DarthSaruman
Before Me You Tremble

join:2002-06-28
Warren, MI

[Rootkit] Rootkit computer 2

Hello, I spoke with LH earlier and she told me to tell you that I ran TDSS. I ran that yesterday because I was having an issue running mbam and it found "Backdoor.Win32.Sinowal.knf". I ran the cure and rebooted and ran it again and it showed nothing... it produced no log file (sorry). So, today I ran gmer to see if it found anything else and it found this: type: disk, name: device\harddisk0\DR0 and value: malicious win32:MBRoot code @ sector 156296388.
I have all the logs for this computer...here they go:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.30.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
slayerman1 :: MASTER [administrator]

12/30/2011 5:31:29 PM
mbam-log-2011-12-30 (17-31-29).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205839
Time elapsed: 32 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
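
The gmer line in the post above ("malicious win32:MBRoot code @ sector 156296388") is the kind of finding worth verifying by hand rather than taking on trust. Sector 156296388 × 512 bytes is about 80.0 GB (74.5 GiB), so on an 80 GB disk it sits in the last few thousand sectors, behind the end of the last partition; MBR bootkits of the Sinowal/Mebroot family patch the bootstrap code in sector 0 and keep their driver in exactly that kind of unpartitioned space. The Python below is an added example, not code from this thread or from gmer/TDSSKiller: it parses an MBR, hashes the bootstrap code against a baseline, and reports where a suspect LBA falls relative to the partition table. The boot-code stubs, the 156301488-sector disk geometry and the single-partition layout are constructed assumptions; only the reported LBA is taken from the post.

```python
"""Inspect an MBR and locate a reported sector (added example, not from the thread)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the bootstrap code a bootkit patches
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba_start, lba_len) tuples."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (bootable, ptype, start, length) in enumerate(partitions):
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, LBA length
        struct.pack_into("<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\xfe\xff\xff", ptype,
                         b"\xfe\xff\xff", start, length)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr):
    """Return (sha256 of the boot code, list of non-empty partition entries)."""
    if len(mbr) != SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR: bad length or missing 55AA signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, length = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": start, "lba_end": start + length - 1})
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(), parts


def classify_sector(lba, parts, disk_sectors):
    """Where does a reported LBA fall: inside a partition, unpartitioned, or off the disk?"""
    if lba >= disk_sectors:
        return "beyond end of disk"
    for p in parts:
        if p["lba_start"] <= lba <= p["lba_end"]:
            return f"inside partition {p['index']}"
    return "unpartitioned space"


def check_mbr(mbr, known_good_hash, suspect_lba, disk_sectors):
    """Compare the boot code to a baseline hash and locate the suspect sector."""
    code_hash, parts = parse_mbr(mbr)
    return {"boot_code_modified": code_hash != known_good_hash,
            "suspect_sector_location": classify_sector(suspect_lba, parts, disk_sectors),
            "partitions": parts}


# Constructed sample data (assumptions, not values from the thread, except the reported
# LBA): a harmless stub as "clean" boot code, the same stub with its entry jump diverted,
# and an 80 GB disk (156301488 sectors) holding one NTFS partition.
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 32
PATCHED_CODE = b"\xeb\x3c" + CLEAN_CODE[2:]
DISK_SECTORS = 156_301_488
PARTITIONS = [(True, 0x07, 63, 156_280_257)]   # LBA 63 .. 156280319
REPORTED_LBA = 156_296_388                       # sector named in the gmer finding


def demo():
    """Run the check on the clean image and on the patched one; return both results."""
    clean = build_mbr(CLEAN_CODE, PARTITIONS)
    baseline, _ = parse_mbr(clean)      # the hash a pre-infection baseline would record
    patched = build_mbr(PATCHED_CODE, PARTITIONS)
    return (check_mbr(clean, baseline, REPORTED_LBA, DISK_SECTORS),
            check_mbr(patched, baseline, REPORTED_LBA, DISK_SECTORS))


if __name__ == "__main__":
    for name, result in zip(("clean", "patched"), demo()):
        print(f"{name}: boot code modified={result['boot_code_modified']}, "
              f"sector {REPORTED_LBA} is {result['suspect_sector_location']}")
```

Two caveats when doing this on a real machine: an active MBR rootkit typically filters reads of sector 0 and hands back a clean copy, so take the 512 bytes from an offline image or after booting clean media rather than through the infected OS; and get the real sector count from the device (on Windows, IOCTL_DISK_GET_LENGTH_INFO against \\.\PhysicalDrive0) rather than from a volume's reported size, since the payload lives precisely in the space no volume accounts for.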

DarthSaruman
Before Me You Tremble

join:2002-06-28
Warren, MI

OTL logfile created on: 12/30/2011 6:41:35 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\slayerman1\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.49 Mb Total Physical Memory | 632.98 Mb Available Physical Memory | 61.85% Memory free
2.40 Gb Paging File | 2.14 Gb Available in Paging File | 89.15% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 24.41 Gb Total Space | 15.29 Gb Free Space | 62.61% Space Free | Partition Type: NTFS
Drive E: | 50.11 Gb Total Space | 47.07 Gb Free Space | 93.93% Space Free | Partition Type: NTFS
Drive Z: | 74.47 Gb Total Space | 54.35 Gb Free Space | 72.98% Space Free | Partition Type: NTFS

Computer Name: MASTER | User Name: slayerman1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/30 18:21:09 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\slayerman1\Desktop\OTL.exe
PRC - [2011/06/15 14:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/03/14 11:05:02 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe

========== Modules (No Company Name) ==========

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2005/03/14 11:05:02 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)

========== Driver Services (SafeList) ==========

DRV - [2011/12/30 09:38:22 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{87F2E821-3C9A-4A5A-9AA4-6BAD520F1CC8}\MpKslf85264e4.sys -- (MpKslf85264e4)
DRV - [2011/12/30 09:02:18 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{87F2E821-3C9A-4A5A-9AA4-6BAD520F1CC8}\MpKsl69d6621d.sys -- (MpKsl69d6621d)
DRV - [2008/04/13 23:15:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2002/08/28 17:59:12 | 000,036,224 | ---- | M] (ADMtek Incorporated.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\an983.sys -- (AN983)
DRV - [2002/07/24 12:52:26 | 000,998,004 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2002/07/19 09:48:32 | 000,156,604 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2002/07/19 09:48:22 | 000,213,860 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2002/07/19 09:48:08 | 000,011,068 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2002/07/19 09:48:04 | 000,195,432 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2002/07/19 09:47:52 | 000,837,548 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2002/07/19 09:46:28 | 000,127,948 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2001/08/31 08:37:58 | 000,036,992 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sfman.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2001/08/17 07:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)
DRV - [2001/08/14 10:17:52 | 000,775,296 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emu10k1f.sys -- (emu10k) Creative SB Live! series(WDM)
DRV - [2001/07/11 06:34:52 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctlface.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [1999/12/17 00:00:00 | 000,006,752 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\PFMODNT.SYS -- (PfModNT)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = »www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: E:\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 7.0.1\extensions\\Components: E:\Mozilla Thunderbird\components [2011/11/20 14:41:28 | 000,000,000 | ---D | M]

[2011/09/24 11:22:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\slayerman1\Application Data\Mozilla\Extensions

O1 HOSTS File: ([2003/03/31 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = _ [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: =
O8 - Extra context menu item: E&xport to Microsoft Excel - E:\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: microsoft.com ([www.update] http in Trusted sites)
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} »quickscan.bitdefender.com/qsax/qsax.cab (BitDefender QuickScan Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} »windowsupdate.microsoft.com/wind···35599176 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} »download.eset.com/special/eos/On···nner.cab (OnlineScanner Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} »fpdownload2.macromedia.com/get/s···lash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.233.217.3 64.233.217.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F117E8C2-F617-4367-9019-6084DFB1035C}: DhcpNameServer = 64.233.217.3 64.233.217.5
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/09/22 16:28:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/30 18:21:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\slayerman1\Application Data\QuickScan
[2011/12/30 18:20:46 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\slayerman1\Desktop\OTL.exe
[2011/12/30 16:49:48 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\slayerman1\Desktop\RootRepeal.exe
[2011/12/30 09:37:04 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\slayerman1\Recent
[2011/12/29 19:02:43 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/12/29 16:48:06 | 001,578,288 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\slayerman1\Desktop\TDSSKiller.exe
[2011/12/29 16:48:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\slayerman1\Local Settings\Application Data\jZip
[2011/12/03 09:45:48 | 003,552,208 | ---- | C] (Piriform Ltd) -- C:\Documents and Settings\slayerman1\My Documents\ccsetup313.exe
[2011/09/23 18:09:25 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll

========== Files - Modified Within 30 Days ==========

[2011/12/30 18:21:10 | 000,879,683 | ---- | M] () -- C:\Documents and Settings\slayerman1\Desktop\SecurityCheck.exe
[2011/12/30 18:21:09 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\slayerman1\Desktop\OTL.exe
[2011/12/30 16:49:10 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/30 09:38:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/30 09:38:03 | 000,150,792 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/30 09:37:29 | 000,029,808 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000000-00000000-0000000F-00001102-00000002-80641102}.rfx
[2011/12/30 09:37:29 | 000,029,808 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000000-00000000-0000000F-00001102-00000002-80641102}.rfx
[2011/12/30 09:37:29 | 000,017,500 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000000-00000000-0000000F-00001102-00000002-80641102}.rfx
[2011/12/30 09:37:29 | 000,017,500 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000000-00000000-0000000F-00001102-00000002-80641102}.rfx
[2011/12/30 09:37:29 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2011/12/30 09:37:29 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2011/12/30 09:37:29 | 000,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000000-00000000-0000000F-00001102-00000002-80641102}.dat
[2011/12/30 09:37:29 | 000,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000000-00000000-0000000F-00001102-00000002-80641102}.dat
[2011/12/29 15:55:50 | 001,558,406 | ---- | M] () -- C:\Documents and Settings\slayerman1\Desktop\tdsskiller.zip
[2011/12/29 15:49:57 | 000,000,544 | ---- | M] () -- C:\Documents and Settings\slayerman1\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2011/12/27 14:09:16 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2011/12/23 14:52:26 | 001,578,288 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\slayerman1\Desktop\TDSSKiller.exe
[2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/12/03 09:46:08 | 003,552,208 | ---- | M] (Piriform Ltd) -- C:\Documents and Settings\slayerman1\My Documents\ccsetup313.exe

========== Files Created - No Company Name ==========

[2011/12/30 18:20:52 | 000,879,683 | ---- | C] () -- C:\Documents and Settings\slayerman1\Desktop\SecurityCheck.exe
[2011/12/30 16:50:03 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\slayerman1\Desktop\gmer.exe
[2011/12/30 09:38:03 | 000,150,792 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/29 15:55:37 | 001,558,406 | ---- | C] () -- C:\Documents and Settings\slayerman1\Desktop\tdsskiller.zip
[2011/12/29 15:49:57 | 000,000,544 | ---- | C] () -- C:\Documents and Settings\slayerman1\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2011/10/08 10:15:59 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\slayerman1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/09/24 11:18:24 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/09/23 18:56:36 | 000,000,024 | ---- | C] () -- C:\WINDOWS\System32\DVCStateBkp-{00000000-00000000-0000000F-00001102-00000002-80641102}.dat
[2011/09/23 18:56:36 | 000,000,024 | ---- | C] () -- C:\WINDOWS\System32\DVCState-{00000000-00000000-0000000F-00001102-00000002-80641102}.dat
[2011/09/23 18:09:28 | 000,037,727 | ---- | C] () -- C:\WINDOWS\System32\Emu10kx.ini
[2011/09/23 18:09:28 | 000,000,029 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2011/09/23 18:09:25 | 000,184,320 | ---- | C] () -- C:\WINDOWS\PSCONV.EXE
[2011/09/23 18:09:25 | 000,179,669 | ---- | C] () -- C:\WINDOWS\System32\ctstatic.dat
[2011/09/23 18:09:25 | 000,164,044 | ---- | C] () -- C:\WINDOWS\System32\ctdlang.dat
[2011/09/23 18:09:25 | 000,113,373 | ---- | C] () -- C:\WINDOWS\System32\ctbasicw.dat
[2011/09/23 18:09:25 | 000,113,273 | ---- | C] () -- C:\WINDOWS\System32\CTBAS2W.DAT
[2011/09/23 18:09:25 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\KILLAPPS.EXE
[2011/09/23 18:09:25 | 000,044,055 | ---- | C] () -- C:\WINDOWS\System32\ctdaught.dat
[2011/09/23 18:09:25 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\REGPLIB.EXE
[2011/09/23 18:09:25 | 000,000,180 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2011/09/22 17:36:10 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2011/09/22 17:32:29 | 000,105,074 | ---- | C] () -- C:\WINDOWS\HPFins09.dat
[2011/09/22 17:32:29 | 000,003,732 | ---- | C] () -- C:\WINDOWS\hpfmdl09.dat
[2011/09/22 17:26:15 | 000,000,036 | ---- | C] () -- C:\WINDOWS\plugSpk.INI
[2011/09/22 17:22:59 | 001,048,576 | ---- | C] () -- C:\WINDOWS\System32\sfman.dat
[2011/09/22 17:22:59 | 000,000,231 | ---- | C] () -- C:\WINDOWS\ac3api.ini
[2011/09/22 17:22:23 | 000,000,129 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2011/09/22 16:31:02 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/09/22 16:25:32 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/09/22 12:17:37 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/02 13:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2003/03/31 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2003/03/31 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/03/31 07:00:00 | 000,405,342 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/03/31 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/03/31 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/03/31 07:00:00 | 000,054,560 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/03/31 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2003/03/31 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/03/31 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/03/31 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/03/31 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/07/06 15:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2011/09/24 11:35:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/09/24 09:28:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\slayerman1\Application Data\Auslogics
[2011/12/30 18:22:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\slayerman1\Application Data\QuickScan
[2011/09/24 11:22:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\slayerman1\Application Data\Thunderbird

========== Purity Check ==========


DarthSaruman
Before Me You Tremble

join:2002-06-28
Warren, MI

OTL Extras logfile created on: 12/30/2011 6:41:36 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\slayerman1\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.49 Mb Total Physical Memory | 632.98 Mb Available Physical Memory | 61.85% Memory free
2.40 Gb Paging File | 2.14 Gb Available in Paging File | 89.15% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 24.41 Gb Total Space | 15.29 Gb Free Space | 62.61% Space Free | Partition Type: NTFS
Drive E: | 50.11 Gb Total Space | 47.07 Gb Free Space | 93.93% Space Free | Partition Type: NTFS
Drive Z: | 74.47 Gb Total Space | 54.35 Gb Free Space | 72.98% Space Free | Partition Type: NTFS

Computer Name: MASTER | User Name: slayerman1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "E:\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "E:\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{0BF5FBE7-3907-4A1F-9E48-8B66E52850D6}" = TrayApp
"{0F40754C-F1FD-43df-B73E-9DA38399CDD6}" = hpf_ProductContext
"{14A67CE0-4F30-4607-885B-43EE27BAC746}" = Readme
"{1E1F1E70-14D8-4380-8652-BD1A895A7D65}" = Status
"{24BEBF2E-73F3-4599-840B-EDC612CCDD0D}" = Destinations
"{315F5FFC-1A5C-4A2A-B8E7-1C5B1174C198}_is1" = AML Free Registry Cleaner 4.22
"{34F3FCF1-817B-4D61-B6AF-19D9486AFEA0}" = Unload
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3FCAADB8-EB1B-11D6-AB2D-0090271A23A2}" = Sound Blaster Live! Web 2K/XP
"{4041C245-7099-4C96-9738-5EBC23827B3C}" = BufferChm
"{4BE53DB2-C1F2-44D1-A9AB-1630BA7F2AF1}" = SolutionCenter
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{69995C7A-062A-4A90-A4DF-8C22895DF522}" = iTunes
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7ADE9F27-A175-447F-A4B4-B05FA82735E1}" = HP Deskjet 6900 series
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{87F59A07-55EE-415E-A966-31F3D8B6B7AD}" = LP6940_Help
"{8C5FAD77-F678-4758-A296-C12F08D179E0}" = Microsoft IntelliPoint 6.2
"{8DC6CA16-9B4E-4C10-95EE-2BD91EB0290C}" = LP6940Trb
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9C209B30-F71F-4c53-8D26-453208EC8E91}" = dj6940
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{CB1F3886-AE9F-46fb-8325-6B0718989285}" = dj_taplugin
"{D03482C5-9AD8-496D-B388-692AE04C93AF}" = Bonjour
"{D7CAE58E-26DE-49B7-A75D-EAEDF76726BE}" = HP Photosmart Essential
"{DEBB2986-15B0-4D28-95FA-5C966A396589}" = HPProductAssistant
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{EC2715CE-C182-483C-84CC-81D7D914CF14}" = WebReg
"{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}" = HP Software Update
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"CCleaner" = CCleaner
"Creative Jukebox Driver" = Creative Jukebox Driver
"Creative NOMAD II Driver" = Creative NOMAD II Driver
"ESET Online Scanner" = ESET Online Scanner v3
"HP Imaging Device Functions" = HP Imaging Device Functions 6.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center and Imaging Support Tools 6.0
"ie8" = Windows Internet Explorer 8
"jZip" = jZip
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Thunderbird (7.0.1)" = Mozilla Thunderbird (7.0.1)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Display Driver" = NVIDIA Display Driver
"Sound Blaster Live!" = Sound Blaster Live!
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/30/2011 4:10:12 PM | Computer Name = MASTER | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 12/29/2011 9:26:18 PM | Computer Name = MASTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 12/29/2011 9:26:34 PM | Computer Name = MASTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 12/30/2011 10:02:12 AM | Computer Name = MASTER | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.101 for the Network Card with network
address 00045A5DC570 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 12/30/2011 10:03:31 AM | Computer Name = MASTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 12/30/2011 10:35:00 AM | Computer Name = MASTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 12/30/2011 10:37:18 AM | Computer Name = MASTER | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.

Error - 12/30/2011 10:37:18 AM | Computer Name = MASTER | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 12/30/2011 10:37:18 AM | Computer Name = MASTER | Source = Service Control Manager | ID = 7034
Description = The Pml Driver HPZ12 service terminated unexpectedly. It has done
this 1 time(s).

Error - 12/30/2011 5:49:25 PM | Computer Name = MASTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 12/30/2011 7:22:41 PM | Computer Name = MASTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
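
The MBAM log at the top of the thread repaired three Security Center notification values (each logged as Bad: (1) Good: (0)), and the Extras log above shows those values back at 0 while "EnableFirewall" = 0 still stands under the StandardProfile firewall policy. Malware that wants to stay quiet on XP turns off exactly these switches, so they are worth checking mechanically across logs instead of by eye. The script below is an added example, not part of the thread or of MBAM/OTL: it parses MBAM's "Registry Data Items" lines and OTL Extras' registry dump into (key, value-name) pairs and evaluates them against a table of expected values. The table of expected defaults is an assumption (Windows Firewall on, Security Center notifications and System Restore enabled; adjust it for a third-party firewall); the sample lines are excerpted from this thread's own logs.

```python
"""Flag Security Center / firewall tampering in MBAM and OTL Extras logs (added example)."""
import re

# Expected values on a healthy XP SP3 home system (assumption: Windows Firewall in use).
EXPECTED = {
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusDisableNotify"): 0,
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "FirewallDisableNotify"): 0,
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "UpdatesDisableNotify"): 0,
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride"): 0,
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "FirewallOverride"): 0,
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "EnableFirewall"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore", "DisableSR"): 0,
}

_OTL_KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")           # [HKEY_LOCAL_MACHINE\...]
_OTL_VAL = re.compile(r'^"([^"]+)" = (\S+)$')           # "Name" = value
_MBAM = re.compile(r"^(HK[^|]+)\|(\S+) \(([^)]+)\) -> Bad: \((-?\d+)\) Good: \((-?\d+)\) -> (.+)$")


def _norm(key):
    """Use the short hive names so MBAM and OTL keys compare equal."""
    return key.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")


def _to_int(text):
    try:
        return int(text)
    except ValueError:
        return text


def parse_otl_extras(text):
    """Map (key, value-name) -> value from an OTL Extras registry dump."""
    settings, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _OTL_KEY.match(line)
        if m:
            key = _norm(m.group(1))
            continue
        m = _OTL_VAL.match(line)
        if m and key:
            settings[(key, m.group(1))] = _to_int(m.group(2))
    return settings


def parse_mbam_registry_data(text):
    """Extract the 'Registry Data Items' lines MBAM writes when it repairs a value."""
    items = []
    for line in text.splitlines():
        m = _MBAM.match(line.strip())
        if m:
            key, name, sig, bad, good, action = m.groups()
            items.append({"key": _norm(key), "name": name, "signature": sig,
                          "bad": int(bad), "good": int(good), "action": action})
    return items


def evaluate(settings):
    """Return (key, name, observed, expected) for every monitored value that deviates."""
    return [(k, n, settings[(k, n)], exp) for (k, n), exp in EXPECTED.items()
            if (k, n) in settings and settings[(k, n)] != exp]


# Sample input excerpted from this thread's MBAM log (12/30/2011) and the OTL Extras
# "Security Center Settings" / "System Restore Settings" / "Firewall Settings" sections.
MBAM_SAMPLE = r"""
Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
"""

OTL_EXTRAS_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"""


def triage():
    """Findings before cleanup (MBAM's 'Bad' values) and after (OTL Extras' current values)."""
    before = {(i["key"], i["name"]): i["bad"] for i in parse_mbam_registry_data(MBAM_SAMPLE)}
    after = parse_otl_extras(OTL_EXTRAS_SAMPLE)
    return evaluate(before), evaluate(after)


if __name__ == "__main__":
    for label, findings in zip(("tampered before MBAM ran", "still wrong after cleanup"), triage()):
        print(label)
        for key, name, observed, expected in findings:
            print(f"  {key}\\{name} = {observed} (expected {expected})")
```

Run against the two excerpts, the first list holds the three ...DisableNotify values MBAM already repaired, and the second holds only EnableFirewall, which is the same fact Security Check reports later in the thread as "Windows Firewall Disabled!". Whether that is leftover tampering or a deliberate setting is a question for the owner, but it is the one monitored value the cleanup so far has not put back.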


DarthSaruman
Before Me You Tremble

join:2002-06-28
Warren, MI

Results of screen317's Security Check version 0.99.30
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
ESET Online Scanner v3
Microsoft Security Essentials
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

CCleaner
AML Free Registry Cleaner 4.22
Adobe Reader X (10.1.1)
Mozilla Thunderbird (7.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````


DarthSaruman
Before Me You Tremble

join:2002-06-28
Warren, MI

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=db5dd1f538f14c45b8848cb1f0f5d1c8
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-12-30 12:40:55
# local_time=2011-12-29 07:40:55 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5891 16776533 42 87 0 21134808 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=30122
# found=0
# cleaned=0
# scan_time=2117
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=db5dd1f538f14c45b8848cb1f0f5d1c8
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-12-31 12:15:25
# local_time=2011-12-30 07:15:25 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5891 16776533 42 88 0 21220734 0 0
# compatibility_mode=8192 67108863 100 0 3301 3301 0 0
# scanned=30484
# found=0
# cleaned=0
# scan_time=1061


DarthSaruman
Before Me You Tremble

join:2002-06-28
Warren, MI


QuickScan 32-bit v0.9.9.101
---------------------------
Scan date: Fri Dec 30 18:22:11 2011
Machine ID: E4C2525F

No infection found.
-------------------

Processes
---------
HP PML 1612 C:\WINDOWS\system32\HPZipm12.exe
Microsoft (R) DRM 1696 C:\WINDOWS\system32\MsPMSPSv.exe
Microsoft IntelliPoint 1604 C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
Microsoft IntelliPoint 472 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
Microsoft Malware Protection 888 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
Microsoft Security Client 704 C:\Program Files\Microsoft Security Client\msseces.exe
Microsoft® Windows® Operating System 1268 C:\WINDOWS\system32\spoolsv.exe
NVIDIA Driver Helper Service, Version 5 1596 C:\WINDOWS\system32\nvsvc32.exe
(verified) Microsoft® Windows® Operating System 1732 C:\WINDOWS\explorer.exe
(verified) Microsoft® Windows® Operating System 220 C:\WINDOWS\system32\alg.exe
(verified) Microsoft® Windows® Operating System 488 C:\WINDOWS\system32\csrss.exe
(verified) Microsoft® Windows® Operating System 568 C:\WINDOWS\system32\lsass.exe
(verified) Microsoft® Windows® Operating System 556 C:\WINDOWS\system32\services.exe
(verified) Microsoft® Windows® Operating System 432 C:\WINDOWS\system32\smss.exe
(verified) Microsoft® Windows® Operating System 736 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 800 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 924 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1000 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1092 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1508 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 512 C:\WINDOWS\system32\winlogon.exe
(verified) Windows® Internet Explorer 3916 C:\Program Files\Internet Explorer\iexplore.exe
(verified) Windows® Internet Explorer 4012 C:\Program Files\Internet Explorer\iexplore.exe

Network activity
----------------
Process iexplore.exe (4012) connected on port 80 (HTTP) --> 69.47.66.192
Process iexplore.exe (4012) connected on port 80 (HTTP) --> 69.47.66.186
Process iexplore.exe (4012) connected on port 80 (HTTP) --> 69.171.224.14
Process iexplore.exe (4012) connected on port 80 (HTTP) --> 74.125.226.239
Process iexplore.exe (4012) connected on port 443 (HTTP over SSL) --> 72.14.204.95

Process svchost.exe (800) listens on ports: 135 (RPC)

Autoruns and critical files
---------------------------
Microsoft IntelliPoint C:\Program Files\Microsoft IntelliPoint\ipoint.exe
Microsoft Security Client C:\Program Files\Microsoft Security Client\msseces.exe
Microsoft® Windows® Operating System C:\WINDOWS\system32\CRYPT32.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll
Microsoft® Windows® Operating System C:\WINDOWS\System32\dimsntfy.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\SHELL32.dll
Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
Microsoft® Windows® Operating System C:\WINDOWS\system32\WlNotify.dll
NVIDIA Compatible Windows 2000 Display C:\WINDOWS\System32\NVCPL.DLL
NVIDIA Media Center Library C:\WINDOWS\System32\NvMcTray.dll
NVIDIA nView Wizard, Version 56.55 C:\WINDOWS\system32\nwiz.exe
QuickTime C:\Program Files\QuickTime\qttask.exe
(verified) Microsoft Genuine Advantage C:\WINDOWS\system32\WgaLogon.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\BROWSEUI.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\stobject.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\WPDShServiceObj.dll
(verified) Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll

Browser plugins
---------------
AcroIEHelperShim Library C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
Adobe Acrobat C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll
BitDefender QuickScan C:\WINDOWS\Downloaded Program Files\qsax.dll
Bonjour C:\Program Files\Bonjour\mdnsNSP.dll
Flash® Player Installer/Uninstaller C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
Messenger C:\Program Files\Messenger\msmsgs.exe
Microsoft® Windows® Operating System C:\WINDOWS\System32\MSWSOCK.DLL
Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
Microsoft® Windows® Operating System C:\WINDOWS\System32\winrnr.dll
npitunes.dll E:\iTunes\Mozilla Plugins\npitunes.dll
QuickTime Plug-in 7.7.1 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
QuickTime Plug-in 7.7.1 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
QuickTime Plug-in 7.7.1 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
QuickTime Plug-in 7.7.1 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
QuickTime Plug-in 7.7.1 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
QuickTime Plug-in 7.7.1 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
QuickTime Plug-in 7.7.1 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
Windows® Internet Explorer C:\WINDOWS\system32\ieframe.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

Scan
----

No file uploaded.

Scan finished - communication took 2 sec
Total traffic - 0.00 MB sent, 0.58 KB recvd
Scanned 508 files and modules - 23 seconds

==============================================================================



LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM
kudos:23
Reviews:
·Comcast

reply to DarthSaruman
Not so bad here. No reformat called for, yet!

But let's check the MBR here too.

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe
http://ad13.geekstogo.com/MBRCheck.exe
http://www.kernelmode.info/MBRCheck.exe

  • Double-click on MBRCheck.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • It will open a black screen with some data on it...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will be created on the desktop.
  • Copy and paste the contents of that log in your next reply.


--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum

DarthSaruman
Before Me You Tremble

join:2002-06-28
Warren, MI

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 125):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EF000 \WINDOWS\system32\hal.dll
0xF7D2F000 \WINDOWS\system32\KDCOM.DLL
0xF7C3F000 \WINDOWS\system32\BOOTVID.dll
0xF77E0000 ACPI.sys
0xF7D31000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF77CF000 pci.sys
0xF782F000 isapnp.sys
0xF7D33000 viaide.sys
0xF7AAF000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF783F000 MountMgr.sys
0xF77B0000 ftdisk.sys
0xF7D35000 dmload.sys
0xF778A000 dmio.sys
0xF7AB7000 PartMgr.sys
0xF784F000 VolSnap.sys
0xF7772000 atapi.sys
0xF785F000 disk.sys
0xF786F000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF7752000 fltmgr.sys
0xF7740000 sr.sys
0xF7729000 KSecDD.sys
0xF769C000 Ntfs.sys
0xF766F000 NDIS.sys
0xF787F000 viaagp.sys
0xF7655000 Mup.sys
0xF78AF000 \SystemRoot\System32\DRIVERS\amdk7.sys
0xF7441000 \SystemRoot\System32\DRIVERS\nv4_mini.sys
0xF742D000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF78BF000 \SystemRoot\System32\DRIVERS\AN983.sys
0xF73B5000 \SystemRoot\system32\drivers\ctaud2k.sys
0xF7391000 \SystemRoot\system32\drivers\portcls.sys
0xF78CF000 \SystemRoot\system32\drivers\drmk.sys
0xF736E000 \SystemRoot\system32\drivers\ks.sys
0xF7355000 \SystemRoot\system32\drivers\ctoss2k.sys
0xF7D39000 \SystemRoot\System32\drivers\ctprxy2k.sys
0xF7CD3000 \SystemRoot\System32\DRIVERS\gameenum.sys
0xF78DF000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF78EF000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF78FF000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF7AF7000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF7B07000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xF7331000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF7B17000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF790F000 \SystemRoot\System32\DRIVERS\serial.sys
0xF7CE3000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF731D000 \SystemRoot\System32\DRIVERS\parport.sys
0xF791F000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF7B27000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF7ED3000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF792F000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF7CEF000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF7306000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF793F000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF794F000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF7B47000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF72F5000 \SystemRoot\System32\DRIVERS\psched.sys
0xF795F000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF7B57000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF7B67000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF72C5000 \SystemRoot\System32\DRIVERS\rdpdr.sys
0xF796F000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF7B77000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF7D3F000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF71C7000 \SystemRoot\System32\DRIVERS\update.sys
0xF7D0F000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF797F000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF5FF9000 \SystemRoot\system32\drivers\ha10kx2k.sys
0xF5FE4000 \SystemRoot\System32\drivers\ctac32k.sys
0xF5FCB000 \SystemRoot\System32\drivers\emupia2k.sys
0xF5FAC000 \SystemRoot\System32\drivers\ctsfm2k.sys
0xF798F000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF7D47000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF7BC7000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xF5F85000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xF7D51000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7F46000 \SystemRoot\System32\Drivers\Null.SYS
0xF7D55000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7BDF000 \SystemRoot\System32\drivers\vga.sys
0xF7D59000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7D5D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7BEF000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7BFF000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7CC7000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xF5F2A000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xF5ED1000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xF5EA9000 \SystemRoot\System32\DRIVERS\netbt.sys
0xF5E83000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF79BF000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xF5E61000 \SystemRoot\System32\drivers\afd.sys
0xF79CF000 \SystemRoot\System32\DRIVERS\netbios.sys
0xF5E36000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xF5DC6000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF79DF000 \SystemRoot\System32\Drivers\Fips.SYS
0xF71AF000 \SystemRoot\System32\DRIVERS\hidusb.sys
0xF79FF000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0xF7C27000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
0xF7C37000 \SystemRoot\System32\DRIVERS\usbccgp.sys
0xF719F000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xF7AD7000 \SystemRoot\System32\DRIVERS\point32.sys
0xF7AE7000 \SystemRoot\System32\DRIVERS\usbprint.sys
0xF7AFF000 \SystemRoot\System32\DRIVERS\HPZius12.sys
0xF7A0F000 \SystemRoot\System32\DRIVERS\HPZid412.sys
0xF7D0B000 \SystemRoot\System32\DRIVERS\HPZipr12.sys
0xF7A1F000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF5D86000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7D63000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF5F7D000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7B4F000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7E7E000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBF40B000 \SystemRoot\System32\ATMFD.DLL
0xF4CC8000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xF39F3000 \SystemRoot\system32\drivers\wdmaud.sys
0xF4D58000 \SystemRoot\system32\drivers\sysaudio.sys
0xF3790000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF7DDD000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xF7DE1000 \??\C:\WINDOWS\system32\PfModNT.sys
0xF35D0000 \SystemRoot\System32\DRIVERS\srv.sys
0xF3107000 \SystemRoot\System32\Drivers\HTTP.sys
0xF7BB7000 \??\C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{42452B51-2C96-462D-A128-45868F65CFEE}\MpKslfde7ecb7.sys
0xF1A19000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 26):
0 System Idle Process
4 System
432 C:\WINDOWS\system32\smss.exe
496 csrss.exe
520 C:\WINDOWS\system32\winlogon.exe
564 C:\WINDOWS\system32\services.exe
576 C:\WINDOWS\system32\lsass.exe
728 C:\WINDOWS\system32\svchost.exe
804 svchost.exe
896 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
932 C:\WINDOWS\system32\svchost.exe
1008 svchost.exe
1100 svchost.exe
1288 C:\WINDOWS\system32\spoolsv.exe
1512 C:\WINDOWS\explorer.exe
1668 svchost.exe
1752 C:\WINDOWS\system32\nvsvc32.exe
1764 C:\WINDOWS\system32\HPZipm12.exe
1828 C:\WINDOWS\system32\MsPMSPSv.exe
268 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
476 C:\Program Files\Microsoft Security Client\msseces.exe
1096 C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
1356 C:\WINDOWS\system32\wuauclt.exe
1836 wmiprvse.exe
2444 alg.exe
3364 C:\Documents and Settings\slayerman1\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000006`1a796600 (NTFS)

PhysicalDrive0 Model Number: ST380021A, Rev: 3.19

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!



LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM
kudos:23
Reviews:
·Comcast

reply to DarthSaruman
This computer looks fine. I want to double check the rootkit findings.

Download and run Sophos AntiRootkit. Post the log in this thread, even if nothing is found.

You find link(s) and instructions here:
»Security Cleanup FAQ »Rootkit Detection Applications
--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum


DarthSaruman
Before Me You Tremble

join:2002-06-28
Warren, MI


Sophos Anti-Rootkit Version 1.5.20 (c) 2009 Sophos Plc
Started logging on 12/31/2011 at 12:06:01 PM
User "slayerman1" on computer "MASTER"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\System Volume Information\_restore{0D097224-3ED0-4EC2-8DDE-41B7B780F1DB}\RP96\A0053018.exe
Hidden: file C:\System Volume Information\_restore{0D097224-3ED0-4EC2-8DDE-41B7B780F1DB}\RP96\A0053017.exe
Hidden: file C:\System Volume Information\_restore{0D097224-3ED0-4EC2-8DDE-41B7B780F1DB}\RP34\A0014649.exe
Hidden: file C:\System Volume Information\_restore{0D097224-3ED0-4EC2-8DDE-41B7B780F1DB}\RP34\A0014648.exe
Hidden: file C:\WINDOWS\Help\Tours\mmTour\tour.exe
Hidden: file C:\Documents and Settings\slayerman1\My Documents\disk-defrag-setup.exe
Hidden: file C:\Program Files\HP\Digital Imaging\help\flash\6940_install_cartridge.exe
Hidden: file C:\Program Files\HP\Digital Imaging\bin\hposid01.exe
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\netstat.exe
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\unregmp2.exe
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\mqtrig.dll
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\mqtgsvc.exe
Hidden: file C:\WINDOWS\system32\spool\PRINTERS\FP00000.SHD
Hidden: file C:\WINDOWS\Downloaded Program Files\qsax.dll
Hidden: file C:\System Volume Information\_restore{0D097224-3ED0-4EC2-8DDE-41B7B780F1DB}\RP97\A0053072.exe
Hidden: file C:\System Volume Information\_restore{0D097224-3ED0-4EC2-8DDE-41B7B780F1DB}\RP97\A0053071.exe
Hidden: file C:\System Volume Information\_restore{0D097224-3ED0-4EC2-8DDE-41B7B780F1DB}\RP97\A0053038.exe
Hidden: file C:\Documents and Settings\slayerman1\Desktop\temp files new\LiveDrvUni-Pack(ENG).exe
Hidden: file C:\WINDOWS\$NtUninstallwmp11$\unregmp2.exe
Info: Starting disk scan of E: (NTFS).
Hidden: file E:\Malwarebytes' Anti-Malware\Chameleon\mbam-killer.exe
Stopped logging on 12/31/2011 at 12:23:37 PM



LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM
kudos:23

reply to DarthSaruman
This computer looks fine.

What problem(s) are you having with it?


DarthSaruman
Before Me You Tremble

join:2002-06-28
Warren, MI

I thought if computer 2 had the same rootkit as computer 1 it may still have an issue...thanks for help on this one...



LoPhatPhuud
Premium,VIP,MVM
join:2002-01-06
Albuquerque, NM
kudos:23
Reviews:
·Comcast

reply to DarthSaruman
Cleaning Up:

Delete TFC:

  • Delete the TFC icon on your Desktop

Delete OTL:
  • Double click the OTL icon on your Desktop
  • Press the 'Cleanup' button

Delete Security Check:
  • Delete the SecurityCheck icon on your Desktop

Delete Malware Bytes:
  • We recommend that you keep MalwareBytes (MBAM) and run it every week. There is no charge to keep the program; however, the real-time protection will stop after the trial period. Be sure to update the definitions before each use. If you decide not to keep MBAM, use Add/Remove Programs to uninstall it.

Delete Sophos AntiRootkit:
  • If we asked you to run the Sophos AntiRootkit program, uninstall it through Add/Remove Programs.

Other Programs:
  • If we asked you to install any other programs that are not removed by the OTL cleanup procedure, we will provide separate removal instructions.

--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum
