Click.GiftLoad Removal Help!


soul4soul

New member
Hi
My computer has been infected with Click.GiftLoad for about the last 5 days. My computer is experiencing all the same symptoms as this guy

I know I'm new to the forum but please help! Recently I keep getting redirected when I search things on Google, get fake virus reports, and my sound suddenly stops working. In general my computer is a lot slower and I have to remove the Click.GiftLoad in Spybot every day to get my computer to run normally (but it won't stop appearing!). In my Task Manager there are also multiple svchost.exe processes running.

Also my System Restore stopped working and twice I have gotten a svchost.exe error. I'd say about a month ago I got one of those fake Microsoft Security Center viruses, but I used System Restore and it went away, so maybe this is just something that was left over. I actually was kinda stupid and followed the help given in that thread before I noticed the sticky saying not to do that. So now here I am posting to get some real help.

I know you'll probably see this in the reports, but so you know, I have SB and MBAM. I installed them 5 days ago right after I noticed I was getting Google redirects. I use MSE for anti-virus protection, and I have CCleaner and I run it regularly (mostly after I add or remove a program). Oh, lastly, I have a few times before gone into the Windows registry and deleted stuff; I would search the registry for programs I've removed, looking for leftover information that wasn't deleted, and I'd delete it manually.

I hope I haven't done anything too stupid that is irreversible. I look forward to getting help and getting this off my computer.

.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Lord at 12:59:52.81 on Sat 04/23/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1467 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Lord\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uLocal Page =
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagItBHO.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagItIEAddin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\lord\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} -
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
Trusted Zone: cinemanow.com
Trusted Zone: qflix.com
Trusted Zone: roxio.com
Trusted Zone: sonic.com\redirect
Trusted Zone: sonic.com\redirect2
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\lord\applic~1\mozilla\firefox\profiles\ns2o3ouy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55273
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 8888
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2009-3-3 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2009-3-3 15856]
S1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2009-6-29 244608]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
S1 MpKsl2367828d;MpKsl2367828d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d425190-4599-4da0-8e2e-4ee5ec030ba3}\mpksl2367828d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d425190-4599-4da0-8e2e-4ee5ec030ba3}\MpKsl2367828d.sys [?]
S1 MpKsla5c5fa87;MpKsla5c5fa87;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d169990f-bc33-4b6b-82b7-63fd0528929b}\mpksla5c5fa87.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d169990f-bc33-4b6b-82b7-63fd0528929b}\MpKsla5c5fa87.sys [?]
S1 MpKslb0fe2e80;MpKslb0fe2e80;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e0e98532-b5d7-4909-99d2-d34b8a22cbb6}\mpkslb0fe2e80.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e0e98532-b5d7-4909-99d2-d34b8a22cbb6}\MpKslb0fe2e80.sys [?]
S1 MpKslbf8fe406;MpKslbf8fe406;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ca88cd10-8669-4943-beff-1157a933ca7c}\mpkslbf8fe406.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ca88cd10-8669-4943-beff-1157a933ca7c}\MpKslbf8fe406.sys [?]
S1 MpKslcefc53da;MpKslcefc53da;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8dc3ca08-2d57-46e5-8955-c1f1cb43d965}\mpkslcefc53da.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8dc3ca08-2d57-46e5-8955-c1f1cb43d965}\MpKslcefc53da.sys [?]
S1 MpKsldf37030e;MpKsldf37030e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b6c30763-7f6c-421b-b864-daa92d8cf64b}\mpksldf37030e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b6c30763-7f6c-421b-b864-daa92d8cf64b}\MpKsldf37030e.sys [?]
S1 MpKsle49a001f;MpKsle49a001f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9ef5287b-a0b5-4213-8ccc-4d7dc910ca46}\mpksle49a001f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9ef5287b-a0b5-4213-8ccc-4d7dc910ca46}\MpKsle49a001f.sys [?]
S1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2009-3-3 25584]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\saibsvc.exe --> c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [?]
S2 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-6-23 127352]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 KMService;KMService;c:\windows\system32\srvany.exe [2010-9-27 8192]
S2 Roxio Upnp Server 11;Roxio Upnp Server 11;"c:\program files\roxio creator 2009 ultimate\digital home 11\roxioupnpservice11.exe" --> c:\program files\roxio creator 2009 ultimate\digital home 11\RoxioUpnpService11.exe [?]
S2 RoxLiveShare11;LiveShare P2P Server 11;"c:\program files\common files\roxio shared\11.0\sharedcom\roxliveshare11.exe" --> c:\program files\common files\roxio shared\11.0\sharedcom\RoxLiveShare11.exe [?]
S2 RoxWatch11;Roxio Hard Drive Watcher 11;"c:\program files\common files\roxio shared\11.0\sharedcom\roxwatch11.exe" --> c:\program files\common files\roxio shared\11.0\sharedcom\RoxWatch11.exe [?]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatch12.exe [2009-7-24 219632]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\roxio creator 2009 ultimate\digital home 11\roxioupnprenderer11.exe" --> c:\program files\roxio creator 2009 ultimate\digital home 11\RoxioUPnPRenderer11.exe [?]
S3 RoxMediaDB11;RoxMediaDB11;"c:\program files\common files\roxio shared\11.0\sharedcom\roxmediadb11.exe" --> c:\program files\common files\roxio shared\11.0\sharedcom\RoxMediaDB11.exe [?]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxMediaDB12.exe [2009-7-24 1116656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2011-04-23 02:25:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-04-23 02:11:38 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4f3fb5b8-33ba-46f8-8e0b-f95003a87ed9}\MpKsl3697d962.sys
2011-04-23 00:49:50 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4f3fb5b8-33ba-46f8-8e0b-f95003a87ed9}\mpengine.dll
2011-04-23 00:10:59 -------- d-sha-r- C:\cmdcons
2011-04-22 17:01:58 -------- d-----w- c:\program files\CP-Autos
2011-04-21 21:44:47 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-04-21 21:44:47 -------- d-----w- c:\documents and settings\all users\Microsoft
2011-04-21 21:39:24 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2011-04-21 16:27:15 -------- d-----w- c:\docume~1\lord\applic~1\Malwarebytes
2011-04-21 16:27:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-21 16:27:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-21 16:27:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-21 16:27:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-21 16:04:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-21 16:04:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-04-21 03:43:28 -------- d-----w- c:\docume~1\lord\locals~1\applic~1\Microsoft Help
2011-04-20 18:04:25 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-20 18:04:25 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-20 16:00:25 -------- d-----w- c:\windows\Sonic
2011-04-18 21:39:12 -------- d-----w- c:\program files\Bonjour
2011-04-15 22:01:01 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-04-15 22:00:47 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-04-15 21:59:45 -------- d-----w- c:\windows\system32\RsFx
2011-04-15 21:56:37 -------- d-----w- c:\program files\Microsoft SQL Server
2011-04-15 19:18:21 -------- d-----w- c:\docume~1\lord\applic~1\TweakNow RegCleaner 2011
2011-04-12 17:05:13 -------- d-----w- c:\docume~1\lord\locals~1\applic~1\Adobe
2011-04-10 03:34:22 112832 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\vcexpress\10.0\1033\ResourceCache.dll
2011-04-08 22:19:49 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-05 02:45:25 -------- d-----w- c:\docume~1\lord\locals~1\applic~1\PCTeX
2011-04-05 02:44:54 -------- d-----w- c:\program files\PCTeX
2011-04-01 16:36:42 -------- d-----w- c:\program files\Ghostgum
2011-04-01 16:32:30 -------- d-----w- c:\program files\gs
2011-04-01 15:50:08 -------- d-----w- c:\program files\common files\Adobe-BackupByPhotoshopCS5Portable
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ------w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ------w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ------w- c:\windows\system32\win32k.sys
2011-02-17 13:51:57 81920 ------w- c:\windows\system32\ieencode.dll
2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51:57 61952 ------w- c:\windows\system32\tdc.ocx
2011-02-17 12:37:38 369664 ------w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ------w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ------w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ------w- c:\windows\system32\mfc42u.dll
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2067456 ------w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ------w- c:\windows\system32\mstsc.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500AAJS-75VWA0 rev.12.01B02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SahdIa32.sys ACPI.sys hal.dll >>UNKNOWN [0x8A8B94F0]<<
c:\windows\system32\drivers\SahdIa32.sys Sonic Solutions
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a8bf7d0]; MOV EAX, [0x8a8bf84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A8C9AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8A912918]
5 SahdIa32[0xF7658939] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000066[0x8A8CC098]
7 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A93FD98]
\Driver\atapi[0x8A90FEB8] -> IRP_MJ_CREATE -> 0x8A8B94F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A8B933B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 13:00:56.87 ===============
 


Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Just copy and paste any logs or reports we ask for into the thread; there is no need to quote them.

You're infected with a rootkit. I am going to have you run TDSSKiller, but the variant you may have could prevent it from running, and if that's the case we will use another method to remove it.


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
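As an added illustration (not part of this thread, and not code from DDS, GMER or TDSSKiller), here is a small Python triage script that walks a DDS log and pulls out the indicators an analyst looks for in the report above: an unknown module in the disk I/O stack, hooked driver entry points, the GMER rootkit warning, and Firefox proxy settings pointing back at the local machine. The sample input is a constructed excerpt of lines from the log posted above; a real run would read the saved DDS.txt instead.

```python
import re

# Constructed excerpt: lines copied from the DDS log above, embedded so the
# script runs offline. Replace with open("DDS.txt").read() on a real system.
SAMPLE_DDS = """\
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55273
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 8888
FF - prefs.js: network.proxy.type - 0
=================== ROOTKIT ====================
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SahdIa32.sys ACPI.sys hal.dll >>UNKNOWN [0x8A8B94F0]<<
\\Driver\\atapi[0x8A90FEB8] -> IRP_MJ_CREATE -> 0x8A8B94F0
detected disk devices:
detected hooks:
\\Driver\\atapi DriverStartIo -> 0x8A8B933B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Patterns for the DDS/GMER lines we care about.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\S+)\s+->\s+(0x[0-9A-Fa-f]+)")
PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
WARN_RE = re.compile(r"^Warning: possible (.+?) rootkit infection")


def triage_dds(text):
    """Return a list of (category, detail) findings extracted from DDS log text."""
    findings = []
    prefs = {}
    in_hooks = False  # True while reading the lines under "detected hooks:"
    for raw in text.splitlines():
        line = raw.strip()

        # Collect Firefox prefs.js overrides; evaluated after the loop.
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
            continue

        # A module GMER could not attribute to any file in the disk stack.
        m = UNKNOWN_RE.search(line)
        if m:
            findings.append(("unknown-module-in-disk-stack", m.group(1)))

        # Hook list: every "\Driver\X Entry -> addr" line after the header.
        if line.startswith("detected hooks:"):
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                findings.append(("driver-hook", f"{m.group(1)} {m.group(2)} -> {m.group(3)}"))
                continue
            in_hooks = False  # first non-hook line ends the list

        m = WARN_RE.match(line)
        if m:
            findings.append(("rootkit-warning", m.group(1)))

    # Browser proxy aimed at the local host is the classic footprint of a
    # local traffic filter/redirector, even when proxy.type=0 leaves it idle.
    ptype = prefs.get("network.proxy.type", "?")
    for scheme in ("http", "ssl"):
        host = prefs.get(f"network.proxy.{scheme}", "")
        if host in ("127.0.0.1", "localhost"):
            port = prefs.get(f"network.proxy.{scheme}_port", "?")
            findings.append(("local-proxy", f"{scheme} -> {host}:{port}, network.proxy.type={ptype}"))

    # Any keyword.URL override replaces address-bar search; worth a look.
    if prefs.get("keyword.URL"):
        findings.append(("search-override", prefs["keyword.URL"]))
    return findings


if __name__ == "__main__":
    for category, detail in triage_dds(SAMPLE_DDS):
        print(f"[{category}] {detail}")
```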
 
Hey, thanks for the reply. I just want to make sure you know that I tried following the advice given in the thread I linked to. At the time I didn't realize that was the wrong thing to do.

Going to try that on my infected PC now I'll report back when I'm done.
 
I guess I can't edit my previous post. I tried running TDSSKiller but it didn't work; I got one of those Microsoft error reports. If it matters, it got up to 80% initialized.
 
You're doing fine. Your Master Boot Record is infected. I am going to have you run ComboFix; ComboFix will check to see if there is a Recovery Console installed and if not will prompt you to install one. Do so, because we need to fix the MBR through the Recovery Console.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2


CF_download_FF.gif



CF_download_rename.gif


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
Nothing showed up about needing to reinstall the Microsoft Recovery Console.
ComboFix 11-04-25.02 - Lord 04/25/2011 21:29:25.2.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1399 [GMT -4:00]
Running from: c:\documents and settings\Lord\Desktop\Combo-Fix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-26 to 2011-04-26 )))))))))))))))))))))))))))))))
.
.
2011-04-22 17:01 . 2011-04-22 17:01 -------- d-----w- c:\program files\CP-Autos
2011-04-21 21:44 . 2011-04-21 21:44 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-04-21 21:44 . 2011-04-21 21:44 -------- d-----w- c:\documents and settings\All Users\Microsoft
2011-04-21 21:39 . 2011-04-21 21:39 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2011-04-21 21:26 . 2011-04-21 21:26 -------- d-----r- C:\MSOCache
2011-04-21 16:27 . 2011-04-21 16:27 -------- d-----w- c:\documents and settings\Lord\Application Data\Malwarebytes
2011-04-21 16:27 . 2011-04-21 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-21 16:27 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-21 16:27 . 2011-04-21 16:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-21 16:27 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-21 16:04 . 2011-04-23 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-21 16:04 . 2011-04-21 16:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-21 03:43 . 2011-04-21 03:43 -------- d-----w- c:\documents and settings\Lord\Local Settings\Application Data\Microsoft Help
2011-04-20 18:04 . 2011-04-20 18:04 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-20 17:39 . 2011-04-21 14:01 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-04-20 16:00 . 2011-04-20 16:00 -------- d-----w- c:\windows\Sonic
2011-04-18 21:39 . 2011-04-18 21:39 -------- d-----w- c:\program files\Bonjour
2011-04-15 22:01 . 2009-07-23 03:08 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-04-15 22:00 . 2009-07-23 03:08 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-04-15 21:59 . 2011-04-15 21:59 -------- d-----w- c:\windows\system32\RsFx
2011-04-15 21:56 . 2011-04-15 21:59 -------- d-----w- c:\program files\Microsoft SQL Server
2011-04-15 19:18 . 2011-04-21 15:00 -------- d-----w- c:\documents and settings\Lord\Application Data\TweakNow RegCleaner 2011
2011-04-12 17:05 . 2011-04-12 17:05 -------- d-----w- c:\documents and settings\Lord\Local Settings\Application Data\Adobe
2011-04-12 16:31 . 2011-04-12 17:07 -------- d-----w- c:\program files\Common Files\Adobe
2011-04-10 03:34 . 2011-04-10 03:34 112832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\10.0\1033\ResourceCache.dll
2011-04-08 22:19 . 2011-04-08 22:19 -------- d-----w- c:\windows\symbols
2011-04-08 22:19 . 2011-04-08 22:19 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-05 02:45 . 2011-04-05 02:45 -------- d-----w- c:\documents and settings\Lord\Local Settings\Application Data\PCTeX
2011-04-05 02:44 . 2011-04-05 02:44 -------- d-----w- c:\program files\PCTeX
2011-04-01 16:36 . 2011-04-01 16:36 -------- d-----w- c:\program files\Ghostgum
2011-04-01 16:32 . 2011-04-01 16:32 -------- d-----w- c:\program files\gs
2011-04-01 15:50 . 2011-04-12 16:38 -------- d-----w- c:\program files\Common Files\Adobe-BackupByPhotoshopCS5Portable
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2004-08-10 18:02 692736 ------w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-10 17:51 434176 ------w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 17:51 1857920 ------w- c:\windows\system32\win32k.sys
2011-02-17 13:51 . 2004-08-10 17:51 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51 . 2004-08-10 17:51 61952 ------w- c:\windows\system32\tdc.ocx
2011-02-17 13:51 . 2004-08-10 17:51 81920 ------w- c:\windows\system32\ieencode.dll
2011-02-17 13:18 . 2004-08-10 17:51 455936 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-10 17:51 357888 ------w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:37 . 2004-08-10 17:51 369664 ------w- c:\windows\system32\html.iec
2011-02-17 12:32 . 2009-04-16 19:04 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-10 17:50 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2004-08-10 18:01 229888 ------w- c:\windows\system32\fxscover.exe
2011-02-09 13:53 . 2004-08-10 17:51 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-10 17:51 186880 ------w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-10 17:51 978944 ------w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-10 17:51 974848 ------w- c:\windows\system32\mfc42u.dll
2011-02-02 22:11 . 2010-04-23 18:00 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2004-08-10 18:01 2067456 ------w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-10 18:01 677888 ------w- c:\windows\system32\mstsc.exe
2011-03-18 17:53 . 2011-04-21 17:58 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
.
c:\documents and settings\Lord\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 23:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 18:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-14 15:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-06-10 12:28 13758464 ------w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-05-28 21:32 16132608 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-05-21 14:55 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=
"c:\\Program Files\\Roxio 2010\\Venue\\Venue.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\UniServer\\usr\\local\\mysql\\bin\\mysqld-opt.exe"=
"c:\\UniServer\\usr\\local\\apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [3/3/2009 5:47 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [3/3/2009 5:47 PM 15856]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [6/29/2009 4:07 PM 244608]
R1 MpKsle016af81;MpKsle016af81;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0F808FE6-9676-4AE7-8497-F09D69E1B99A}\MpKsle016af81.sys [4/25/2011 9:20 PM 28752]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [3/3/2009 5:47 PM 25584]
R2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [6/23/2009 5:40 PM 127352]
S1 MpKsl2367828d;MpKsl2367828d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D425190-4599-4DA0-8E2E-4EE5EC030BA3}\MpKsl2367828d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D425190-4599-4DA0-8E2E-4EE5EC030BA3}\MpKsl2367828d.sys [?]
S1 MpKsla5c5fa87;MpKsla5c5fa87;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D169990F-BC33-4B6B-82B7-63FD0528929B}\MpKsla5c5fa87.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D169990F-BC33-4B6B-82B7-63FD0528929B}\MpKsla5c5fa87.sys [?]
S1 MpKslb0fe2e80;MpKslb0fe2e80;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E0E98532-B5D7-4909-99D2-D34B8A22CBB6}\MpKslb0fe2e80.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E0E98532-B5D7-4909-99D2-D34B8A22CBB6}\MpKslb0fe2e80.sys [?]
S1 MpKslbf8fe406;MpKslbf8fe406;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CA88CD10-8669-4943-BEFF-1157A933CA7C}\MpKslbf8fe406.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CA88CD10-8669-4943-BEFF-1157A933CA7C}\MpKslbf8fe406.sys [?]
S1 MpKslcefc53da;MpKslcefc53da;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8DC3CA08-2D57-46E5-8955-C1F1CB43D965}\MpKslcefc53da.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8DC3CA08-2D57-46E5-8955-C1F1CB43D965}\MpKslcefc53da.sys [?]
S1 MpKsldf37030e;MpKsldf37030e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B6C30763-7F6C-421B-B864-DAA92D8CF64B}\MpKsldf37030e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B6C30763-7F6C-421B-B864-DAA92D8CF64B}\MpKsldf37030e.sys [?]
S1 MpKsle49a001f;MpKsle49a001f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9EF5287B-A0B5-4213-8CCC-4D7DC910CA46}\MpKsle49a001f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9EF5287B-A0B5-4213-8CCC-4D7DC910CA46}\MpKsle49a001f.sys [?]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe --> c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 KMService;KMService;c:\windows\system32\srvany.exe [9/27/2010 8:40 PM 8192]
S2 Roxio Upnp Server 11;Roxio Upnp Server 11;"c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe" --> c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe [?]
S2 RoxLiveShare11;LiveShare P2P Server 11;"c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe" --> c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [?]
S2 RoxWatch11;Roxio Hard Drive Watcher 11;"c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe" --> c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [?]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe [7/24/2009 8:33 AM 219632]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe" --> c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe [?]
S3 RoxMediaDB11;RoxMediaDB11;"c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe" --> c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [?]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe [7/24/2009 8:33 AM 1116656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/22/2009 11:08 PM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 3:09 AM 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLE016AF81
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-04-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
2011-04-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3908872593-1432629759-1091945336-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-04-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3908872593-1432629759-1091945336-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uLocal Page =
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: cinemanow.com
Trusted Zone: qflix.com
Trusted Zone: roxio.com
Trusted Zone: sonic.com\redirect
Trusted Zone: sonic.com\redirect2
FF - ProfilePath - c:\documents and settings\Lord\Application Data\Mozilla\Firefox\Profiles\ns2o3ouy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55273
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 8888
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-25 21:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500AAJS-75VWA0 rev.12.01B02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A6EE33B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3908872593-1432629759-1091945336-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1592)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-25 21:43:25
ComboFix-quarantined-files.txt 2011-04-26 01:43
.
Pre-Run: 149,452,779,520 bytes free
Post-Run: 150,374,219,776 bytes free
.
- - End Of File - - 3D3E20154610CA198B8BE5D9014E051D
 
Oh ya, you will see in that log there is something called "nvcpl.dll"; I believe it is for my graphics card. It always puts itself back in startup even after I disable it with CCleaner. Is there a way to stop it from doing that? In that log, at the bottom, I noticed something called Conduit. A while back a toolbar was installed on my PC called Conduit Engine; I'm still not confident all traces of it have been removed, and that program seemed like trouble. So if you know anything about it, perhaps you can make sure all of that program is removed too. I thought it was, but now that I see it in that log I'm worried. Last, what is a good website to read about rootkits? What are they?

I hope none of this is a bother; it seems relevant, especially that Conduit Engine.

Thanks for the help so far.
 
I am more concerned about the rootkit; we can look for other stuff to remove later.

Just copy and paste any logs or reports we ask for into the thread; there is no need to quote them.


ComboFix did not install the Recovery Console because it detected one on your system. Be back in a bit.
 
Thanks, just easier for me to analyze. We need to fix your Master Boot Record, but before we run the fix I want to make sure it will work on your manufacturer-installed Recovery Console.

Just hang in, I will be back as soon as I can
 
What is the brand of your computer?

When you go to My Computer, do you see a recovery partition? Most likely D:
 
I have a Dell Vostro 400 (not a mini tower).

When I open up My Computer I don't see a recovery partition, only my C: drive. But when I turn on the PC I have 3 options to choose from, which I never used to have before. One of them says Microsoft Windows Recovery Console.
 
Great, this is where we're at. Your Master Boot Record is infected with a rootkit and we need to remove it and write a new MBR. The only problem is that with a Dell you have a recovery partition, which you can use to bring your system back to the day you purchased it; that partition will be gone, so if you want to proceed, we can, but it's advisable to contact Dell and order Recovery Disks for your system.


This is what we need to do:
  • Reboot your machine and when the Boot Menu flashes up, select "Microsoft Windows Recovery Console"
    (you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the Windows XP boot-up)

    [image: RC_BootMenu.gif]

  • When you get to the above screen, take note of the number that references your operating system.

    [image: RConsole_A.png]

  • If it's '1' like the picture above, type 1 and press Enter.
  • It will then prompt you for the Administrator's password. If there is no password, simply press Enter. Otherwise type in the password and then press Enter.

    [image: RConsole_Fixmbr.png]

  • Next type FIXMBR

    [image: RConsole_FixmbrB.png]

  • If it asks if you're sure you want to write a new MBR, answer 'Y'.
  • Then type EXIT to reboot the machine.
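As an added example (not a tool anyone in this thread used), a small Python triage script run over lines excerpted from the ComboFix and OTL logs posted above: it picks out the GMER "detected hooks" entry that the MBR-rootkit diagnosis rests on, the Conduit keyword.URL the poster asks about, the loopback Firefox proxy entries, and the orphaned IE URLSearchHook. The rule names, the severity scale and the use of google.com as the stock keyword.URL host are this example's own assumptions.

```python
"""Triage indicator lines from DDS/ComboFix and OTL scan logs (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines excerpted from the ComboFix (DDS-style) and OTL
# logs posted in this thread, mixed so both Firefox pref line styles occur.
SAMPLE_LOG = [
    "FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q=",
    "FF - prefs.js: network.proxy.http - 127.0.0.1",
    "FF - prefs.js: network.proxy.http_port - 55273",
    "FF - prefs.js: network.proxy.ssl - localhost",
    "FF - prefs.js: network.proxy.ssl_port - 8888",
    "FF - prefs.js: network.proxy.type - 0",
    "detected disk devices:",
    "detected hooks:",
    r"\Driver\atapi DriverStartIo -> 0x8A6EE33B",
    "user & kernel MBR OK",
    'FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"',
    r"IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found",
]

FF_PREF_DDS = re.compile(r"^FF - prefs\.js: ([^\s:]+) - (.*)$")    # DDS style: name - value
FF_PREF_OTL = re.compile(r"^FF - prefs\.js\.\.([^\s:]+): (.*)$")   # OTL style: name: "value"
HOOK_LINE = re.compile(r"^\\Driver\\(\w+) (\w+) -> (0x[0-9A-Fa-f]+)$")
SEARCH_HOOK = re.compile(r"URLSearchHook: (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low" (this example's own scale)
    rule: str
    detail: str


def parse_ff_prefs(lines):
    """Collect Firefox prefs from both line styles into one name -> value dict."""
    prefs = {}
    for line in lines:
        m = FF_PREF_DDS.match(line) or FF_PREF_OTL.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs


def triage(lines):
    findings = []
    prefs = parse_ff_prefs(lines)

    # 1. Search hijack: Firefox's stock keyword.URL of that era pointed at
    #    google.com, so any other host was written by an add-on or installer
    #    (here the Conduit toolbar the poster asks about).
    kw = prefs.get("keyword.URL", "")
    if kw:
        host = urlparse(kw.replace("hxxp", "http", 1)).hostname or ""
        if host != "google.com" and not host.endswith(".google.com"):
            findings.append(Finding("medium", "ff-keyword-url", f"keyword.URL points at {host}"))

    # 2. Loopback proxy: only network.proxy.type 1 (manual) makes Firefox use
    #    it; type 0 is a direct connection, so the entries are dormant leftovers.
    proxy_type = prefs.get("network.proxy.type", "0")
    for scheme in ("http", "ssl"):
        host = prefs.get(f"network.proxy.{scheme}", "")
        if host in LOOPBACK:
            port = prefs.get(f"network.proxy.{scheme}_port", "?")
            active = proxy_type == "1"
            state = "active" if active else f"dormant, network.proxy.type={proxy_type}"
            findings.append(Finding("high" if active else "low", "ff-loopback-proxy",
                                    f"{scheme} proxy {host}:{port} ({state})"))

    # 3. GMER MBR detector: entries under 'detected hooks:' are patched driver
    #    dispatch pointers on the disk stack; the hooked atapi DriverStartIo is
    #    what the helper's MBR-rootkit diagnosis in this thread rests on.
    in_hooks = False
    for line in lines:
        if line.startswith("detected hooks:"):
            in_hooks = True
            continue
        m = HOOK_LINE.match(line) if in_hooks else None
        if m:
            findings.append(Finding("high", "disk-stack-hook",
                                    f"\\Driver\\{m.group(1)} {m.group(2)} -> {m.group(3)}"))
        elif in_hooks and not line.startswith("\\"):
            in_hooks = False  # the section ends at the first non-hook line

    # 4. IE URLSearchHook whose CLSID no longer resolves: residue of an
    #    uninstalled toolbar, worth cleaning but not an active threat.
    for line in lines:
        m = SEARCH_HOOK.search(line)
        if m and ("Key error" in m.group(2) or "File not found" in m.group(2)):
            findings.append(Finding("low", "ie-orphan-searchhook", f"{m.group(1)}: {m.group(2)}"))
    return findings


if __name__ == "__main__":
    order = ("high", "medium", "low")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.rule:22} {f.detail}")
```

Both logs in the thread show network.proxy.type 0, so the 127.0.0.1:55273 and localhost:8888 proxy entries are configured but not in use; the script rates them low for that reason and would rate them high only with type 1.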
 
I'm not worried about losing that partition; I didn't even know it existed. I have all the original discs from Dell if I need them, and if I were to, or needed to, do a complete re-install I'd go with Win7, so removing that is no problem for me. Will that partition space be completely lost? (I know it's not a lot of space, I'm just a little curious.)

Alright, I'm all done. My PC restarted normally.
 

Sometimes these rootkits bring friends along for a ride, let's check.

Please download ATF Cleaner by Atribune to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected and it will be back to normal after the first or second boot-up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.




Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    [image: MBAMCapture.jpg]
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete-on-reboot list, please reboot.
Post the report, please.
 
I already had MBAM; I updated the database before I ran a scan.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6456

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

4/27/2011 8:59:27 AM
mbam-log-2011-04-27 (08-59-27).txt

Scan type: Quick scan
Objects scanned: 163868
Time elapsed: 3 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Let's run this scan and let me know how things are running now.

OTL by OldTimer
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Click the "Scan All Users" checkbox.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt.
    Note: These logs can be found in the OTL folder on your C:\ drive if they fail to open automatically.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.
 
OTL.txt

MBAM always showed up as clean.

Here is the first log, OTL.txt:

OTL logfile created on: 4/27/2011 3:56:14 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Lord\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.77 Gb Total Space | 139.77 Gb Free Space | 60.04% Space Free | Partition Type: NTFS

Computer Name: ALEX | User Name: Lord | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Lord\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe (CinemaNow, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Lord\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (RoxWatch11) -- File not found
SRV - (RoxMediaDB11) -- File not found
SRV - (RoxLiveShare11) -- File not found
SRV - (Roxio Upnp Server 11) -- File not found
SRV - (Roxio UPnP Renderer 11) -- File not found
SRV - (getPlus(R) Helper) getPlus(R) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) -- File not found
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SRV - (KMService) -- C:\WINDOWS\system32\srvany.exe ()
SRV - (RoxWatch12) -- C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe (Sonic Solutions)
SRV - (RoxMediaDB12) -- C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe (Sonic Solutions)
SRV - (CinemaNow Service) -- C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe (CinemaNow, Inc.)


========== Driver Services (SafeList) ==========

DRV - (c2scsi) -- C:\WINDOWS\System32\drivers\c2scsi.sys (Sonic Solutions)
DRV - (SaibVd32) -- C:\WINDOWS\system32\drivers\SaibVd32.sys (Sonic Solutions)
DRV - (SahdIa32) -- C:\WINDOWS\System32\Drivers\SahdIa32.sys (Sonic Solutions)
DRV - (SaibIa32) -- C:\WINDOWS\System32\Drivers\SaibIa32.sys (Sonic Solutions)
DRV - (RsFx0103) -- C:\WINDOWS\system32\drivers\RsFx0103.sys (Microsoft Corporation)
DRV - (RxFilter) -- C:\WINDOWS\system32\drivers\RxFilter.sys (Sonic Solutions)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (LHidKe) -- C:\WINDOWS\system32\drivers\LHidKE.Sys (Logitech Inc.)
DRV - (LMouKE) -- C:\WINDOWS\system32\drivers\LMouKE.Sys (Logitech Inc.)
DRV - (TIEHDUSB) -- C:\WINDOWS\system32\drivers\tiehdusb.sys (Texas Instruments Incorporated)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080517
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080517


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080517
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080517
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page =
IE - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.order.1: "Yahoo"
FF - prefs.js..browser.search.order.2: "Yahoo"
FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.4
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q="
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 55273
FF - prefs.js..network.proxy.no_proxies_on: ""
FF - prefs.js..network.proxy.ssl: "localhost"
FF - prefs.js..network.proxy.ssl_port: 8888
FF - prefs.js..network.proxy.type: 0


FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/05/21 10:56:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\web2pdfextension@web2pdf.adobedotcom: C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2011/04/01 11:52:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/21 13:58:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2010/07/09 09:54:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lord\Application Data\Mozilla\Extensions
[2011/03/11 10:34:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lord\Application Data\Mozilla\Firefox\Profiles\ns2o3ouy.default\extensions
[2010/04/28 15:14:32 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Lord\Application Data\Mozilla\Firefox\Profiles\ns2o3ouy.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/22 13:45:06 | 000,000,000 | ---D | M] (RedShift V3) -- C:\Documents and Settings\Lord\Application Data\Mozilla\Firefox\Profiles\ns2o3ouy.default\extensions\redshift_V2@shift-themes.com
[2009/08/01 23:16:25 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Lord\Application Data\Mozilla\Firefox\Profiles\ns2o3ouy.default\searchplugins\search-the-web.xml
[2011/04/21 13:58:46 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
File not found (No name found) --
() (No name found) -- C:\DOCUMENTS AND SETTINGS\LORD\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\NS2O3OUY.DEFAULT\EXTENSIONS\{CD6C4EBF-366E-45A0-98B5-B8217288EED7}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\LORD\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\NS2O3OUY.DEFAULT\EXTENSIONS\TESTPILOT@LABS.MOZILLA.COM.XPI
[2010/04/08 06:58:22 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/03/18 13:53:24 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/04/22 20:27:27 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll (TechSmith Corporation)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Oracle)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll (TechSmith Corporation)
O3 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No CLSID value found.
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - Startup: C:\Documents and Settings\Lord\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_21.dll (Oracle)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..Trusted Domains: cinemanow.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..Trusted Domains: cinemanow.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..Trusted Domains: qflix.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..Trusted Domains: roxio.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..Trusted Domains: sonic.com ([redirect] http in Trusted sites)
O15 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..Trusted Domains: sonic.com ([redirect2] http in Trusted sites)
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab (Macromedia Authorware Web Player Control)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab (Solitaire Showdown Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab (Minesweeper Flags Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.237.161.12
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Dell.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Dell.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/27 15:55:01 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lord\Desktop\OTL.exe
[2011/04/27 09:02:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2011/04/27 08:55:43 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/04/27 08:54:59 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Lord\Desktop\ATF-Cleaner.exe
[2011/04/25 21:25:52 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/04/25 21:25:52 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/04/25 21:25:52 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/04/25 21:25:52 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/04/25 21:25:30 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/25 20:08:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\tdsskiller
[2011/04/23 12:57:02 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/04/23 12:57:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/04/23 12:56:42 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Lord\Desktop\erunt-setup.exe
[2011/04/22 22:25:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/04/22 20:54:25 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Lord\Recent
[2011/04/22 20:10:59 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/04/22 20:06:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/04/22 13:01:58 | 000,000,000 | ---D | C] -- C:\Program Files\CP-Autos
[2011/04/22 12:22:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/04/22 12:22:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/04/21 18:06:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2011/04/21 17:44:47 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2011/04/21 17:44:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Microsoft
[2011/04/21 17:39:24 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio 8
[2011/04/21 17:26:20 | 000,000,000 | R--D | C] -- C:\MSOCache
[2011/04/21 13:58:45 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2011/04/21 12:27:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Application Data\Malwarebytes
[2011/04/21 12:27:06 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/21 12:27:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/21 12:27:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/21 12:27:02 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/21 12:27:02 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/21 12:04:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/04/21 12:04:26 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/04/21 12:04:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/04/21 10:51:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2011/04/21 10:50:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/04/20 23:43:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Local Settings\Application Data\Microsoft Help
[2011/04/20 23:35:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2011/04/20 15:02:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\(DONE) African Diaspora Mathematics Compendium, Volume 4-ALL LATEX
[2011/04/20 14:04:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Application Data\Help
[2011/04/20 12:54:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/04/20 12:54:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/04/20 12:00:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sonic
[2011/04/19 16:30:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\world
[2011/04/18 17:39:12 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/04/15 18:01:01 | 000,050,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
[2011/04/15 18:00:47 | 000,079,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
[2011/04/15 17:59:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\RsFx
[2011/04/15 17:56:37 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server
[2011/04/15 15:18:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Application Data\TweakNow RegCleaner 2011
[2011/04/12 14:53:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Products
[2011/04/12 13:05:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Local Settings\Application Data\Adobe
[2011/04/12 12:43:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Application Data\Adobe
[2011/04/12 12:31:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/04/12 09:32:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\Transmission Lines Theory, Types and Applications
[2011/04/08 18:19:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\symbols
[2011/04/08 18:19:49 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Help Viewer
[2011/04/06 16:20:16 | 000,107,808 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\dns-sd.exe
[2011/04/06 16:20:16 | 000,091,424 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\dnssd.dll
[2011/04/04 22:45:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Local Settings\Application Data\PCTeX
[2011/04/04 22:45:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PCTeX
[2011/04/04 22:44:54 | 000,000,000 | ---D | C] -- C:\Program Files\PCTeX
[2011/04/01 16:53:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\My Documents\My PCTeX Files
[2011/04/01 12:36:42 | 000,000,000 | ---D | C] -- C:\Program Files\Ghostgum
[2011/04/01 12:32:30 | 000,000,000 | ---D | C] -- C:\Program Files\gs
[2011/04/01 11:53:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe
[2011/04/01 11:50:08 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe-BackupByPhotoshopCS5Portable
[2011/04/01 11:50:08 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2011/03/31 10:18:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\Machine Tools Design, Reliability and Safety
[2011/03/31 10:18:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\Advances in Sociology Research Volume 10
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/27 15:55:01 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lord\Desktop\OTL.exe
[2011/04/27 15:51:37 | 000,235,289 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2011/04/27 15:51:10 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-3908872593-1432629759-1091945336-1006.job
[2011/04/27 15:50:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/27 15:50:48 | 2145,566,720 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/27 08:57:17 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/04/27 08:55:00 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Lord\Desktop\ATF-Cleaner.exe
[2011/04/25 21:24:11 | 004,330,054 | R--- | M] () -- C:\Documents and Settings\Lord\Desktop\Combo-Fix.exe
[2011/04/25 20:08:04 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\tdsskiller.zip
[2011/04/25 20:04:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/23 13:01:47 | 000,003,801 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\Attach.zip
[2011/04/23 12:57:30 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\dds.scr
[2011/04/23 12:57:04 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Lord\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/04/23 12:57:02 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\ERUNT.lnk
[2011/04/23 12:56:43 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Lord\Desktop\erunt-setup.exe
[2011/04/23 12:31:24 | 000,340,240 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/22 20:27:27 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/04/22 20:11:06 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/04/22 20:09:42 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/22 18:37:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-3908872593-1432629759-1091945336-1006.job
[2011/04/21 13:58:48 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Lord\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/21 13:58:48 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/04/21 13:50:40 | 000,003,584 | ---- | M] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/21 12:27:06 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/21 12:04:30 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\Spybot - Search & Destroy.lnk
[2011/04/20 13:10:49 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/04/20 07:14:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/04/18 18:53:58 | 000,000,019 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2011/04/18 18:32:29 | 000,630,932 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/18 18:32:29 | 000,136,800 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/04/18 17:44:31 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/04/12 12:43:14 | 000,011,495 | ---- | M] () -- C:\Documents and Settings\Lord\gsview32.ini
[2011/04/09 23:23:58 | 000,000,165 | ---- | M] () -- C:\WINDOWS\System32\spupdsvc.inf
[2011/04/09 22:52:51 | 000,001,542 | -HS- | M] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/09 22:52:51 | 000,001,542 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/08 16:42:37 | 000,002,373 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\Remere's Map Editor.lnk
[2011/04/06 16:20:16 | 000,107,808 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\dns-sd.exe
[2011/04/06 16:20:16 | 000,091,424 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\dnssd.dll
[2011/04/04 22:45:04 | 000,000,750 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\PCTeXv5.lnk
[2011/04/04 18:17:40 | 000,014,910 | -HS- | M] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\0810l5u6odc6bt4h
[2011/04/04 18:17:40 | 000,014,910 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\0810l5u6odc6bt4h
[2011/04/03 12:03:59 | 000,014,183 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\test.otbm
[2011/04/01 16:25:00 | 000,000,043 | ---- | M] () -- C:\WINDOWS\gswin32.ini
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/25 21:25:52 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/04/25 21:25:52 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/04/25 21:25:52 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/04/25 21:25:52 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/04/25 21:25:52 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/04/25 21:24:05 | 004,330,054 | R--- | C] () -- C:\Documents and Settings\Lord\Desktop\Combo-Fix.exe
[2011/04/25 20:07:59 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\tdsskiller.zip
[2011/04/25 20:04:06 | 2145,566,720 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/23 13:01:47 | 000,003,801 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\Attach.zip
[2011/04/23 12:57:30 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\dds.scr
[2011/04/23 12:57:04 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Lord\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/04/23 12:57:02 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\ERUNT.lnk
[2011/04/22 20:11:01 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/04/21 13:58:48 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Lord\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/21 13:58:48 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/04/21 13:50:40 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/21 12:27:06 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/21 12:04:30 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\Spybot - Search & Destroy.lnk
[2011/04/20 14:02:01 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/20 13:10:49 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/04/09 23:23:58 | 000,000,165 | ---- | C] () -- C:\WINDOWS\System32\spupdsvc.inf
[2011/04/09 22:52:43 | 000,001,542 | -HS- | C] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/09 22:52:43 | 000,001,542 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/04 22:45:04 | 000,000,750 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\PCTeXv5.lnk
[2011/04/04 18:15:55 | 000,014,910 | -HS- | C] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\0810l5u6odc6bt4h
[2011/04/04 18:15:55 | 000,014,910 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\0810l5u6odc6bt4h
[2011/04/03 11:15:30 | 000,014,183 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\test.otbm
[2011/04/01 16:25:00 | 000,000,043 | ---- | C] () -- C:\WINDOWS\gswin32.ini
[2011/04/01 12:36:46 | 000,011,495 | ---- | C] () -- C:\Documents and Settings\Lord\gsview32.ini
[2011/02/06 11:34:25 | 009,566,435 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-3908872593-1432629759-1091945336-1006-0.dat
[2011/02/06 11:34:10 | 000,347,274 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2010/09/27 20:40:55 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\srvany.exe
[2010/07/09 00:20:09 | 001,708,496 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/05/20 20:08:14 | 000,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/01/26 20:10:47 | 000,055,809 | ---- | C] () -- C:\WINDOWS\CP-FPCOS100.dll
[2009/12/04 15:07:54 | 000,010,752 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/23 22:09:27 | 000,000,019 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2009/06/21 11:53:14 | 000,000,025 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2009/06/10 08:29:34 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/06/10 08:29:34 | 001,657,376 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2009/06/10 08:29:34 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/06/10 08:29:34 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/06/10 08:29:34 | 000,449,056 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2009/06/10 08:29:34 | 000,436,768 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2009/06/10 08:29:32 | 001,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/06/10 06:03:00 | 001,580,550 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2009/03/07 13:41:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2009/01/25 01:45:09 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2009/01/24 13:25:42 | 000,000,039 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2008/10/13 15:48:47 | 000,072,516 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2008/08/12 09:29:05 | 001,245,696 | ---- | C] () -- C:\WINDOWS\System32\QtNetwork4.dll
[2008/08/12 09:29:05 | 000,505,344 | ---- | C] () -- C:\WINDOWS\System32\QtXml4.dll
[2008/08/01 10:16:24 | 000,063,984 | ---- | C] () -- C:\WINDOWS\DVDRGN.EXE
[2008/07/29 15:50:13 | 000,000,022 | ---- | C] () -- C:\WINDOWS\msnmsgr.exe.ini
[2008/06/21 12:44:05 | 010,436,608 | ---- | C] () -- C:\WINDOWS\System32\QtGui4.dll
[2008/06/21 12:44:05 | 002,660,864 | ---- | C] () -- C:\WINDOWS\System32\QtCore4.dll
[2008/06/21 12:44:05 | 000,015,960 | ---- | C] () -- C:\WINDOWS\System32\mingwm10.dll
[2008/05/22 15:52:33 | 000,001,160 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2008/05/21 22:32:49 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/05/21 21:55:45 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2008/05/21 20:59:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/05/16 19:08:13 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/05/16 19:04:37 | 000,000,611 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/05/16 18:45:26 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2008/05/16 18:44:22 | 000,001,124 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/10 14:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 14:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/10 14:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 14:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 13:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 13:57:15 | 000,340,240 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 13:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 13:51:20 | 000,630,932 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 13:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 13:51:20 | 000,136,800 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 13:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 13:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 13:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 13:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 13:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 13:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 13:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 13:50:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/01/30 16:07:46 | 000,245,408 | ---- | C] () -- C:\WINDOWS\System32\unicows.dll

========== LOP Check ==========

[2010/04/24 15:18:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CinemaNow
[2010/02/18 16:32:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PhotoShow Shared Assets
[2008/10/26 21:29:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2009/12/18 19:16:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2010/02/18 16:48:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
[2010/12/06 17:39:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TechSmith
[2010/02/18 16:34:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2010/07/22 13:32:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/04/22 20:54:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lord\Application Data\BitTorrent
[2011/04/20 15:06:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lord\Application Data\FileZilla
[2010/12/13 15:54:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lord\Application Data\Notepad++
[2010/08/31 10:32:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lord\Application Data\Remere's Map Editor
[2011/01/31 22:37:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lord\Application Data\Tibia
[2011/04/21 11:00:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lord\Application Data\TweakNow RegCleaner 2011
[2011/04/27 15:58:29 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Lord\My Documents\just stuff.lua:DocumentSummaryInformation
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Lord\Desktop\template.dmsd:Roxio EMC Stream
@Alternate Data Stream - 48 bytes -> C:\Documents and Settings\All Users\DRM:مايكروسوفت
@Alternate Data Stream - 148 bytes -> C:\Documents and Settings\Lord\My Documents\just stuff.lua:SummaryInformation
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\Lord\My Documents\its my life.doc:SummaryInformation

< End of report >
 