamy\T3D.exe" = C:\Program Files\Buccaneer - The Pursuit OF Infamy\T3D.exe:*:Enabled:Buccaneer: The Pursuit of Infamy -- ()
"C:\Games\Neverwinter Nights 2\nwupdate.exe" = C:\Games\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater -- (Obsidian Entertainment, Inc.)
"C:\Games\Neverwinter Nights 2\nwn2server.exe" = C:\Games\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server -- (Obsidian Entertainment, Inc.)
[color=#E56717]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{007C0BB9-C5E2-4C73-B96B-2BBD5CEA9BF9}" = 2350 "{0390854C-42B9-4BC2-B0CF-87DDA0F62EC8}" = 2350_Help "{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan "{14BEB6DF-A499-4A38-8E06-E173BCD5C087}" = ScannerCopy "{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant "{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax "{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}" = TrayApp "{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}" = Unload "{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}" = HP Update "{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7 "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext "{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme "{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis "{64893225-ADBA-469E-B114-F3B2C1FBBA77}" = RTKXI "{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan "{68963635-14A4-48D9-B431-DF3A74D1AAE1}" = Destinations "{700A6597-3CE6-49C1-AA75-846B24CDA66D}" = BufferChm "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}" = HPSystemDiagnostics "{85BCA736-A0F4-448E-9BC1-6EA08693E10B}" = HP Image Zone Express "{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware "{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Search-Results Toolbar "{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{AC76BA86-7AD7-1033-7B44-000000000001}" = Adobe Reader 6.0 "{AFCE4D19-D385-4232-9B0E-809D85A25A10}" = NETGEAR WN111 wireless USB 2.0 adapter "{B1BDEA80-95CE-4DFB-B9D3-DC800E7F87B4}" = TRENDnet 802.11g Wireless CardBus/PCI Adapter "{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 
"{C0E7118C-CF3D-46EC-B431-F744C035A571}" = 2350Trb "{CDFCF124-115F-4976-8BF4-08C89187A146}" = WebReg "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F20C1251-1D0A-4944-B2AE-678581B33B19}" = Neverwinter Nights 2 "7-Zip" = 7-Zip 9.10 beta "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "Buccaneer: The Pursuit of Infamy_is1" = Buccaneer 1.2 "CCleaner" = CCleaner "Civilization II Multiplayer Gold Edition" = Civilization II Multiplayer Gold Edition "Easy CD-DA Extractor 15" = Easy CD-DA Extractor 15 "FairUse Wizard 2" = FairUse Wizard 2 "Gothic 2 Gold_is1" = Gothic 2 Gold "HP Photo & Imaging" = HP Image Zone 4.7 "ie8" = Windows Internet Explorer 8 "InstallShield_{AFCE4D19-D385-4232-9B0E-809D85A25A10}" = NETGEAR WN111 wireless USB 2.0 adapter "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300 "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Mozilla Firefox 7.0.1 (x86 en-US)" = Mozilla Firefox 7.0.1 (x86 en-US) "N360" = Norton 360 "NVIDIA Drivers" = NVIDIA Drivers "PowerISO" = PowerISO "SharpDriver" = Sharp USB Driver "Temple of Elemental Evil_is1" = Temple of Elemental Evil "VLC media player" = VLC media player 1.1.11 "WMV9_VCM" = Microsoft Windows Media Video 9 VCM
[color=#E56717]========== HKEY_CURRENT_USER Uninstall List ==========[/color]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "InstallShield_{64893225-ADBA-469E-B114-F3B2C1FBBA77}" = RTKXI
[color=#E56717]========== Last 10 Event Log Errors ==========[/color]
[ Application Events ]
Error - 9/2/2011 12:02:01 PM | Computer Name = COMPUTER_1 | Source = Application Error | ID = 1000 Description = Faulting application toee.exe, version 0.0.0.0, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x00019af2.
Error - 9/4/2011 9:06:01 AM | Computer Name = COMPUTER_1 | Source = Application Error | ID = 1000 Description = Faulting application gothic3.exe, version 1.52.25931.0, faulting module game.dll, version 1.52.25931.0, fault address 0x00051688.
Error - 9/7/2011 1:25:10 PM | Computer Name = COMPUTER_1 | Source = Application Error | ID = 1000 Description = Faulting application gothic3.exe, version 1.52.25931.0, faulting module game.dll, version 1.52.25931.0, fault address 0x00051688.
Error - 9/11/2011 12:41:24 PM | Computer Name = COMPUTER_1 | Source = Application Hang | ID = 1002 Description = Hanging application Gothic3.exe, version 1.52.25931.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 9/11/2011 1:00:16 PM | Computer Name = COMPUTER_1 | Source = Application Hang | ID = 1001 Description = Fault bucket 593604291.
Error - 9/11/2011 8:15:37 PM | Computer Name = COMPUTER_1 | Source = Application Error | ID = 1000 Description = Faulting application gothic3.exe, version 1.52.25931.0, faulting module engine.dll, version 1.52.25931.0, fault address 0x004e1a35.
Error - 9/12/2011 10:06:39 PM | Computer Name = COMPUTER_1 | Source = Application Hang | ID = 1002 Description = Hanging application Gothic3.exe, version 1.52.25931.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 9/26/2011 10:20:22 PM | Computer Name = COMPUTER_1 | Source = MsiInstaller | ID = 11330 Description = Product: Driver Detective -- Error 1330.A file that is required cannot be installed because the cabinet file C:\WINDOWS\Installer\MSICA.tmp has an invalid digital signature. This may indicate that the cabinet file is corrupt. Error 266 was returned by WinVerifyTrust.
Error - 9/27/2011 3:00:37 PM | Computer Name = COMPUTER_1 | Source = MsiInstaller | ID = 11330 Description = Product: Driver Detective -- Error 1330.A file that is required cannot be installed because the cabinet file C:\WINDOWS\Installer\MSI2A.tmp has an invalid digital signature. This may indicate that the cabinet file is corrupt. Error 266 was returned by WinVerifyTrust.
Error - 9/27/2011 9:03:37 PM | Computer Name = COMPUTER_1 | Source = Application Error | ID = 1000 Description = Faulting application gothic3.exe, version 1.52.25931.0, faulting module engine.dll, version 1.52.25931.0, fault address 0x004e6c02.
[ System Events ]
Error - 10/17/2011 9:04:35 PM | Computer Name = COMPUTER_1 | Source = Dhcp | ID = 1001 Description = Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0014D1671A97. The following error occurred: %%121. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Error - 10/18/2011 9:42:02 AM | Computer Name = COMPUTER_1 | Source = Dhcp | ID = 1001 Description = Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0014D1671A97. The following error occurred: %%121. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Error - 10/18/2011 12:00:23 PM | Computer Name = COMPUTER_1 | Source = Dhcp | ID = 1001 Description = Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0014D1671A97. The following error occurred: %%121. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Error - 10/18/2011 1:12:19 PM | Computer Name = COMPUTER_1 | Source = Server | ID = 2505 Description = The server could not bind to the transport \Device\NetBT_Tcpip_{9709EC0F-FCC2-4F7F-97D5-338663FB28B7} because another computer on the network has the same name. The server could not start.
Error - 10/18/2011 1:58:16 PM | Computer Name = COMPUTER_1 | Source = Dhcp | ID = 1001 Description = Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0014D1671A97. The following error occurred: %%121. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Error - 10/18/2011 2:10:41 PM | Computer Name = COMPUTER_1 | Source = Dhcp | ID = 1001 Description = Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0014D1671A97. The following error occurred: %%1223. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Error - 10/18/2011 2:47:27 PM | Computer Name = COMPUTER_1 | Source = Server | ID = 2505 Description = The server could not bind to the transport \Device\NetBT_Tcpip_{9709EC0F-FCC2-4F7F-97D5-338663FB28B7} because another computer on the network has the same name. The server could not start.
Error - 10/18/2011 8:10:33 PM | Computer Name = COMPUTER_1 | Source = Dhcp | ID = 1002 Description = The IP address lease 192.168.2.3 for the Network Card with network address 001E2AB1C5D5 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
Error - 10/20/2011 8:27:09 PM | Computer Name = COMPUTER_1 | Source = Dhcp | ID = 1001 Description = Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0014D1671A97. The following error occurred: %%121. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Error - 10/21/2011 10:10:02 AM | Computer Name = COMPUTER_1 | Source = Server | ID = 2505 Description = The server could not bind to the transport \Device\NetBT_Tcpip_{9709EC0F-FCC2-4F7F-97D5-338663FB28B7} because another computer on the network has the same name. The server could not start.
Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
[u]Antivirus/Firewall Check:[/u]
Windows Firewall Disabled!
Norton 360 Antivirus up to date!
```````````````````````````````
[u]Anti-malware/Other Utilities Check:[/u]
Malwarebytes' Anti-Malware
CCleaner
Adobe Flash Player 11.0.1.152
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check: [u]objlist.exe by Laurent[/u]
``````````End of Log````````````
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=0
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=7b091b1157c69e40a96280eaa79dd9be
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-11-02 06:04:55
# local_time=2011-11-02 02:04:55 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3589 16777174 100 84 0 70833191 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=0
# found=0
# cleaned=0
# scan_time=0
Please help. Thanks!
lilhurricane (Premium, Mod):
said by plinkerman: I tried to post to Security Cleanup thread, but could not find a post link.
You posted fine.
Can you please add here the log from TDSSKiller? (use "post reply" button below)
LoPhatPhuud (Premium, VIP, MVM):
reply to plinkerman: A quick scan shows nothing glaring.
Please post the TDSS log that LilHurricane requested.
Also, check your router and firewall settings to make sure the blocking issue is not there.
-- When angry count four; when very angry, swear. Microsoft MVP/Consumer Security 2005-2011 Gladiator Security Forum
reply to lilhurricane: Thanks guys. By the way, if it was the firewall it wouldn't freeze every 5-10 seconds, would it?
Again much thanks. Here it is:
12:17:27.0875 0368 TDSS rootkit removing tool 2.6.14.0 Oct 28 2011 11:11:01 12:17:27.0984 0368 ============================================================ 12:17:27.0984 0368 Current date / time: 2011/11/02 12:17:27.0984 12:17:27.0984 0368 SystemInfo: 12:17:27.0984 0368 12:17:27.0984 0368 OS Version: 5.1.2600 ServicePack: 3.0 12:17:27.0984 0368 Product type: Workstation 12:17:27.0984 0368 ComputerName: COMPUTER_1 12:17:27.0984 0368 UserName: Daddy 12:17:27.0984 0368 Windows directory: C:\WINDOWS 12:17:27.0984 0368 System windows directory: C:\WINDOWS 12:17:27.0984 0368 Processor architecture: Intel x86 12:17:27.0984 0368 Number of processors: 2 12:17:27.0984 0368 Page size: 0x1000 12:17:27.0984 0368 Boot type: Normal boot 12:17:27.0984 0368 ============================================================ 12:17:37.0921 0368 Initialize success 12:17:41.0125 3104 ============================================================ 12:17:41.0125 3104 Scan started 12:17:41.0125 3104 Mode: Manual; 12:17:41.0125 3104 ============================================================ 12:17:41.0687 3104 Abiosdsk - ok 12:17:41.0703 3104 abp480n5 - ok 12:17:41.0781 3104 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys 12:17:41.0781 3104 ACPI - ok 12:17:41.0968 3104 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys 12:17:41.0968 3104 ACPIEC - ok 12:17:42.0046 3104 adpu160m - ok 12:17:42.0109 3104 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys 12:17:42.0109 3104 aec - ok 12:17:42.0218 3104 AegisP (30bb1bde595ca65fd5549462080d94e5) C:\WINDOWS\system32\DRIVERS\AegisP.sys 12:17:42.0218 3104 AegisP - ok 12:17:42.0375 3104 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys 12:17:42.0375 3104 AFD - ok 12:17:42.0406 3104 Aha154x - ok 12:17:42.0515 3104 aic78u2 - ok 12:17:42.0531 3104 aic78xx - ok 12:17:42.0546 3104 AliIde - ok 12:17:42.0562 3104 amsint - ok 12:17:42.0625 3104 Arp1394 
(b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys 12:17:42.0625 3104 Arp1394 - ok 12:17:42.0640 3104 asc - ok 12:17:42.0750 3104 asc3350p - ok 12:17:42.0781 3104 asc3550 - ok 12:17:42.0828 3104 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys 12:17:42.0828 3104 AsyncMac - ok 12:17:42.0906 3104 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys 12:17:42.0906 3104 atapi - ok 12:17:43.0015 3104 Atdisk - ok 12:17:43.0093 3104 atksgt (e46d344412d1abc60c58e95c73bcdc70) C:\WINDOWS\system32\DRIVERS\atksgt.sys 12:17:43.0093 3104 atksgt - ok 12:17:43.0187 3104 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys 12:17:43.0187 3104 Atmarpc - ok 12:17:43.0312 3104 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys 12:17:43.0312 3104 audstub - ok 12:17:43.0421 3104 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys 12:17:43.0421 3104 Beep - ok 12:17:43.0468 3104 bfa689f (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\2674457099:4094007136.exe 12:17:43.0484 3104 Suspicious file (Hidden): C:\WINDOWS\2674457099:4094007136.exe. 
md5: 8f2bb1827cac01aee6a16e30a1260199 12:17:43.0484 3104 bfa689f ( Rootkit.Win32.PMax.gen ) - infected 12:17:43.0484 3104 bfa689f - detected Rootkit.Win32.PMax.gen (0) 12:17:43.0671 3104 BHDrvx86 (fe57ab6683f48264d1cd36f5d5ee95a8) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111014.001\BHDrvx86.sys 12:17:43.0671 3104 BHDrvx86 - ok 12:17:43.0828 3104 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys 12:17:43.0843 3104 cbidf2k - ok 12:17:43.0875 3104 cd20xrnt - ok 12:17:43.0937 3104 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys 12:17:43.0937 3104 Cdaudio - ok 12:17:43.0984 3104 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys 12:17:43.0984 3104 Cdfs - ok 12:17:44.0187 3104 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys 12:17:44.0187 3104 Cdrom - ok 12:17:44.0250 3104 Changer - ok 12:17:44.0265 3104 CmdIde - ok 12:17:44.0312 3104 Cpqarray - ok 12:17:44.0328 3104 dac2w2k - ok 12:17:44.0343 3104 dac960nt - ok 12:17:44.0406 3104 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys 12:17:44.0406 3104 Disk - ok 12:17:44.0484 3104 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys 12:17:44.0515 3104 dmboot - ok 12:17:44.0656 3104 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys 12:17:44.0656 3104 dmio - ok 12:17:44.0703 3104 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys 12:17:44.0703 3104 dmload - ok 12:17:44.0875 3104 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys 12:17:44.0890 3104 DMusic - ok 12:17:44.0953 3104 dpti2o - ok 12:17:45.0015 3104 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys 12:17:45.0015 3104 drmkaud - ok 12:17:45.0125 3104 eeCtrl 
(8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 12:17:45.0125 3104 eeCtrl - ok 12:17:45.0171 3104 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 12:17:45.0171 3104 EraserUtilRebootDrv - ok 12:17:45.0343 3104 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys 12:17:45.0343 3104 Fastfat - ok 12:17:45.0390 3104 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys 12:17:45.0390 3104 Fdc - ok 12:17:45.0406 3104 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys 12:17:45.0406 3104 Fips - ok 12:17:45.0562 3104 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys 12:17:45.0562 3104 Flpydisk - ok 12:17:45.0640 3104 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys 12:17:45.0640 3104 FltMgr - ok 12:17:45.0734 3104 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys 12:17:45.0734 3104 Fs_Rec - ok 12:17:45.0812 3104 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys 12:17:45.0812 3104 Ftdisk - ok 12:17:45.0968 3104 GEARAspiWDM (5ae3a887ece5bbb72cfab273c2fd1cfa) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 12:17:45.0968 3104 GEARAspiWDM - ok 12:17:46.0109 3104 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys 12:17:46.0109 3104 Gpc - ok 12:17:46.0203 3104 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 12:17:46.0203 3104 HDAudBus - ok 12:17:46.0328 3104 hpn - ok 12:17:46.0375 3104 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys 12:17:46.0375 3104 HPZid412 - ok 12:17:46.0437 3104 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys 12:17:46.0437 3104 HPZipr12 - ok 12:17:46.0546 3104 HPZius12 
(cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys 12:17:46.0546 3104 HPZius12 - ok 12:17:46.0640 3104 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys 12:17:46.0656 3104 HTTP - ok 12:17:46.0765 3104 i2omgmt - ok 12:17:46.0781 3104 i2omp - ok 12:17:46.0843 3104 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys 12:17:46.0843 3104 i8042prt - ok 12:17:47.0015 3104 ialm (d4405bd2b6e95efdc8e674ed4032874f) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 12:17:47.0046 3104 ialm - ok 12:17:47.0265 3104 IDSxpx86 (e72d3894d42355e9cd5fd77e1e4fea11) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20111028.030\IDSxpx86.sys 12:17:47.0265 3104 IDSxpx86 - ok 12:17:47.0421 3104 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys 12:17:47.0421 3104 Imapi - ok 12:17:47.0453 3104 ini910u - ok 12:17:47.0640 3104 IntcAzAudAddService (a30685283f90ae02f1cd50972c6065e3) C:\WINDOWS\system32\drivers\RtkHDAud.sys 12:17:47.0671 3104 IntcAzAudAddService - ok 12:17:47.0859 3104 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys 12:17:47.0859 3104 IntelIde - ok 12:17:47.0968 3104 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys 12:17:47.0968 3104 intelppm - ok 12:17:48.0015 3104 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys 12:17:48.0015 3104 Ip6Fw - ok 12:17:48.0093 3104 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 12:17:48.0093 3104 IpFilterDriver - ok 12:17:48.0218 3104 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys 12:17:48.0218 3104 IpInIp - ok 12:17:48.0312 3104 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys 12:17:48.0312 3104 IpNat - ok 12:17:48.0437 3104 IPSec 
(41f8fc170a729b9bbbd7ba37e2db0850) C:\WINDOWS\system32\DRIVERS\ipsec.sys 12:17:48.0437 3104 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: 41f8fc170a729b9bbbd7ba37e2db0850, Fake md5: 23c74d75e36e7158768dd63d92789a91 12:17:48.0437 3104 IPSec ( Rootkit.Win32.ZAccess.aml ) - infected 12:17:48.0437 3104 IPSec - detected Rootkit.Win32.ZAccess.aml (0) 12:17:48.0468 3104 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys 12:17:48.0468 3104 IRENUM - ok 12:17:48.0562 3104 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys 12:17:48.0562 3104 isapnp - ok 12:17:48.0671 3104 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys 12:17:48.0671 3104 Kbdclass - ok 12:17:48.0734 3104 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys 12:17:48.0734 3104 kmixer - ok 12:17:48.0812 3104 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys 12:17:48.0828 3104 KSecDD - ok 12:17:48.0937 3104 lbrtfdc - ok 12:17:49.0000 3104 lirsgt (8ccf9ed46d52af1375875f74a91ffacf) C:\WINDOWS\system32\DRIVERS\lirsgt.sys 12:17:49.0000 3104 lirsgt - ok 12:17:49.0062 3104 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys 12:17:49.0062 3104 mnmdd - ok 12:17:49.0203 3104 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys 12:17:49.0203 3104 Modem - ok 12:17:49.0281 3104 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys 12:17:49.0281 3104 Mouclass - ok 12:17:49.0421 3104 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys 12:17:49.0421 3104 MountMgr - ok 12:17:49.0437 3104 mraid35x - ok 12:17:49.0515 3104 MRVW245 (513179a0e168b4d4cc6ff302b9c27568) C:\WINDOWS\system32\DRIVERS\MRVW245.sys 12:17:49.0531 3104 MRVW245 - ok 12:17:49.0687 3104 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys 
12:17:49.0687 3104 MRxDAV - ok 12:17:49.0875 3104 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 12:17:49.0890 3104 MRxSmb - ok 12:17:50.0031 3104 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys 12:17:50.0046 3104 Msfs - ok 12:17:50.0093 3104 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys 12:17:50.0093 3104 MSKSSRV - ok 12:17:50.0125 3104 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys 12:17:50.0125 3104 MSPCLOCK - ok 12:17:50.0140 3104 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys 12:17:50.0140 3104 MSPQM - ok 12:17:50.0312 3104 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys 12:17:50.0312 3104 mssmbios - ok 12:17:50.0421 3104 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys 12:17:50.0421 3104 Mup - ok 12:17:50.0625 3104 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20111031.020\NAVENG.SYS 12:17:50.0625 3104 NAVENG - ok 12:17:50.0765 3104 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20111031.020\NAVEX15.SYS 12:17:50.0812 3104 NAVEX15 - ok 12:17:50.0968 3104 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys 12:17:50.0968 3104 NDIS - ok 12:17:51.0031 3104 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12:17:51.0031 3104 NdisTapi - ok 12:17:51.0171 3104 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys 12:17:51.0171 3104 Ndisuio - ok 12:17:51.0203 3104 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys 12:17:51.0203 3104 NdisWan - ok 12:17:51.0343 3104 
NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys 12:17:51.0343 3104 NDProxy - ok 12:17:51.0453 3104 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys 12:17:51.0453 3104 NetBIOS - ok 12:17:51.0562 3104 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys 12:17:51.0562 3104 NetBT - ok 12:17:51.0703 3104 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys 12:17:51.0703 3104 NIC1394 - ok 12:17:51.0828 3104 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys 12:17:51.0828 3104 Npfs - ok 12:17:51.0968 3104 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys 12:17:51.0984 3104 Ntfs - ok 12:17:52.0156 3104 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys 12:17:52.0156 3104 Null - ok 12:17:52.0453 3104 nv (9f4384aa43548ddd438f7b7825d11699) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 12:17:52.0703 3104 nv - ok 12:17:52.0828 3104 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 12:17:52.0828 3104 NwlnkFlt - ok 12:17:52.0890 3104 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 12:17:52.0890 3104 NwlnkFwd - ok 12:17:52.0937 3104 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys 12:17:52.0937 3104 ohci1394 - ok 12:17:53.0109 3104 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys 12:17:53.0109 3104 Parport - ok 12:17:53.0140 3104 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys 12:17:53.0140 3104 PartMgr - ok 12:17:53.0203 3104 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys 12:17:53.0203 3104 ParVdm - ok 12:17:53.0343 3104 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys 12:17:53.0343 3104 PCI - ok 12:17:53.0359 3104 PCIDump - ok 12:17:53.0406 3104 
PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys 12:17:53.0406 3104 PCIIde - ok 12:17:53.0531 3104 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys 12:17:53.0531 3104 Pcmcia - ok 12:17:53.0578 3104 PDCOMP - ok 12:17:53.0593 3104 PDFRAME - ok 12:17:53.0609 3104 PDRELI - ok 12:17:53.0625 3104 PDRFRAME - ok 12:17:53.0640 3104 perc2 - ok 12:17:53.0656 3104 perc2hib - ok 12:17:53.0734 3104 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys 12:17:53.0734 3104 PptpMiniport - ok 12:17:53.0921 3104 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys 12:17:53.0921 3104 PSched - ok 12:17:54.0031 3104 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys 12:17:54.0031 3104 Ptilink - ok 12:17:54.0062 3104 ql1080 - ok 12:17:54.0078 3104 Ql10wnt - ok 12:17:54.0093 3104 ql12160 - ok 12:17:54.0109 3104 ql1240 - ok 12:17:54.0125 3104 ql1280 - ok 12:17:54.0156 3104 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys 12:17:54.0156 3104 RasAcd - ok 12:17:54.0250 3104 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 12:17:54.0265 3104 Rasl2tp - ok 12:17:54.0343 3104 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys 12:17:54.0343 3104 RasPppoe - ok 12:17:54.0437 3104 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys 12:17:54.0437 3104 Raspti - ok 12:17:54.0562 3104 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys 12:17:54.0562 3104 Rdbss - ok 12:17:54.0671 3104 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 12:17:54.0671 3104 RDPCDD - ok 12:17:54.0843 3104 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys 12:17:54.0843 3104 rdpdr - ok 12:17:54.0906 3104 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) 
C:\WINDOWS\system32\drivers\RDPWD.sys 12:17:54.0906 3104 RDPWD - ok 12:17:55.0062 3104 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys 12:17:55.0062 3104 redbook - ok 12:17:55.0140 3104 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS 12:17:55.0140 3104 rtl8139 - ok 12:17:55.0265 3104 rtl8185 (53afd9efc645c5457a3d8ddd7a441340) C:\WINDOWS\system32\DRIVERS\rtl8185.sys 12:17:55.0281 3104 rtl8185 - ok 12:17:55.0437 3104 SCDEmu (20b2751cd4c8f3fd989739ca661b9f30) C:\WINDOWS\system32\drivers\SCDEmu.sys 12:17:55.0437 3104 SCDEmu - ok 12:17:55.0515 3104 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys 12:17:55.0515 3104 Secdrv - ok 12:17:55.0671 3104 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys 12:17:55.0671 3104 Serial - ok 12:17:55.0750 3104 sfdrv01 (9e7dee11fd5a4355941a45f13c0ed59a) C:\WINDOWS\system32\drivers\sfdrv01.sys 12:17:55.0750 3104 sfdrv01 - ok 12:17:55.0859 3104 sfhlp02 (ecefb59d2206d281e6d317af0ea0d8bd) C:\WINDOWS\system32\drivers\sfhlp02.sys 12:17:55.0859 3104 sfhlp02 - ok 12:17:55.0921 3104 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys 12:17:55.0921 3104 Sfloppy - ok 12:17:56.0046 3104 sfsync04 (05e3038180cd846b0bca0e915163606a) C:\WINDOWS\system32\drivers\sfsync04.sys 12:17:56.0046 3104 sfsync04 - ok 12:17:56.0156 3104 sfvfs02 (d5a7e09d2c6a702809e49190d52adc9f) C:\WINDOWS\system32\drivers\sfvfs02.sys 12:17:56.0156 3104 sfvfs02 - ok 12:17:56.0203 3104 Simbad - ok 12:17:56.0218 3104 Sparrow - ok 12:17:56.0265 3104 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 12:17:56.0265 3104 splitter - ok 12:17:56.0375 3104 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys 12:17:56.0375 3104 sr - ok 12:17:56.0500 3104 SRTSP (83726cf02eced69138948083e06b6eac) C:\WINDOWS\system32\drivers\N360\0501000.01D\SRTSP.SYS 12:17:56.0500 3104 SRTSP - ok 
12:17:56.0656 3104 SRTSPX (4e7eab2e5615d39cf1f1df9c71e5e225) C:\WINDOWS\system32\drivers\N360\0501000.01D\SRTSPX.SYS 12:17:56.0656 3104 SRTSPX - ok 12:17:56.0734 3104 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys 12:17:56.0750 3104 Srv - ok 12:17:56.0906 3104 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys 12:17:56.0906 3104 swenum - ok 12:17:56.0968 3104 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 12:17:56.0968 3104 swmidi - ok 12:17:57.0078 3104 symc810 - ok 12:17:57.0156 3104 symc8xx - ok 12:17:57.0265 3104 SymDS (9bbeb8c6258e72d62e7560e6667aad39) C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMDS.SYS 12:17:57.0281 3104 SymDS - ok 12:17:57.0421 3104 SymEFA (d5c02629c02a820a7e71bca3d44294a3) C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMEFA.SYS 12:17:57.0453 3104 SymEFA - ok 12:17:57.0609 3104 SymEvent (ab33c3b196197ca467cbdda717860dba) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS 12:17:57.0609 3104 SymEvent - ok 12:17:57.0671 3104 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) C:\WINDOWS\system32\drivers\N360\0501000.01D\Ironx86.SYS 12:17:57.0671 3104 SymIRON - ok 12:17:57.0828 3104 SYMTDI (dec35ccaf7a222df918306cd2fdfbd39) C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMTDI.SYS 12:17:57.0828 3104 SYMTDI - ok 12:17:57.0890 3104 sym_hi - ok 12:17:57.0953 3104 sym_u3 - ok 12:17:58.0015 3104 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 12:17:58.0015 3104 sysaudio - ok 12:17:58.0125 3104 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 12:17:58.0156 3104 Tcpip - ok 12:17:58.0281 3104 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 12:17:58.0281 3104 TDPIPE - ok 12:17:58.0390 3104 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 12:17:58.0390 3104 TDTCP - ok 12:17:58.0468 3104 TermDD (88155247177638048422893737429d9e) 
C:\WINDOWS\system32\DRIVERS\termdd.sys 12:17:58.0468 3104 TermDD - ok 12:17:58.0640 3104 TosIde - ok 12:17:58.0796 3104 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 12:17:58.0812 3104 Udfs - ok 12:17:58.0828 3104 ultra - ok 12:17:58.0890 3104 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys 12:17:58.0921 3104 Update - ok 12:17:59.0031 3104 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys 12:17:59.0031 3104 usbccgp - ok 12:17:59.0109 3104 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys 12:17:59.0109 3104 usbehci - ok 12:17:59.0265 3104 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys 12:17:59.0265 3104 usbhub - ok 12:17:59.0359 3104 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys 12:17:59.0359 3104 usbprint - ok 12:17:59.0421 3104 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys 12:17:59.0421 3104 usbscan - ok 12:17:59.0468 3104 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 12:17:59.0468 3104 usbstor - ok 12:17:59.0593 3104 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 12:17:59.0593 3104 usbuhci - ok 12:17:59.0656 3104 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys 12:17:59.0656 3104 VgaSave - ok 12:17:59.0687 3104 ViaIde - ok 12:17:59.0843 3104 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys 12:17:59.0843 3104 VolSnap - ok 12:17:59.0906 3104 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys 12:17:59.0906 3104 Wanarp - ok 12:18:00.0015 3104 WDICA - ok 12:18:00.0046 3104 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys 12:18:00.0046 3104 wdmaud - ok 12:18:00.0171 3104 WLNdis50 (bb2c5a7a555b387b85481b8bde5370d7) 
C:\WINDOWS\system32\DRIVERS\wlndis50.sys
12:18:00.0171 3104 WLNdis50 - ok
12:18:00.0296 3104 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
12:18:00.0437 3104 \Device\Harddisk0\DR0 - ok
12:18:00.0453 3104 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk5\DR6
12:18:00.0453 3104 \Device\Harddisk5\DR6 - ok
12:18:00.0484 3104 Boot (0x1200) (ce55fe2f43291c73699488ff6f2f7634) \Device\Harddisk0\DR0\Partition0
12:18:00.0484 3104 \Device\Harddisk0\DR0\Partition0 - ok
12:18:00.0484 3104 Boot (0x1200) (64289b240cf4cae5179c119011a2a3ad) \Device\Harddisk5\DR6\Partition0
12:18:00.0500 3104 \Device\Harddisk5\DR6\Partition0 - ok
12:18:00.0500 3104 ============================================================
12:18:00.0500 3104 Scan finished
12:18:00.0500 3104 ============================================================
12:18:00.0515 2348 Detected object count: 2
12:18:00.0515 2348 Actual detected object count: 2
12:18:45.0109 2348 HKLM\SYSTEM\ControlSet001\services\bfa689f - will be deleted on reboot
12:18:45.0109 2348 HKLM\SYSTEM\ControlSet002\services\bfa689f - will be deleted on reboot
12:18:45.0109 2348 C:\WINDOWS\2674457099:4094007136.exe - will be deleted on reboot
12:18:45.0109 2348 bfa689f ( Rootkit.Win32.PMax.gen ) - User select action: Delete
12:18:45.0859 2348 Backup copy found, using it..
12:18:46.0000 2348 C:\WINDOWS\system32\DRIVERS\ipsec.sys - will be cured on reboot
12:18:46.0000 2348 IPSec ( Rootkit.Win32.ZAccess.aml ) - User select action: Cure
12:18:57.0687 1208 Deinitialize success
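A small triage script for a TDSSKiller log in the format posted above (an added example; it is not part of the thread and not TDSSKiller's own code). It parses the `<time> <pid> <message>` lines, separates the hashed objects from the verdicts and the user-selected actions, and surfaces the two things a responder wants to see at a glance: any path that is an NTFS alternate data stream (a second colon after the drive letter, as in the `C:\WINDOWS\2674457099:4094007136.exe` entry the log marks for deletion) and whether the boot code hashed from each disk is identical. The embedded log is a constructed excerpt modelled on the post, and the function names are my own.

```python
"""Triage a TDSSKiller log: hashed objects, verdicts, actions, ADS paths, MBR hashes.

Added example, not code from the thread or from TDSSKiller.
"""
import re

# Constructed excerpt in TDSSKiller's "<time> <pid> <message>" line format,
# modelled on the log posted above (a handful of lines, not the full log).
SAMPLE_LOG = r"""
12:17:58.0125 3104 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
12:17:58.0156 3104 Tcpip - ok
12:18:00.0296 3104 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
12:18:00.0437 3104 \Device\Harddisk0\DR0 - ok
12:18:00.0453 3104 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk5\DR6
12:18:00.0453 3104 \Device\Harddisk5\DR6 - ok
12:18:00.0515 2348 Detected object count: 2
12:18:45.0109 2348 HKLM\SYSTEM\ControlSet001\services\bfa689f - will be deleted on reboot
12:18:45.0109 2348 C:\WINDOWS\2674457099:4094007136.exe - will be deleted on reboot
12:18:45.0109 2348 bfa689f ( Rootkit.Win32.PMax.gen ) - User select action: Delete
12:18:46.0000 2348 C:\WINDOWS\system32\DRIVERS\ipsec.sys - will be cured on reboot
12:18:46.0000 2348 IPSec ( Rootkit.Win32.ZAccess.aml ) - User select action: Cure
"""

LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\d+)\s+(.*)$")
# "<name> [(0xNNN)] (<md5>) <path>": a hashed driver, MBR or boot sector.
OBJECT = re.compile(
    r"^(?P<name>\S+(?: \(0x[0-9A-Fa-f]+\))?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$"
)
# "<target> - ok" or "<target> - will be deleted|cured on reboot".
VERDICT = re.compile(
    r"^(?P<target>.+?) - (?P<verdict>ok|will be (?:deleted|cured) on reboot)$"
)
# "<name> ( <family> ) - User select action: <action>".
ACTION = re.compile(
    r"^(?P<name>\S+) \( (?P<family>[^)]+?) \) - User select action: (?P<action>\w+)$"
)
# A colon after the drive letter's own colon marks an NTFS alternate data stream.
ADS = re.compile(r"^[A-Za-z]:\\.*:[^\\]*$")


def parse(log_text):
    """Yield (time, pid, message) for each well-formed line; skip anything else."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)


def triage(log_text):
    """Reduce a TDSSKiller log to the facts a responder acts on."""
    objects = []      # (name, md5, path) for every hashed object
    cleared = set()   # targets that received "- ok"
    pending = []      # (target, verdict) for delete/cure-on-reboot lines
    actions = []      # (name, family, action) for detections
    ads_paths = []    # paths that live in an alternate data stream
    mbr = {}          # device -> md5 of the MBR code bytes

    for _time, _pid, msg in parse(log_text):
        m = ACTION.match(msg)
        if m:
            actions.append((m["name"], m["family"], m["action"]))
            continue
        m = VERDICT.match(msg)
        if m:
            if m["verdict"] == "ok":
                cleared.add(m["target"])
            else:
                pending.append((m["target"], m["verdict"]))
            if ADS.match(m["target"]):
                ads_paths.append(m["target"])
            continue
        m = OBJECT.match(msg)
        if m:
            objects.append((m["name"], m["md5"], m["path"]))
            if m["name"].startswith("MBR"):
                mbr[m["path"]] = m["md5"]

    # Hashed objects that never got an "ok", by driver name or by device path.
    unverified = [(name, path) for name, _md5, path in objects
                  if name not in cleared and path not in cleared]
    return {"objects": objects, "pending": pending, "actions": actions,
            "ads_paths": ads_paths, "mbr": mbr, "unverified": unverified}


def report(t):
    """Render the triage result as plain text lines."""
    lines = []
    for device, md5 in sorted(t["mbr"].items()):
        lines.append(f"MBR {device} code md5={md5}")
    if len(t["mbr"]) > 1 and len(set(t["mbr"].values())) == 1:
        lines.append("note: identical MBR code on all disks")
    for name, family, action in t["actions"]:
        lines.append(f"DETECTED {name}: {family} -> {action}")
    for target, verdict in t["pending"]:
        lines.append(f"PENDING {target}: {verdict}")
    for path in t["ads_paths"]:
        lines.append(f"ADS {path}: object stored in an alternate data stream")
    for name, path in t["unverified"]:
        lines.append(f"UNVERIFIED {name} ({path}): hashed but never marked ok")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run it against a saved TDSSKiller log by passing the file's contents to `triage()`. The ADS check is the one worth keeping around: a file referenced as `<dir>:<stream>.exe` is invisible to a normal directory listing, which is why the "randomly generated exe" in the first post kept coming back until a tool that enumerates streams dealt with it.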
LoPhatPhuud (reply to plinkerman): Download ComboFix from one of these locations:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.infospyware.net/antimalware/combofix/
* IMPORTANT !!! Save ComboFix.exe to your Desktop
[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
[*]Double click on ComboFix.exe & follow the prompts.
[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Give it at least 20-30 minutes to finish if needed.
-- When angry count four; when very angry, swear. Microsoft MVP/Consumer Security 2005-2011 Gladiator Security Forum

plinkerman: I downloaded, installed, and ran ComboFix. It gave me a message that a ZeroAccess rootkit was in the TCP/IP stack. It is still blocking apps that download through other methods than http. It is still blocking rights on some system functions and antivirus programs.
Here is the log file:
ComboFix 11-11-03.05 - Daddy 11/03/2011 22:37:46.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2551.2226 [GMT -4:00]
Running from: c:\documents and settings\Daddy\Desktop\ComboFix.exe
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\documents and settings\Daddy\Start Menu\Programs\Startup\Shortcut to wn111.exe.lnk
c:\documents and settings\Daddy\WINDOWS
c:\windows\$NtUninstallKB40090$
c:\windows\$NtUninstallKB40090$\200960159\@
c:\windows\$NtUninstallKB40090$\200960159\L\iieeiaid
c:\windows\$NtUninstallKB40090$\200960159\loader.tlb
c:\windows\$NtUninstallKB40090$\200960159\U\@00000001
c:\windows\$NtUninstallKB40090$\200960159\U\@000000c0
c:\windows\$NtUninstallKB40090$\200960159\U\@000000cb
c:\windows\$NtUninstallKB40090$\200960159\U\@000000cf
c:\windows\$NtUninstallKB40090$\200960159\U\@80000000
c:\windows\$NtUninstallKB40090$\200960159\U\@800000c0
c:\windows\$NtUninstallKB40090$\200960159\U\@800000cb
c:\windows\$NtUninstallKB40090$\200960159\U\@800000cf
c:\windows\$NtUninstallKB40090$\40791424
c:\windows\system32\
J:\autorun.inf

((((((((((((((((((((((((( Files Created from 2011-10-04 to 2011-11-04 )))))))))))))))))))))))))))))))

2011-11-02 23:43 . 2011-11-02 23:43 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-11-02 18:02 . 2011-11-02 18:02 -------- d-----w- c:\program files\ESET
2011-11-02 15:23 . 2011-11-02 15:23 -------- d-----w- c:\program files\Trend Micro
2011-11-01 22:28 . 2011-11-02 00:28 -------- d-----w- c:\documents and settings\Administrator
2011-11-01 21:35 . 2011-11-01 21:35 -------- d-----w- c:\documents and settings\Daddy\Local Settings\Application Data\Symantec
2011-11-01 02:46 . 2011-11-01 02:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-11-01 02:25 . 2011-11-01 02:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-11-01 02:19 . 2011-11-01 02:19 -------- d-sh--w- c:\documents and settings\Daddy\Local Settings\Application Data\0bfa689f
2011-11-01 01:54 . 2006-02-07 19:45 757760 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
2011-11-01 01:54 . 2006-02-07 19:40 204800 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
2011-11-01 01:54 . 2006-02-07 19:40 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
2011-11-01 01:54 . 2006-02-07 19:40 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
2011-11-01 01:54 . 2011-11-01 01:54 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2011-11-01 01:54 . 2011-11-01 01:54 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2011-11-01 01:12 . 2011-11-01 01:34 -------- d-----w- c:\program files\Buccaneer - The Pursuit OF Infamy
2011-10-28 14:28 . 2011-10-28 14:28 -------- d-----w- c:\program files\WMV9_VCM
2011-10-28 14:25 . 2007-03-15 20:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2011-10-28 14:25 . 2007-03-12 20:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2011-10-28 14:25 . 2007-03-12 20:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2011-10-28 14:25 . 2007-01-24 19:27 255848 ----a-w- c:\windows\system32\xactengine2_6.dll
2011-10-28 14:25 . 2006-12-08 16:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2011-10-28 14:25 . 2007-03-05 16:42 15128 ----a-w- c:\windows\system32\x3daudio1_1.dll
2011-10-28 14:25 . 2006-11-29 17:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2011-10-28 14:25 . 2006-09-28 20:05 237848 ----a-w- c:\windows\system32\xactengine2_4.dll
2011-10-28 14:25 . 2006-09-28 20:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2011-10-28 14:05 . 2011-10-28 14:05 -------- d-----w- c:\windows\Logs
2011-10-18 13:25 . 2011-10-18 13:25 -------- d-----w- c:\documents and settings\Daddy\Application Data\Image Zone Express
2011-10-13 17:30 . 2011-10-13 20:54 -------- d-----w- c:\documents and settings\Ryan
2011-10-13 15:19 . 2011-10-13 15:19 -------- d-----w- c:\documents and settings\Stuart

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-11-02 16:19 . 2008-04-13 23:49 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-11-01 02:24 . 2008-05-16 18:01 159812 ----a-w- c:\windows\system32\nvsvc32.exe
2011-10-29 00:05 . 2011-09-02 16:14 279712 ----a-w- c:\windows\system32\drivers\atksgt.sys
2011-10-29 00:05 . 2011-09-02 16:14 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2011-10-09 11:29 . 2011-08-24 22:38 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2001-08-23 11:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2001-08-23 11:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2008-04-14 04:41 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2008-04-14 00:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 21:00 . 2011-09-02 09:22 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-29 01:55 . 2011-08-29 01:55 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-08-29 01:55 . 2011-08-29 01:55 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-08-28 00:38 . 2011-08-28 00:38 65536 ----a-r- c:\documents and settings\Daddy\Application Data\Microsoft\Installer\{64893225-ADBA-469E-B114-F3B2C1FBBA77}\NewShortcut7_64893225ADBA469EB114F3B2C1FBBA77.exe
2011-08-28 00:38 . 2011-08-28 00:38 65536 ----a-r- c:\documents and settings\Daddy\Application Data\Microsoft\Installer\{64893225-ADBA-469E-B114-F3B2C1FBBA77}\NewShortcut4_64893225ADBA469EB114F3B2C1FBBA77.exe
2011-08-28 00:38 . 2011-08-28 00:38 65536 ----a-r- c:\documents and settings\Daddy\Application Data\Microsoft\Installer\{64893225-ADBA-469E-B114-F3B2C1FBBA77}\Manual_UK_64893225ADBA469EB114F3B2C1FBBA77.exe
2011-08-28 00:38 . 2011-08-28 00:38 65536 ----a-r- c:\documents and settings\Daddy\Application Data\Microsoft\Installer\{64893225-ADBA-469E-B114-F3B2C1FBBA77}\Manual_FR_64893225ADBA469EB114F3B2C1FBBA77.exe
2011-08-28 00:38 . 2011-08-28 00:38 65536 ----a-r- c:\documents and settings\Daddy\Application Data\Microsoft\Installer\{64893225-ADBA-469E-B114-F3B2C1FBBA77}\Manual_DE_64893225ADBA469EB114F3B2C1FBBA77.exe
2011-08-28 00:38 . 2011-08-28 00:38 45056 ----a-r- c:\documents and settings\Daddy\Application Data\Microsoft\Installer\{64893225-ADBA-469E-B114-F3B2C1FBBA77}\S11Launcher.exeE_64893225ADBA469EB114F3B2C1FBBA77.exe
2011-08-28 00:38 . 2011-08-28 00:38 45056 ----a-r- c:\documents and settings\Daddy\Application Data\Microsoft\Installer\{64893225-ADBA-469E-B114-F3B2C1FBBA77}\S11Launcher.exe_64893225ADBA469EB114F3B2C1FBBA77.exe
2011-08-24 15:39 . 2011-08-24 15:39 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-08-22 23:48 . 2008-04-14 04:42 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2008-04-14 04:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 23:48 . 2008-04-14 04:41 43520 ------w- c:\windows\system32\licmgr10.dll
2011-08-22 11:56 . 2008-04-13 23:07 385024 ------w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2008-04-13 23:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-01 00:34 . 2011-08-24 17:33 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1492456]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-05-17 23:40 1492456 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1492456]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1492456]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="c:\program files\Utilities\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 86016]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 2807808]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApnUpdater]
2011-05-17 23:40 395240 ----a-w- c:\program files\Ask.com\Updater\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 18:01 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Buccaneer - The Pursuit OF Infamy\\T3D.exe"=
"c:\\Games\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Games\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Games\\Neverwinter Nights 2\\nwn2server.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SymDS.sys [8/28/2011 9:55 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\SymEFA.sys [8/28/2011 9:55 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111014.001\BHDrvx86.sys [10/14/2011 7:10 PM 818808]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\Ironx86.sys [8/28/2011 9:55 PM 136312]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [8/24/2011 11:39 AM 20480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2011 7:25 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20111028.030\IDSXpx86.sys [10/28/2011 9:20 PM 356280]
S2 EraserSvc11113;Symantec Eraser Service;c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [8/28/2011 9:55 PM 130008]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [8/28/2011 9:55 PM 130008]
S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-421PC_TEW-423PI\WLSVC.exe [8/24/2011 11:39 AM 167936]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

Contents of the 'Scheduled Tasks' folder

2011-11-04 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-05-17 23:40]

------- Supplementary Scan -------

uStart Page = about:blank
TCP: DhcpNameServer = 192.168.2.1 74.128.19.102 74.128.17.114
FF - ProfilePath - c:\documents and settings\Daddy\Application Data\Mozilla\Firefox\Profiles\z93ptgh3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en

- - - - ORPHANS REMOVED - - - -

SafeBoot-36504566.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, www.gmer.net
Rootkit scan 2011-11-03 22:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-682003330-1644491937-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2212)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

------------------------ Other Running Processes ------------------------

c:\windows\system32\nvsvc32.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\windows\system32\RUNDLL32.EXE

**************************************************************************

Completion time: 2011-11-03 22:50:08 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-04 02:50

Pre-Run: 15,869,263,872 bytes free
Post-Run: 15,973,158,912 bytes free

- - End Of File - - 9B4FED28674720D7B7FA2F450DE80175
Again. Thank you for helping me!
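A timeline pass over the ComboFix "Files Created" and "Find3M" entries, as an added example (it is not part of the thread and not ComboFix's own code). ComboFix prints each entry as `<modified> . <created> <size> <attrs> <path>`; the script parses that shape and, within an assumed incident window, flags two leads: a file under `c:\windows` that was created long before the window but modified inside it (an in-place patch of an existing binary, which is how a driver such as the `ipsec.sys` entry in the log above comes to carry rootkit code), and any new object created with the hidden+system attribute bits, as the `0bfa689f` directory was. Legitimate updates also rewrite old system files (the `win32k.sys` and `afd.sys` entries are dated to earlier patch cycles), so a hit is something to confirm with a hash or signature check, not a verdict. The sample entries are a constructed excerpt of the posted log, and the window dates and function names are my own assumptions.

```python
"""Flag suspicious entries in ComboFix "Files Created" / "Find3M" listings.

Added example, not code from the thread or from ComboFix.
"""
import re
from datetime import datetime, timedelta

# Constructed excerpt in ComboFix's entry format
# "<modified> . <created> <size|--------> <attrs> <path>", modelled on the posted log.
SAMPLE_ENTRIES = r"""
2011-11-02 23:43 . 2011-11-02 23:43 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-11-02 18:02 . 2011-11-02 18:02 -------- d-----w- c:\program files\ESET
2011-11-01 02:19 . 2011-11-01 02:19 -------- d-sh--w- c:\documents and settings\Daddy\Local Settings\Application Data\0bfa689f
2011-11-02 16:19 . 2008-04-13 23:49 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-11-01 02:24 . 2008-05-16 18:01 159812 ----a-w- c:\windows\system32\nvsvc32.exe
2011-09-06 13:20 . 2008-04-14 00:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-17 13:49 . 2008-04-13 23:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
"""

# Assumed incident window: first symptoms reported on 11/1, cleanup attempts through 11/2.
WINDOW_START = datetime(2011, 11, 1)
WINDOW_END = datetime(2011, 11, 3)

ENTRY = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
STAMP = "%Y-%m-%d %H:%M"
SYSTEM_PREFIXES = ("c:\\windows\\",)


def parse_entries(text):
    """Parse ComboFix file entries; lines that are not entries are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        entries.append({
            "mtime": datetime.strptime(m["mtime"], STAMP),
            "ctime": datetime.strptime(m["ctime"], STAMP),
            "size": int(m["size"]) if m["size"].isdigit() else None,  # None for directories
            "attrs": m["attrs"],   # e.g. "d-sh--w-": directory, system, hidden
            "path": m["path"],
        })
    return entries


def flag_entries(entries, window_start, window_end, min_age=timedelta(days=365)):
    """Return (path, reason) for entries modified inside the window that match a lead."""
    hits = []
    for e in entries:
        if not (window_start <= e["mtime"] <= window_end):
            continue
        flags = e["attrs"][:5]                      # the d/s/h/a flag positions
        hidden_system = "h" in flags and "s" in flags
        in_system = e["path"].lower().startswith(SYSTEM_PREFIXES)
        if in_system and e["ctime"] <= window_start - min_age:
            hits.append((e["path"], "pre-existing system file modified in window"))
        elif hidden_system:
            hits.append((e["path"], "hidden+system object created in window"))
    return hits


def triage_sample():
    """Run the check over the embedded sample with the assumed window."""
    return flag_entries(parse_entries(SAMPLE_ENTRIES), WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for path, reason in triage_sample():
        print(f"{reason}: {path}")
```

For a real log, paste the "Files Created" and "Find3M" sections into `parse_entries()` and set the window from the first day symptoms appeared; the point of the age threshold is to separate a freshly installed file (new created timestamp, as with `CmdLineExt.dll`) from an old one that something rewrote in place.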
LoPhatPhuud (reply to plinkerman): Let's see if we can get rid of the rootkit. I'll check the ComboFix log while you are doing this.
Download and run Sophos AntiRootkit. Post the log in this thread, even if nothing is found.
You'll find link(s) and instructions here: Security Cleanup FAQ » Rootkit Detection Applications

plinkerman: OK. Downloaded, installed and ran Sophos Anti-Rootkit.
Sarscan.log:
Sophos Anti-Rootkit Version 1.5.20 (c) 2009 Sophos Plc
Started logging on 11/5/2011 at 16:27:22 PM
User "Daddy" on computer "COMPUTER_1"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\System Volume Information\_restore{C6DA69C9-97D4-4494-ADFD-0C2362760EE9}\RP48\A0068566.sys
Hidden: file C:\Program Files\TRENDnet\TEW-421PC_TEW-423PI\
Hidden: file C:\Program Files\Internet Explorer\
Info: Starting disk scan of J: (NTFS).
Hidden: file J:\Downloads\Audiobooks\Stephen R Covey Audiobook Collection\Stephen R Covey - Focus - Achieving Your Highest Priorities [The NEW Workshop to Help You Focus On and Execute Top Priorities] [3 Hrs 11 Min]\Steven Covey - Focus - Achieving Your Highest Priorities.jpg
Stopped logging on 11/5/2011 at 16:52:40 PM
Sarclean.log:
SophosBootTasks version 1.5.20 initialising
Processing tasks
Reading information for task 0
Deleting file \Device\HarddiskVolume1\System Volume Information\_restore{C6DA69C9-97D4-4494-ADFD-0C2362760EE9}\RP48\A0068566.sys
Reading information for task 1
Deleting file \Device\HarddiskVolume1\Program Files\TRENDnet\TEW-421PC_TEW-423PI\
Reading information for task 2
Deleting file \Device\HarddiskVolume1\Program Files\Internet Explorer\
Reading information for task 3
Deleting file \Device\HarddiskVolume2\Downloads\Audiobooks\Stephen R Covey Audiobook Collection\Stephen R Covey - Focus - Achieving Your Highest Priorities [The NEW Workshop to Help You Focus On and Execute Top Priorities] [3 Hrs 11 Min]\Steven Covey - Focus - Achieving Your Highest Priorities.jpg
Error resetting read only attribute (0xC000003A)
ActionBootTasks completed
SophosBootTasks completed
I went ahead and removed the things that were found. Software can be reinstalled and one system restore file doesn't matter, if the TCP/IP stack is infected.
Thank you for your time and patience with this problem.

plinkerman
LoPhatPhuud (reply to plinkerman): There are a couple of infected files still on your system that nothing is removing so far. At least one affects the TCP/IP stack. The OTL logs show mswsock.dll missing, and it may be corrupted as well. Also, the IPsec file is corrupted.
At this point, it's guesswork as to how much has actually been infected. The only recommendation I can make that will give you a stable system is to reformat and reload.
Make sure you back up all your pertinent data first.
Sorry it did not turn out better.
Addendum: You may want to read this article by our own CalamityJane. It may help to explain why I recommend reformatting.
Security Cleanup FAQ » Noteworthy Comments About Compromised Computers

plinkerman: I kind of figured it would come to that. Thanks a lot for your help. May your next case be much easier.