Log in

View Full Version : rogueantispyware.xp and unknown trojan



Garvin
2010-04-01, 19:29
I have run spybot s&d full system scan and startup scan, then followed the suggested procedure before posting. The logfile from TrendMicro HijackThis is below.

I also have McAfee installed and it deletes the replications of the Trojan, and MalwareBytes deletes the replications of the rogueantispyware.xp, but they both reinfect after a few minutes pass in the case of the trojan, and a day or two in the case of the rogueantispyware.xp.

Thanks in advance for the help....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:51 AM, on 4/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Axway\Synchrony_V4.0\Gateway_Interchange\b2764\bin\AndaCSOS.exe
C:\PROGRA~1\DIALOGIC\BIN\ANMLOGGERSERVER.exe
C:\PROGRA~1\DIALOGIC\BIN\ANMSUPPLIERSERVER.exe
C:\Axway\Synchrony_V4.0\Gateway_Interchange\jre_1.5.0_11\bin\java.exe
C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4BB27075\bomgar-scc.exe
C:\CardinalCsosActivator\b1854\bin\CardinalCsosCycloneService.exe
C:\PROGRA~1\Dialogic\bin\ctbbserv.exe
C:\CardinalCsosActivator\jre_1.5\bin\java.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\DIALOGIC\BIN\ANMCHANNELFACTORYSERVER.exe
C:\PROGRA~1\DIALOGIC\BIN\ANMCHANNELSERVER.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Refill32\Refill32.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\CycloneActivator\cijre\bin\java.exe
C:\PROGRA~1\Dialogic\bin\dlgc_srv.exe
C:\Program Files\Refill32\TMTMCI.EXE
C:\Program Files\Refill32\Disp.exe
c:\program files\refill32\TMTListener.exe
C:\CycloneActivator\bin\dbeng6.exe
C:\Program Files\Refill32\OleComm.exe
c:\program files\refill32\R32Voice.exe
C:\WINDOWS\system32\VVSERV32.EXE
c:\program files\refill32\R32Voice.exe
c:\program files\refill32\R32Voice.exe
c:\program files\refill32\R32Voice.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ivr\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Startup: Refill32.lnk = C:\Program Files\Refill32\Refill32.exe
O4 - Startup: Ultr@VNC Server.lnk = C:\Program Files\UltraVNC\winvnc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Connect.pif = C:\CONNECT.BAT
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Start Server.lnk = C:\CycloneActivator\bin\launcher.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com (HKLM)
O15 - Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - Trusted Zone: http://www.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://*.mcafee.com (HKLM)
O15 - ESC Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://www.mcafeeasap.com (HKLM)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap.mcafeeasap.com/VS2/SonicWall/bin/myCioAgt.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://andrx.webex.com/client/T27L/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{518FEAB6-A85B-426A-9286-F5A952609BBA}: NameServer = 192.168.92.50,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{518FEAB6-A85B-426A-9286-F5A952609BBA}: NameServer = 192.168.92.50,4.2.2.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{518FEAB6-A85B-426A-9286-F5A952609BBA}: NameServer = 192.168.92.50,4.2.2.2
O23 - Service: AndaCSOS - Unknown owner - C:\Axway\Synchrony_V4.0\Gateway_Interchange\b2764\bin\AndaCSOS.exe
O23 - Service: AnmChannelFactoryServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMCHANNELFACTORYSERVER.exe
O23 - Service: AnmChannelServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMCHANNELSERVER.exe
O23 - Service: AnmLoggerServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMLOGGERSERVER.exe
O23 - Service: AnmSupplierServer - Dialogic Corporation - C:\PROGRA~1\DIALOGIC\BIN\ANMSUPPLIERSERVER.exe
O23 - Service: Bomgar Jump Client [1269985398-1269986706] (bomgar-ps-1269985398-1269986706) - Bomgar Corporation - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4BB27075\bomgar-scc.exe
O23 - Service: CardinalCsosCycloneService - Unknown owner - C:\CardinalCsosActivator\b1854\bin\CardinalCsosCycloneService.exe
O23 - Service: CT Bus Broker (CTBusBroker) - Dialogic Corporation - C:\PROGRA~1\Dialogic\bin\ctbbserv.exe
O23 - Service: Dialogic - Dialogic Corporation - C:\PROGRA~1\Dialogic\bin\dlgc_srv.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SonicWALL Agent Service (SWAGENT) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe

--
End of file - 10252 bytes

IndiGenus
2010-04-05, 00:31
Hello Garvin and welcome to the forums.

:welcome:

Sorry for the delay in getting to your post.

Run OTL

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Under the Custom Scan box paste this in


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
/md5stop
CREATERESTOREPOINT


Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.


Run GMER:

Download This file (http://www.gmer.net/download.php). Note its name and save it to your root folder, such as C:\.


Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled.
Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
Allow the driver to load if asked.
You may be prompted to scan immediately if it detects rootkit activity.
If you are prompted to scan your system click "Yes" to begin the scan.
If not prompted, click the "Rootkit/Malware" tab.
On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
Select all drives that are connected to your system to be scanned.
Click the Scan button to begin. (Please be patient as it can take some time to complete)
When the scan is finished, click Save to save the scan results to your Desktop.
Save the file as Results.log and copy/paste the contents in your next reply.
Exit the program and re-enable all active protection when done.

Garvin
2010-04-06, 19:07
OTL returned only one file when it scanned. It is below:

OTL logfile created on: 4/6/2010 8:54:31 AM - Run 2
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\ivr\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 35.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 48.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 49.23 Gb Free Space | 66.06% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 47.30 Gb Total Space | 29.97 Gb Free Space | 63.37% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive Q: | 74.47 Gb Total Space | 66.83 Gb Free Space | 89.74% Space Free | Partition Type: NTFS

Computer Name: IVRCOMPUTER
Current User Name: ivr
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/06 08:32:07 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ivr\Desktop\OTL.exe
PRC - [2010/03/30 12:16:21 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2010/01/25 17:27:34 | 000,202,048 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe
PRC - [2010/01/25 17:25:40 | 000,472,384 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe
PRC - [2010/01/25 17:23:24 | 000,282,824 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
PRC - [2009/12/15 14:22:34 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
PRC - [2009/12/15 14:21:04 | 000,014,144 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/10/22 13:24:50 | 000,601,976 | ---- | M] (Bomgar Corporation) -- C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4BB27075\bomgar-scc.exe
PRC - [2008/05/26 22:19:14 | 000,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/08 16:56:06 | 000,106,496 | ---- | M] () -- C:\Axway\Synchrony_V4.0\Gateway_Interchange\b2764\bin\AndaCSOS.exe
PRC - [2007/02/22 15:27:07 | 000,065,536 | ---- | M] (tmt) -- C:\Program Files\Refill32\OleComm.exe
PRC - [2006/12/15 02:30:58 | 000,049,248 | ---- | M] (Sun Microsystems, Inc.) -- C:\Axway\Synchrony_V4.0\Gateway_Interchange\jre_1.5.0_11\bin\java.exe
PRC - [2006/05/15 12:53:14 | 000,049,248 | ---- | M] (Sun Microsystems, Inc.) -- C:\CardinalCsosActivator\jre_1.5\bin\java.exe
PRC - [2006/04/28 06:08:21 | 000,106,496 | ---- | M] () -- C:\CardinalCsosActivator\b1854\bin\CardinalCsosCycloneService.exe
PRC - [2005/12/21 11:04:14 | 000,040,960 | ---- | M] (tmt) -- C:\Program Files\Refill32\TMTMCI.EXE
PRC - [2005/12/21 11:02:14 | 000,057,344 | ---- | M] (Logicom, Inc.) -- C:\Program Files\Refill32\Disp.exe
PRC - [2005/03/29 22:33:24 | 000,851,968 | ---- | M] (UltraVNC) -- C:\Program Files\UltraVNC\winvnc.exe
PRC - [2005/01/07 17:30:56 | 000,864,256 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\ControlCenter2\brctrcen.exe
PRC - [2004/04/14 14:46:50 | 000,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
PRC - [2003/01/31 16:49:34 | 000,098,304 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
PRC - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
PRC - [2002/05/28 05:37:16 | 000,069,632 | ---- | M] (adi) -- C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
PRC - [2002/04/01 16:59:58 | 000,270,336 | ---- | M] (Dialogic Corporation) -- C:\Program Files\Dialogic\BIN\ctbbserv.exe
PRC - [2001/06/07 16:45:26 | 000,053,248 | ---- | M] (Dialogic Corporation) -- C:\Program Files\Dialogic\BIN\dlgc_srv.exe
PRC - [2001/04/03 11:54:16 | 000,086,528 | ---- | M] (Dialogic Corporation) -- C:\Program Files\Dialogic\BIN\AnmLoggerServer.exe
PRC - [2001/04/03 11:54:16 | 000,074,240 | ---- | M] (Dialogic Corporation) -- C:\Program Files\Dialogic\BIN\AnmSupplierServer.exe
PRC - [2001/04/03 11:54:14 | 000,115,712 | ---- | M] (Dialogic Corporation) -- C:\Program Files\Dialogic\BIN\AnmChannelServer.exe
PRC - [2001/04/03 11:54:12 | 000,081,408 | ---- | M] (Dialogic Corporation) -- C:\Program Files\Dialogic\BIN\AnmChannelFactoryServer.exe


========== Modules (SafeList) ==========

MOD - [2010/04/06 08:32:07 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ivr\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/01/25 17:27:34 | 000,202,048 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe -- (SWAGENT)
SRV - [2010/01/25 17:23:24 | 000,282,824 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe -- (myAgtSvc)
SRV - [2009/12/15 14:22:34 | 000,144,704 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe -- (McShield)
SRV - [2009/12/15 14:21:04 | 000,014,144 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe -- (EngineServer)
SRV - [2008/10/22 13:24:50 | 000,601,976 | ---- | M] (Bomgar Corporation) [1269985398-1269986706] [Auto | Running] -- C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4BB27075\bomgar-scc.exe -- (bomgar-ps-1269985398-1269986706)
SRV - [2007/11/08 16:56:06 | 000,106,496 | ---- | M] () [Auto | Running] -- C:\Axway\Synchrony_V4.0\Gateway_Interchange\b2764\bin\AndaCSOS.exe -- (AndaCSOS)
SRV - [2007/10/25 16:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2006/04/28 06:08:21 | 000,106,496 | ---- | M] () [Auto | Running] -- C:\CardinalCsosActivator\b1854\bin\CardinalCsosCycloneService.exe -- (CardinalCsosCycloneService)
SRV - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))
SRV - [2002/04/01 16:59:58 | 000,270,336 | ---- | M] (Dialogic Corporation) [On_Demand | Running] -- C:\Program Files\Dialogic\BIN\ctbbserv.exe -- (CTBusBroker)
SRV - [2001/06/07 16:45:26 | 000,053,248 | ---- | M] (Dialogic Corporation) [Auto | Running] -- C:\Program Files\Dialogic\BIN\dlgc_srv.exe -- (Dialogic)
SRV - [2001/04/03 11:54:16 | 000,086,528 | ---- | M] (Dialogic Corporation) [On_Demand | Running] -- C:\Program Files\Dialogic\BIN\AnmLoggerServer.exe -- (AnmLoggerServer)
SRV - [2001/04/03 11:54:16 | 000,074,240 | ---- | M] (Dialogic Corporation) [On_Demand | Running] -- C:\Program Files\Dialogic\BIN\AnmSupplierServer.exe -- (AnmSupplierServer)
SRV - [2001/04/03 11:54:14 | 000,115,712 | ---- | M] (Dialogic Corporation) [On_Demand | Running] -- C:\Program Files\Dialogic\BIN\AnmChannelServer.exe -- (AnmChannelServer)
SRV - [2001/04/03 11:54:12 | 000,081,408 | ---- | M] (Dialogic Corporation) [On_Demand | Running] -- C:\Program Files\Dialogic\BIN\AnmChannelFactoryServer.exe -- (AnmChannelFactoryServer)


========== Driver Services (SafeList) ==========

DRV - [2010/01/07 16:07:14 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2009/12/15 14:29:52 | 000,055,304 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2009/12/15 14:29:42 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (MfeRKDK)
DRV - [2009/12/15 14:29:34 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/12/15 14:29:30 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (MfeBOPK)
DRV - [2009/12/15 14:29:26 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (MfeAVFK)
DRV - [2007/10/09 13:31:17 | 000,102,664 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2005/11/30 12:56:56 | 000,114,400 | ---- | M] (McAfee Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\naiavf5x.sys -- (NaiAvFilter1)
DRV - [2003/02/17 12:22:24 | 000,170,880 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2003/01/19 00:00:00 | 000,095,449 | ---- | M] (MK Systems CO., LTD.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ESDPDX01.SYS -- (Esdpdx01)
DRV - [2002/05/20 16:03:58 | 000,288,960 | ---- | M] (Dialogic Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dlgcsram.sys -- (DlgcSram)
DRV - [2001/03/27 16:16:58 | 000,008,736 | ---- | M] (Dialogic Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dlgcdcm.sys -- (DlgcDcm)
DRV - [2000/06/29 19:38:50 | 000,022,912 | ---- | M] (Dialogic Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gloaddrv.sys -- (Gloaddrv)
DRV - [2000/02/25 09:29:52 | 000,009,952 | ---- | M] (Dialogic Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dlgcupgrade.sys -- (dlgcupgrade)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{8E2B946F-921A-4FCC-B733-4E051D52B119}: C:\Documents and Settings\ivr\Local Settings\Application Data\{8E2B946F-921A-4FCC-B733-4E051D52B119} [2010/03/17 10:08:22 | 000,000,000 | ---D | M]

[2010/03/24 14:41:44 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2003/03/31 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe (adi)
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [McAfee Managed Services Tray] C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe File not found
O4 - HKLM..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.)
O4 - HKCU..\Run: [MsnMsgr] C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe File not found
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Connect.pif ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Start Server.lnk = C:\CycloneActivator\bin\launcher.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\ivr\Start Menu\Programs\Startup\Refill32.lnk = C:\Program Files\Refill32\Refill32.exe (tmt)
O4 - Startup: C:\Documents and Settings\ivr\Start Menu\Programs\Startup\Ultr@VNC Server.lnk = C:\Program Files\UltraVNC\winvnc.exe (UltraVNC)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\NPJPI150_11.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKLM\..Trusted Domains: //about.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Exclude.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //LanguageSelection.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Message.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryCmd.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryNag.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyNotification.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //NOCLessUpdate.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //quarantine.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //ScanNow.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //strings.vbs/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Template.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Update.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //VirFound.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafee.com ( http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafee.com ( https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: cardinal.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: cardinalhealth.com ([]https in Trusted sites)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com (MetaStreamCtl Class)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} http://virusscanasap.mcafeeasap.com/VS2/SonicWall/bin/myCioAgt.cab (SecureObjectFactory Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://andrx.webex.com/client/T27L/support/ieatgpc.cab (GpcContainer Class)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\myrm {4D034FC3-013F-4b95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt5.0.0.705.dll (McAfee, Inc.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/10/12 09:34:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/06/24 02:37:28 | 000,000,075 | ---- | M] () - H:\auto_mailboxsuccess.log -- [ NTFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* ()
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2010/04/06 08:24:44 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17746534284132352)

========== Files/Folders - Created Within 30 Days ==========

[2010/04/06 08:31:53 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\ivr\Desktop\OTL.exe
[2010/04/06 06:23:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avG
[2010/04/06 06:23:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/06 06:23:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\avG
[2010/04/01 09:58:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ivr\Desktop\Downloads
[2010/04/01 09:56:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ivr\Desktop\Various Forms and Documents
[2010/04/01 09:15:12 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\ivr\Desktop\HijackThis.exe
[2010/04/01 09:13:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ivr\Desktop\4-1-2010 Registry Backup
[2010/04/01 09:12:42 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/03/31 15:55:46 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/03/31 15:55:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/03/31 15:53:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ivr\Application Data\U3
[2010/03/30 14:43:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4BB27075
[2010/03/30 12:16:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google Updater
[2010/03/30 11:18:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ivr\Local Settings\Application Data\Threat Expert
[2010/03/30 10:35:43 | 001,640,400 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll.old
[2010/03/30 10:30:28 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/03/30 10:30:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/03/30 10:23:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ivr\Application Data\Uniblue
[2010/03/30 09:56:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2010/03/25 07:18:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ivr\Application Data\McAfee
[2010/03/24 21:13:58 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/03/24 13:56:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ivr\Application Data\Malwarebytes
[2010/03/24 13:55:38 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/24 13:55:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/24 13:55:34 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/24 13:55:33 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/24 13:06:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/03/24 13:06:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/03/24 13:06:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/03/22 14:27:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/03/22 14:27:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/03/17 11:00:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/03/17 10:08:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ivr\Local Settings\Application Data\{8E2B946F-921A-4FCC-B733-4E051D52B119}
[2010/03/17 10:04:55 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/03/17 10:04:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ivr\Application Data\3C178299838AD7414DB50286AAA724DE
[2010/03/10 13:03:02 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2010/03/08 17:49:19 | 000,000,000 | ---D | C] -- C:\PWUPD
[2010/03/08 17:49:19 | 000,000,000 | ---D | C] -- C:\PWLOCAL
[2008/08/28 12:41:53 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2006/12/27 16:29:25 | 000,630,784 | ---- | C] (Citrix Online) -- C:\Documents and Settings\ivr\GoToAssist_chat2way__317_en.exe
[2006/03/09 11:56:12 | 000,630,784 | ---- | C] (Citrix Online) -- C:\Documents and Settings\ivr\chatlnk.exe
[2005/04/04 08:38:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\ivr\*.tmp files -> C:\Documents and Settings\ivr\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/06 08:32:07 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ivr\Desktop\OTL.exe
[2010/04/06 08:20:51 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/04/06 08:20:35 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/06 08:20:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/06 08:19:22 | 004,194,304 | -H-- | M] () -- C:\Documents and Settings\ivr\NTUSER.DAT
[2010/04/06 08:19:22 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\ivr\ntuser.ini
[2010/04/06 07:23:32 | 000,011,638 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\K6sEH5Ir2Is
[2010/04/05 12:48:30 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/05 10:47:45 | 000,012,090 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\LK2mfPE2j
[2010/04/01 09:15:14 | 000,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\ivr\Desktop\HijackThis.exe
[2010/04/01 09:12:43 | 000,000,631 | ---- | M] () -- C:\Documents and Settings\ivr\Desktop\ERUNT.lnk
[2010/03/31 16:49:07 | 000,000,094 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/03/31 15:55:56 | 000,000,972 | ---- | M] () -- C:\Documents and Settings\ivr\Desktop\Spybot - Search & Destroy.lnk
[2010/03/31 14:32:27 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Lyuluqejakoku.dat
[2010/03/31 12:12:57 | 000,013,628 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\7VJ5
[2010/03/31 09:14:08 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Xzenafi.bin
[2010/03/30 19:00:39 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atapi.sys
[2010/03/30 08:01:44 | 000,010,638 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\N8t8HBsW
[2010/03/29 10:08:32 | 000,010,860 | -HS- | M] () -- C:\Documents and Settings\ivr\Local Settings\Application Data\N8t8HBsW
[2010/03/29 10:08:32 | 000,010,860 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\305717023
[2010/03/29 10:08:17 | 000,010,642 | -HS- | M] () -- C:\Documents and Settings\ivr\Local Settings\Application Data\3803096931
[2010/03/29 10:07:51 | 000,010,658 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3803096931
[2010/03/29 10:07:51 | 000,010,658 | -HS- | M] () -- C:\Documents and Settings\ivr\Local Settings\Application Data\305717023
[2010/03/25 17:19:31 | 000,000,948 | ---- | M] () -- C:\Documents and Settings\ivr\My Documents\My Sharing Folders.lnk
[2010/03/25 16:37:08 | 000,015,040 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2Q757bFxJ7S
[2010/03/24 14:07:37 | 000,014,506 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\8VoB3
[2010/03/24 13:55:43 | 000,000,735 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/20 09:11:47 | 000,555,168 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/20 09:11:47 | 000,465,402 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/20 09:11:47 | 000,079,162 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/16 13:01:52 | 000,000,358 | ---- | M] () -- C:\CONNECT.BAT
[2010/03/16 10:02:56 | 000,004,548 | -H-- | M] () -- C:\Documents and Settings\ivr\My Documents\Default.rdp
[2010/03/08 17:49:15 | 000,002,608 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/03/08 17:49:15 | 000,001,791 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\ivr\*.tmp files -> C:\Documents and Settings\ivr\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/06 06:22:47 | 000,011,638 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\K6sEH5Ir2Is
[2010/04/06 06:22:47 | 000,011,638 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\K6sEH5Ir2Is
[2010/04/02 10:44:18 | 000,201,216 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\MSASCui.exe
[2010/04/02 10:44:07 | 000,012,090 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\LK2mfPE2j
[2010/04/02 10:44:07 | 000,012,090 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\LK2mfPE2j
[2010/04/02 10:44:05 | 000,196,608 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe
[2010/04/01 09:12:43 | 000,000,631 | ---- | C] () -- C:\Documents and Settings\ivr\Desktop\ERUNT.lnk
[2010/03/31 16:49:07 | 000,000,094 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/03/31 15:55:56 | 000,000,972 | ---- | C] () -- C:\Documents and Settings\ivr\Desktop\Spybot - Search & Destroy.lnk
[2010/03/31 12:10:53 | 000,013,628 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\7VJ5
[2010/03/31 11:03:40 | 000,013,628 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\7VJ5
[2010/03/31 11:03:40 | 000,012,582 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\7VJ5
[2010/03/30 12:16:11 | 000,000,868 | ---- | C] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/03/30 10:35:44 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
[2010/03/29 10:08:16 | 000,010,642 | -HS- | C] () -- C:\Documents and Settings\ivr\Local Settings\Application Data\3803096931
[2010/03/29 10:07:06 | 000,010,658 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3803096931
[2010/03/29 10:07:06 | 000,010,658 | -HS- | C] () -- C:\Documents and Settings\ivr\Local Settings\Application Data\305717023
[2010/03/29 10:06:32 | 000,010,860 | -HS- | C] () -- C:\Documents and Settings\ivr\Local Settings\Application Data\N8t8HBsW
[2010/03/29 10:06:32 | 000,010,860 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\305717023
[2010/03/29 09:41:57 | 000,010,638 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\N8t8HBsW
[2010/03/29 09:41:57 | 000,010,638 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\N8t8HBsW
[2010/03/25 17:19:31 | 000,000,948 | ---- | C] () -- C:\Documents and Settings\ivr\My Documents\My Sharing Folders.lnk
[2010/03/25 15:34:56 | 000,015,040 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\2Q757bFxJ7S
[2010/03/25 15:34:56 | 000,015,040 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2Q757bFxJ7S
[2010/03/24 13:55:43 | 000,000,735 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/24 13:06:37 | 000,014,506 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\8VoB3
[2010/03/24 13:06:37 | 000,014,506 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8VoB3
[2010/03/17 10:08:24 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Lyuluqejakoku.dat
[2010/03/17 10:08:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Xzenafi.bin
[2010/03/08 17:49:15 | 000,007,358 | ---- | C] () -- C:\PW.ICO
[2010/03/08 17:49:15 | 000,001,277 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PACWIN.lnk
[2010/03/08 17:49:15 | 000,000,967 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Connect.pif
[2010/03/08 17:49:15 | 000,000,358 | ---- | C] () -- C:\CONNECT.BAT
[2009/10/13 11:27:16 | 000,000,040 | ---- | C] () -- C:\WINDOWS\opt_2460.ini
[2009/10/13 11:27:13 | 000,000,055 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2009/04/14 15:02:17 | 000,000,008 | ---- | C] () -- C:\WINDOWS\System32\PROTOCOL.INI
[2008/10/14 10:03:17 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\ivr\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/10/14 10:03:12 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\vcmimm4.dll
[2008/09/05 11:30:07 | 000,000,885 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2008/09/05 11:30:07 | 000,000,426 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2008/09/05 11:30:07 | 000,000,092 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2008/09/05 11:30:07 | 000,000,052 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2008/09/05 11:29:23 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\BROSNMP.DLL
[2008/09/05 11:29:18 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2008/09/05 11:27:21 | 000,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2008/08/28 11:57:17 | 000,103,720 | ---- | C] () -- C:\Documents and Settings\ivr\GoToAssistDownloadHelper.exe
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/04/17 14:37:05 | 000,056,912 | ---- | C] () -- C:\Documents and Settings\ivr\g2mdlhlpx.exe
[2006/10/13 12:30:10 | 000,668,976 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/03/31 16:52:17 | 000,028,672 | ---- | C] () -- C:\Documents and Settings\ivr\atwbxdet.dll
[2006/03/31 16:52:17 | 000,017,887 | ---- | C] () -- C:\Documents and Settings\ivr\gpc2k.php
[2006/03/31 16:52:17 | 000,002,898 | ---- | C] () -- C:\Documents and Settings\ivr\webex.ini
[2005/12/22 15:21:59 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/11/23 12:01:36 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\ivr\Local Settings\Application Data\fusioncache.dat
[2005/11/23 11:37:41 | 000,051,392 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2005/04/06 08:06:24 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\ntuser.dat
[2005/04/06 08:06:24 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\ntuser.dat.LOG
[2004/10/14 09:25:22 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\libgcipm.dll
[2004/10/14 09:25:21 | 000,024,667 | ---- | C] () -- C:\WINDOWS\System32\DlgcS7Srvps.dll
[2004/10/14 09:21:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ncm.INI
[2004/10/14 09:21:42 | 000,001,099 | ---- | C] () -- C:\WINDOWS\Dlgc_Uninstall_Log.ini
[2004/10/14 09:21:24 | 000,002,681 | ---- | C] () -- C:\WINDOWS\System32\d41mt.ini
[2004/10/14 09:21:20 | 000,352,256 | ---- | C] () -- C:\WINDOWS\System32\icuuc.dll
[2004/10/14 09:21:19 | 004,321,280 | ---- | C] () -- C:\WINDOWS\System32\icudata.dll
[2004/10/14 09:21:19 | 000,072,704 | ---- | C] () -- C:\WINDOWS\System32\AnmCommon.dll
[2004/10/14 09:21:19 | 000,048,128 | ---- | C] () -- C:\WINDOWS\System32\AnmConsumerCproxy.dll
[2004/10/14 09:21:19 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\AnmSupplierCproxy.dll
[2004/10/14 09:21:19 | 000,038,400 | ---- | C] () -- C:\WINDOWS\System32\AnmCproxy.dll
[2004/10/14 09:21:19 | 000,032,256 | ---- | C] () -- C:\WINDOWS\System32\AnmErrorMsgs.dll
[2004/10/14 09:21:18 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2004/10/14 09:21:17 | 000,180,323 | ---- | C] () -- C:\WINDOWS\System32\librtfmt.dll
[2004/10/14 09:21:17 | 000,005,120 | ---- | C] () -- C:\WINDOWS\System32\SCEventMsg.dll
[2004/10/14 09:21:16 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\AL21MFC.DLL
[2004/10/14 09:21:16 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\DCMObjps.dll
[2004/10/14 09:18:54 | 000,001,918 | ---- | C] () -- C:\WINDOWS\winzip32.ini
[2004/10/12 09:48:35 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2004/10/12 09:45:46 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\ivr\ntuser.ini
[2004/10/12 09:45:45 | 004,194,304 | -H-- | C] () -- C:\Documents and Settings\ivr\NTUSER.DAT
[2004/10/12 09:45:45 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\ivr\ntuser.dat.LOG
[2002/03/04 10:16:34 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[1997/05/06 11:57:12 | 000,002,171 | ---- | C] () -- C:\WINDOWS\VVOICE32.INI

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2008/02/15 13:16:00 | 033,618,432 | ---- | M] () -- C:\act4245win.exe


< MD5 for: AGP440.SYS >
[2005/04/04 08:12:58 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/08/28 09:13:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2005/04/04 08:12:58 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/08/28 09:13:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 23:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2003/03/31 05:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2005/04/04 08:12:58 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/08/28 09:13:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2005/04/04 08:12:58 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/08/28 09:13:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2010/03/30 19:00:39 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2010/03/30 19:00:39 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2001/04/09 08:14:42 | 000,032,768 | R--- | M] () MD5=2A14F4EC45145E6BCC52504D45705A1B -- C:\IVR Load\dialogic 5.1.1\dse_sdk\DSE-DSLT\Service\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 00:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 00:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 00:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

IndiGenus
2010-04-06, 19:25
OTL returned only one file when it scanned. It is below:

This was a second run of OTL.


OTL logfile created on: 4/6/2010 8:54:31 AM - Run 2

It will not normally produce an extras log after the first run. The extras log would have been saved to where ever you run OTL from, which looks like the desktop. Is there an extras.txt log on the desktop somewhere?

Garvin
2010-04-06, 20:11
No, I ran it the second time because the extras.txt.log did not appear the first time. I even ran a search of the entire computer to find it and it is not there.

Is there a way to recreate the extras.txt.log?

Do you want me to post the results from the first scan?

Below are the results from the GMER scan. I have a corporately maintained McAfee antivirus that I did my best to disable, but I don't think I killed the right process.

Thanks.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-06 10:03:54
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ivr\LOCALS~1\Temp\ugdcyaog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA671578A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA6715738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA671574C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA67157CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA6715710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA6715724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA671579E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA6715776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA6715762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA67157F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA67157E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA67157B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A047CA1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

IndiGenus
2010-04-06, 20:24
We can get the extras log later if needed. I can see the main issue now.


I have a corporately maintained McAfee antivirus
Is this a business machine?

Garvin
2010-04-06, 20:28
Yes, it is a business machine, but I am the owner. I have a IT service that I hire to maintain my Sonicwall and McAfee and do basic networking for me, but this is out of their domain, so I am working on it personally. As you can imagine, I don't want to have to reformat the whole hard drive as there is some difficult to replace the programming and files on it. Thanks.

IndiGenus
2010-04-06, 21:40
Yes, it is a business machine, but I am the owner. I have a IT service that I hire to maintain my Sonicwall and McAfee and do basic networking for me, but this is out of their domain, so I am working on it personally.
I am checking in with the admin here to see if helping you is okay or not. Technically by the terms discussed here (http://forums.spybot.info/showpost.php?p=25712&postcount=5), it is not.


As you can imagine, I don't want to have to reformat the whole hard drive as there is some difficult to replace the programming and files on it. Thanks.
I would hope you have good backups?

+++++++++++++

You should also understand that it appears you have a rootkit running here. Now I have not seen any signs of a backdoor trojan here, but rootkit technology is designed to hide such an activity, so there are no guarantees. Considering this machine is used for business there could be critical data. With that said I'll give my standard warning for this....

Identity Theft

You may be infected with a rootkit and/or backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

Its very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we cannot guarantee that your computer will be completely in the clear since we have no way of knowing that has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to backup your information, reformat, and reinstall.

More information on Remote Access Trojans can be found here (http://antivirus.about.com/library/weekly/aa100400a.htm).

I suggest you do the following immediately:

Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.


If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can help you clean your computer to the best of my abilities. I must remind you that i cannot guarantee that your computer will be completely clean afterwards since we have no way of knowing what has been done to it.

To help you make your decision, here are a few related articles that i suggest you read:


Danger: Remote Access Trojans. (http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx)
When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063)
How Do I Handle Possible Identify Theft, Internet Fraud and Credit Card Fraud? (http://www.dslreports.com/faq/10451)

IndiGenus
2010-04-06, 21:55
Unfortunately we can not help you with this computer here. It was also noted that you did not mention if you had a Spybot S&D license, which is required for business users. If you do have a business license for it then you can get paid support here (http://www.safer-networking.ie/en/livesupport/index.html).

Sorry we couldn't be more help.
Dave

Garvin
2010-04-06, 23:10
Sorry, I didn't know that I couldn't have you help me with a computer at my business.

Garvin