Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Rootkit help needed


Re: Rootkit help needed

Unread postby askey127 » January 31st, 2011, 3:27 pm

tangerine,
With no rootkit showing, we should be able to remove any of the offending files.
---------------------------------------------
Run CKScanner
Download CKScanner from HERE
Important - Save it to your desktop.
Right-Click CKScanner.exe, choose Run as administrator and click Search For Files.
After a couple minutes or less, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop, give permission if asked, and copy/paste the contents in your next reply.
----------------------------------------------
Perform a Custom Scan or Fix with OTL
Run OTL (Right click and "Run as administrator")
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :processes
    killallprocesses
    
    :OTL
    IE - HKLM\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - Reg Error: Key error. File not found
    FF - prefs.js..extensions.enabledItems: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}:3.2.3.3
    FF - prefs.js..extensions.enabledItems: toolbar@alot.com:2.4.4000
    [2010/11/16 18:14:55 | 000,000,000 | ---D | M] (uTorrentBar Community Toolbar) -- C:\Users\Chris\AppData\Roaming\mozilla\Firefox\Profiles\prvkl47q.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
    [2010/11/16 18:14:56 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Users\Chris\AppData\Roaming\mozilla\Firefox\Profiles\prvkl47q.default\extensions\engine@conduit.com
    [2010/08/04 17:19:17 | 000,000,000 | ---D | M] (ALOT Toolbar) -- C:\Users\Chris\AppData\Roaming\mozilla\Firefox\Profiles\prvkl47q.default\extensions\toolbar@alot.com
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resourc ... oscan8.cab (Reg Error: Key error.)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    
    :Reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "uTorrent" =-
    
    :Commands
    [EMPTYTEMP]
    [Reboot]
    
  • Then click the Run Fix button at the top.
  • Let the program run unhindered and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

So we are looking for the CKScanner log, and the log from OTL.
Doing well so far.

After this set of tasks is complete, we will run scans with a couple more tools, and remove junk as we go.
askey127
Admin/Teacher
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
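As an added example (not OTL's own code and not one of the forum's tools), the Python script below parses the record formats that OTL prints in this thread and flags the same kinds of entries the fix above targets: lines where OTL reports "Reg Error" or "File not found" (leftovers of a half-removed toolbar), extensions that prefs.js still enables although their folder is gone, and processes, services or drivers with an empty company name. The sample input is a handful of lines copied from the log posted in this thread; the regular expressions are my reading of OTL's line layout, not a documented format.

```python
"""Triage helper for OTL scan-log lines (added example, not OTL's own code).

Flags what a helper reviews first in a Quick Scan log: entries whose file or
registry key is gone, prefs.js-enabled Firefox extensions whose folder is
missing, and processes/services/drivers with no company name.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# PRC - [2011/01/07 01:22:54 | 002,747,744 | ---- | M] (Company) -- C:\path\file.exe
# DRV - [date | size | ---- | M] (Company) [Kernel | System | Running] -- C:\x.sys -- (svc) desc
# [2011/02/01 02:49:08 | 000,000,000 | ---D | C] -- C:\_OTL   (bare file/folder record)
RECORD_RE = re.compile(
    r"^(?:(?P<kind>PRC|MOD|SRV|DRV) - )?"
    r"\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| [MC]\] (?:\((?P<company>.*?)\) )?"
    r"(?:\[[^\]]*\] )?-- (?P<path>.+?)(?: -- \((?P<svc>[^)]*)\).*)?$"
)
# FF - prefs.js..extensions.enabledItems: {guid}:version   or   id@host:version
PREF_ITEM_RE = re.compile(
    r'^FF - prefs\.js\.\.extensions\.enabledItems: (?P<ident>[^:\s"]+):(?P<version>\S+)$'
)
# File not found (No name found) -- C:\...\EXTENSIONS\{ID}   (OTL upper-cases these lines)
MISSING_DIR_RE = re.compile(r"^File not found \(No name found\) -- (?P<path>.+)$")

# Constructed sample input: lines copied from the OTL log posted in this thread.
SAMPLE = r"""
PRC - [2011/01/07 01:22:54 | 002,747,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe
PRC - [2010/11/18 10:20:25 | 000,142,336 | ---- | M] () -- C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
SRV - [2009/04/30 10:23:26 | 000,090,112 | ---- | M] () [Auto | Running] -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe -- (OMSI download service)
DRV - [2009/04/11 04:42:54 | 000,073,216 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
IE - HKLM\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - Reg Error: Key error. File not found
FF - prefs.js..extensions.enabledItems: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}:3.2.3.3
FF - prefs.js..extensions.enabledItems: toolbar@alot.com:2.4.4000
FF - prefs.js..extensions.enabledItems: ""
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20100908
[2010/10/03 05:53:21 | 000,000,000 | ---D | M] (WOT) -- C:\Users\Chris\AppData\Roaming\mozilla\Firefox\Profiles\prvkl47q.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
File not found (No name found) -- C:\USERS\CHRIS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\PRVKL47Q.DEFAULT\EXTENSIONS\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}
File not found (No name found) -- C:\USERS\CHRIS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\PRVKL47Q.DEFAULT\EXTENSIONS\TOOLBAR@ALOT.COM
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O4 - HKCU..\Run: [msnmsgr] File not found
"""


@dataclass(frozen=True)
class Finding:
    reason: str
    line: str


def parse_record(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one timestamped OTL record into its fields, or None if it is not one."""
    m = RECORD_RE.match(line.strip())
    return m.groupdict() if m else None


def enabled_extensions(lines: List[str]) -> Dict[str, str]:
    """Firefox extension id (lower-cased) -> version, from the prefs.js lines."""
    found: Dict[str, str] = {}
    for line in lines:
        m = PREF_ITEM_RE.match(line.strip())
        if m:
            found[m.group("ident").lower()] = m.group("version")
    return found


def orphaned_extensions(lines: List[str]) -> List[str]:
    """Ids that prefs.js still enables although OTL reports the extension folder missing."""
    missing = set()
    for line in lines:
        m = MISSING_DIR_RE.match(line.strip())
        if m:
            # The last path component of the extensions folder is the extension id.
            missing.add(m.group("path").rstrip("\\").rsplit("\\", 1)[-1].lower())
    return sorted(ident for ident in enabled_extensions(lines) if ident in missing)


def triage(lines: List[str]) -> List[Finding]:
    """Return the lines (and extension ids) a helper would look at first."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        # OTL prints these markers when the registry key or file behind an entry is gone.
        if "Reg Error" in line or "File not found" in line:
            findings.append(Finding("orphaned entry: file or registry key missing", line))
            continue
        rec = parse_record(line)
        if rec and rec["kind"] in ("PRC", "SRV", "DRV") and not (rec["company"] or "").strip():
            # "()" means OTL found no company name in the file's version resource.
            findings.append(Finding("loaded code with no company name: verify the file", line))
    for ident in orphaned_extensions(lines):
        findings.append(Finding("prefs.js enables an extension whose folder is gone", ident))
    return findings


def sample_lines() -> List[str]:
    """The constructed sample above, one record per element."""
    return SAMPLE.strip().splitlines()
```

To use it on a full log, replace SAMPLE with the contents of the OTL.txt file and print the result of triage(); a flagged line is a candidate for review, not proof of infection, since Windows entries such as autochk also show "File not found".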

Re: Rootkit help needed

Unread postby tangerine » January 31st, 2011, 10:42 pm

Can I ask a question please? When I ran Trend Micro and Sophos the other day, they both gave the file HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Recording\Restricted as the offending file. Is that where the rootkit is?
tangerine
Regular Member
Posts: 27
Joined: January 29th, 2011, 10:28 am

Re: Rootkit help needed

Unread postby tangerine » January 31st, 2011, 10:55 pm

The CKScanner log only produced this:

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----
tangerine
Regular Member
Posts: 27
Joined: January 29th, 2011, 10:28 am

Re: Rootkit help needed

Unread postby tangerine » January 31st, 2011, 11:00 pm

The quick scan on OTL finished and didn't produce a log.

However, there was this log:

OTL logfile created on: 01/02/2011 02:54:15 - Run 2
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Users\Chris\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18999)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 204.77 Gb Free Space | 68.69% Space Free | Partition Type: NTFS

Computer Name: CHRIS-PC | User Name: Chris | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/01/31 13:23:17 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Chris\Desktop\OTL.exe
PRC - [2011/01/07 01:22:54 | 002,747,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe
PRC - [2011/01/07 01:22:44 | 001,084,256 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgnsx.exe
PRC - [2011/01/06 15:23:20 | 000,737,872 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2011/01/06 15:23:18 | 006,128,720 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
PRC - [2010/12/05 16:26:40 | 000,654,176 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgrsx.exe
PRC - [2010/12/05 16:26:12 | 000,650,592 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgchsvx.exe
PRC - [2010/11/22 04:48:46 | 003,226,632 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgfws.exe
PRC - [2010/11/20 00:39:27 | 000,274,608 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2010/11/18 10:20:25 | 000,142,336 | ---- | M] () -- C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
PRC - [2010/10/22 04:58:18 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe
PRC - [2010/10/22 04:56:58 | 000,845,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgcsrvx.exe
PRC - [2010/10/22 04:56:48 | 000,745,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgam.exe
PRC - [2010/10/21 08:07:46 | 000,304,304 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
PRC - [2010/10/03 05:37:45 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2010/08/13 12:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2009/04/30 10:23:26 | 000,090,112 | ---- | M] () -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
PRC - [2009/04/11 06:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/01/17 06:22:20 | 004,907,008 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/12/05 05:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AERTSrv.exe


========== Modules (SafeList) ==========

MOD - [2011/01/31 13:23:17 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Chris\Desktop\OTL.exe
MOD - [2010/08/31 15:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/01/06 15:23:18 | 006,128,720 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2010/11/22 04:48:46 | 003,226,632 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\avgfws.exe -- (avgfws)
SRV - [2010/10/22 04:58:18 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2010/08/13 12:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/18 12:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/09/25 01:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/04/30 10:23:26 | 000,090,112 | ---- | M] () [Auto | Running] -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe -- (OMSI download service)
SRV - [2008/01/21 02:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/05 05:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AERTSrv.exe -- (AERTFilters)


========== Driver Services (SafeList) ==========

DRV - [2010/12/08 04:12:38 | 000,251,728 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2010/11/12 13:19:38 | 000,299,984 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2010/10/13 18:04:18 | 000,025,512 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ggsemc.sys -- (ggsemc)
DRV - [2010/10/13 18:04:18 | 000,013,224 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ggflt.sys -- (ggflt)
DRV - [2010/09/22 19:19:02 | 000,032,768 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\taphss.sys -- (taphss)
DRV - [2010/09/13 15:27:40 | 000,025,680 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2010/09/07 03:48:56 | 000,034,384 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2010/09/07 03:48:50 | 000,026,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2010/08/19 20:42:38 | 000,123,472 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2010/08/19 20:42:38 | 000,027,216 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2010/08/19 20:42:36 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2010/07/12 04:34:02 | 000,054,112 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgfwd6x.sys -- (Avgfwfd)
DRV - [2009/12/12 07:48:04 | 000,025,984 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tap0901.sys -- (tap0901)
DRV - [2009/04/11 04:42:54 | 000,073,216 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2009/03/25 15:48:00 | 000,114,728 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s1018mdm.sys -- (s1018mdm)
DRV - [2009/03/25 15:48:00 | 000,109,864 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s1018unic.sys -- (s1018unic) Sony Ericsson Device 1018 USB Ethernet Emulation (WDM)
DRV - [2009/03/25 15:48:00 | 000,106,208 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s1018mgmt.sys -- (s1018mgmt) Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM)
DRV - [2009/03/25 15:48:00 | 000,104,744 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s1018obex.sys -- (s1018obex)
DRV - [2009/03/25 15:48:00 | 000,086,824 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s1018bus.sys -- (s1018bus) Sony Ericsson Device 1018 driver (WDM)
DRV - [2009/03/25 15:48:00 | 000,026,024 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s1018nd5.sys -- (s1018nd5) Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS)
DRV - [2009/03/25 15:48:00 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s1018mdfl.sys -- (s1018mdfl)
DRV - [2008/10/21 08:22:48 | 000,114,600 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0017mdm.sys -- (s0017mdm)
DRV - [2008/10/21 08:22:48 | 000,109,736 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0017unic.sys -- (s0017unic) Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM)
DRV - [2008/10/21 08:22:48 | 000,108,328 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0017mgmt.sys -- (s0017mgmt) Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM)
DRV - [2008/10/21 08:22:48 | 000,104,616 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0017obex.sys -- (s0017obex)
DRV - [2008/10/21 08:22:48 | 000,086,824 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0017bus.sys -- (s0017bus) Sony Ericsson Device 0017 driver (WDM)
DRV - [2008/10/21 08:22:48 | 000,026,024 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0017nd5.sys -- (s0017nd5) Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS)
DRV - [2008/10/21 08:22:48 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s0017mdfl.sys -- (s0017mdfl)
DRV - [2008/10/09 14:42:42 | 000,017,408 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\KMWDFILTER.sys -- (KMWDFILTER)
DRV - [2008/04/18 17:16:26 | 002,354,176 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2008/01/24 10:06:40 | 002,054,872 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/01/21 02:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/21 02:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/21 02:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/21 02:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/21 02:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/21 02:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/21 02:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/21 02:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2008/01/21 02:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/21 02:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/21 02:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
DRV - [2008/01/21 02:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/21 02:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/21 02:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/21 02:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/21 02:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/21 02:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/21 02:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/21 02:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/21 02:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/21 02:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/21 02:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/21 02:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/21 02:23:00 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/21 02:23:00 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/21 02:23:00 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2008/01/09 11:28:34 | 000,027,632 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\seehcri.sys -- (seehcri)
DRV - [2006/11/02 09:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 09:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 09:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 09:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 09:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 09:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 09:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 09:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 09:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 09:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 09:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 08:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 08:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 08:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 08:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 08:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 08:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 07:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 2A 41 24 B2 14 62 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..browser.search.selectedEngine: "AVG Secure Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.1
FF - prefs.js..extensions.enabledItems: ""
FF - prefs.js..extensions.enabledItems: {ACAA314B-EEBA-48e4-AD47-84E31C44796C}:1.0.1
FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.2.3.3
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20100908
FF - prefs.js..extensions.enabledItems: ""
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1178
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.1.20091029021655
FF - prefs.js..keyword.URL: "http://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p="


FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/11/20 00:39:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG10\Firefox\ [2010/12/17 09:42:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/19 19:11:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/19 19:11:55 | 000,000,000 | ---D | M]

[2010/04/26 12:01:20 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chris\AppData\Roaming\mozilla\Extensions
[2011/02/01 02:49:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chris\AppData\Roaming\mozilla\Firefox\Profiles\prvkl47q.default\extensions
[2010/11/22 18:46:58 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Chris\AppData\Roaming\mozilla\Firefox\Profiles\prvkl47q.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/12 20:18:27 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Chris\AppData\Roaming\mozilla\Firefox\Profiles\prvkl47q.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/10/03 05:53:21 | 000,000,000 | ---D | M] (WOT) -- C:\Users\Chris\AppData\Roaming\mozilla\Firefox\Profiles\prvkl47q.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2010/08/29 17:39:57 | 000,000,000 | ---D | M] ("DVDVideoSoft Menu") -- C:\Users\Chris\AppData\Roaming\mozilla\Firefox\Profiles\prvkl47q.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
[2010/12/27 17:44:51 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/12/10 22:56:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2010/12/17 09:42:49 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG10\FIREFOX
[2010/11/20 00:39:57 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\PROGRAMDATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
File not found (No name found) -- C:\USERS\CHRIS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\PRVKL47Q.DEFAULT\EXTENSIONS\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}
File not found (No name found) -- C:\USERS\CHRIS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\PRVKL47Q.DEFAULT\EXTENSIONS\ENGINE@CONDUIT.COM
File not found (No name found) -- C:\USERS\CHRIS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\PRVKL47Q.DEFAULT\EXTENSIONS\TOOLBAR@ALOT.COM
[2010/12/10 22:55:45 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/11/24 00:25:23 | 000,000,352 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O2 - BHO: (WOT Helper) - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll ()
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (WOT) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (WOT) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [msnmsgr] File not found
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll (Google Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/s ... wflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\wot {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 21:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/02/01 02:49:08 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/01/31 21:55:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SBR Poker
[2011/01/31 21:55:23 | 000,000,000 | ---D | C] -- C:\Program Files\SBR Poker
[2011/01/31 21:54:51 | 004,349,953 | ---- | C] (SBR ) -- C:\Users\Chris\Desktop\sbr_setup.exe
[2011/01/31 13:23:14 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Users\Chris\Desktop\OTL.exe
[2011/01/30 16:45:48 | 001,350,232 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Chris\Desktop\cj.exe
[2011/01/30 16:44:48 | 001,350,232 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Chris\Desktop\tdsskiller.exe
[2011/01/30 16:38:25 | 000,000,000 | ---D | C] -- C:\Users\Chris\Desktop\backups
[2011/01/29 14:32:48 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Chris\Desktop\HijackThis.exe
[2011/01/28 20:31:36 | 000,000,000 | ---D | C] -- C:\Users\Chris\Desktop\RootkitBuster_3.60.1016
[2011/01/27 08:14:03 | 000,000,000 | ---D | C] -- C:\Users\Chris\Desktop\gmer
[2011/01/26 22:45:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
[2011/01/25 17:02:13 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{5252F68E-6303-45FA-A6C6-5B1C01885A22}
[2011/01/25 03:37:42 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{E2634623-18D9-4A49-B5EF-7B14B99E6582}
[2011/01/24 09:25:17 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{B77FD3AF-E54F-4B22-8801-2B424F5D3425}
[2011/01/23 20:58:20 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{664305D6-9604-4856-B60D-2AA7F76700B5}
[2011/01/23 08:58:05 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{D215EB88-482C-4482-8F0B-0C684E21263A}
[2011/01/22 10:10:39 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{7CBA5385-EDD6-454B-AA93-DD9FD450F0E4}
[2011/01/21 07:32:50 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{F8600CFA-5256-41E0-B8B9-573D8A7A1946}
[2011/01/20 18:32:21 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\Apps
[2011/01/20 18:30:57 | 000,000,000 | ---D | C] -- C:\Program Files\EASEUS
[2011/01/20 15:33:30 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{C9EA280F-D05E-403C-B997-B57E66DA8405}
[2011/01/20 03:33:06 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{5D70CD89-7CE2-4196-B22C-5AB3902E95DF}
[2011/01/19 15:32:54 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{9F910F2A-5E86-48E7-8731-69915F6E3880}
[2011/01/19 03:32:43 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{5FC3005B-5A86-46D7-B5E0-0AE2A1C9DFAD}
[2011/01/18 15:32:32 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{8E23C7E4-33CB-4E85-9A19-297A8797A156}
[2011/01/18 03:32:21 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{5562B105-9A84-4B18-AFC1-E7BF15015611}
[2011/01/17 10:45:35 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{4E35672E-6163-4B6F-8E9A-D1E23D6A62D0}
[2011/01/16 22:45:24 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{942218A8-1C55-4548-B775-01BFD76C871E}
[2011/01/16 10:45:01 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\{E242E99D-26B8-484F-973C-24625D766FA1}
[2011/01/13 17:06:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Scanner
[2011/01/12 20:19:01 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Local\Yahoo
[2011/01/12 20:18:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Yahoo!
[2011/01/12 20:17:03 | 000,000,000 | ---D | C] -- C:\Program Files\Yahoo!
[2010/10/14 18:57:05 | 000,148,736 | ---- | C] (Avanquest Software) -- C:\ProgramData\hpe6CCE.dll

========== Files - Modified Within 30 Days ==========

[2011/02/01 02:51:35 | 000,000,898 | ---- | M] () -- C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk
[2011/02/01 02:51:06 | 000,004,112 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/02/01 02:51:06 | 000,004,112 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/02/01 02:51:05 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/02/01 02:51:01 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/02/01 02:50:57 | 3209,875,456 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/01 02:47:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/02/01 02:46:16 | 000,453,632 | ---- | M] () -- C:\Users\Chris\Desktop\CKScanner.exe
[2011/02/01 02:40:37 | 105,089,479 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2011/02/01 02:39:33 | 000,000,422 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{9041E61C-EAA8-4812-9D7F-06B5A91EF327}.job
[2011/01/31 21:55:40 | 000,001,638 | ---- | M] () -- C:\Users\Chris\Desktop\SBR Poker.lnk
[2011/01/31 21:55:15 | 004,349,953 | ---- | M] (SBR ) -- C:\Users\Chris\Desktop\sbr_setup.exe
[2011/01/31 21:55:05 | 001,674,937 | ---- | M] () -- C:\Users\Chris\Desktop\IMG_0421.JPG
[2011/01/31 13:23:17 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Chris\Desktop\OTL.exe
[2011/01/30 16:45:57 | 001,350,232 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Chris\Desktop\cj.exe
[2011/01/30 16:44:58 | 001,350,232 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Chris\Desktop\tdsskiller.exe
[2011/01/29 14:32:50 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Chris\Desktop\HijackThis.exe
[2011/01/29 11:31:57 | 000,644,560 | ---- | M] () -- C:\Windows\System32\drivers\AVG\iavifw.avm
[2011/01/28 20:31:26 | 001,113,789 | ---- | M] () -- C:\Users\Chris\Desktop\RootkitBuster_3.60.1016.zip
[2011/01/27 08:13:52 | 000,288,107 | ---- | M] () -- C:\Users\Chris\Desktop\gmer.zip
[2011/01/27 08:06:47 | 000,000,830 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2011.lnk
[2011/01/27 08:05:45 | 000,000,000 | ---- | M] () -- C:\Users\Chris\defogger_reenable
[2011/01/26 15:18:36 | 000,000,117 | ---- | M] () -- C:\Users\Chris\SecurityKISSTunnel.config
[2011/01/24 09:28:35 | 000,214,297 | ---- | M] () -- C:\Windows\System32\drivers\AVG\iavichjg.avm
[2011/01/20 14:47:48 | 000,057,344 | ---- | M] () -- C:\Users\Chris\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/11 20:13:37 | 000,000,000 | -H-- | M] () -- C:\Users\Chris\Documents\Default.rdp

========== Files Created - No Company Name ==========

[2011/02/01 02:46:16 | 000,453,632 | ---- | C] () -- C:\Users\Chris\Desktop\CKScanner.exe
[2011/01/31 21:55:40 | 000,001,638 | ---- | C] () -- C:\Users\Chris\Desktop\SBR Poker.lnk
[2011/01/31 21:55:02 | 001,674,937 | ---- | C] () -- C:\Users\Chris\Desktop\IMG_0421.JPG
[2011/01/28 20:31:03 | 001,113,789 | ---- | C] () -- C:\Users\Chris\Desktop\RootkitBuster_3.60.1016.zip
[2011/01/27 08:13:52 | 000,288,107 | ---- | C] () -- C:\Users\Chris\Desktop\gmer.zip
[2011/01/27 08:05:45 | 000,000,000 | ---- | C] () -- C:\Users\Chris\defogger_reenable
[2011/01/11 20:13:37 | 000,000,000 | -H-- | C] () -- C:\Users\Chris\Documents\Default.rdp
[2010/12/12 17:19:23 | 000,000,036 | ---- | C] () -- C:\Users\Chris\AppData\Local\housecall.guid.cache
[2010/12/01 12:01:18 | 000,000,032 | ---- | C] () -- C:\Windows\wininit.ini
[2010/11/22 22:25:11 | 000,001,189 | ---- | C] () -- C:\Users\Chris\AppData\Roaming\vso_ts_preview.xml
[2010/09/13 23:04:38 | 000,000,049 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2010/08/29 18:00:06 | 000,000,008 | -HS- | C] () -- C:\Users\Chris\AppData\Roaming\date
[2010/08/29 18:00:05 | 000,000,002 | -HS- | C] () -- C:\Users\Chris\AppData\Roaming\evf6
[2010/08/04 16:57:48 | 000,217,088 | ---- | C] () -- C:\Windows\System32\LPng.dll
[2010/08/01 16:16:51 | 000,000,600 | ---- | C] () -- C:\Users\Chris\AppData\Local\PUTTY.RND
[2010/05/14 01:18:45 | 000,057,344 | ---- | C] () -- C:\Users\Chris\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/04 22:59:20 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2010/04/27 19:13:35 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2010/04/26 14:13:06 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1472.dll
[2010/04/26 11:07:44 | 000,001,356 | ---- | C] () -- C:\Users\Chris\AppData\Local\d3d9caps.dat
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/01/05 15:44:10 | 000,000,453 | ---- | C] () -- C:\Windows\bdoscandellang.ini
[2008/02/11 18:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2006/11/02 12:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 07:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[1999/01/22 10:46:58 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2010/11/17 20:05:16 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\.BitTornado
[2010/11/17 21:54:24 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\AnvSoft
[2010/12/12 13:36:35 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\AVG10
[2010/07/28 17:54:52 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
[2010/08/29 17:39:57 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\DVDVideoSoftIEHelpers
[2010/11/04 21:06:56 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\EurekaLog
[2010/10/14 18:51:13 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\GlarySoft
[2010/08/08 22:13:15 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Hide IP NG
[2010/11/24 00:26:28 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\iolo
[2010/10/14 17:59:51 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Sony
[2010/11/14 20:54:46 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\StreamTorrent
[2011/01/30 16:14:48 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\uTorrent
[2010/12/30 16:05:27 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Vso
[2010/11/13 15:28:42 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Windows Live Writer
[2011/02/01 02:50:12 | 000,032,552 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011/02/01 02:39:33 | 000,000,422 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{9041E61C-EAA8-4812-9D7F-06B5A91EF327}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\ProgramData\TEMP:5C321E34
@Alternate Data Stream - 64 bytes -> C:\Users\Chris\Documents\MOV00350.MP4:TOC.WMV
@Alternate Data Stream - 64 bytes -> C:\Users\Chris\Documents\MOV00304.MP4:TOC.WMV
@Alternate Data Stream - 64 bytes -> C:\Users\Chris\Documents\MOV00303.MP4:TOC.WMV
@Alternate Data Stream - 64 bytes -> C:\Users\Chris\Documents\MOV00302.MP4:TOC.WMV
@Alternate Data Stream - 64 bytes -> C:\Users\Chris\Documents\MOV00247.MP4:TOC.WMV
@Alternate Data Stream - 64 bytes -> C:\Users\Chris\Documents\MOV00149.MP4:TOC.WMV
@Alternate Data Stream - 64 bytes -> C:\Users\Chris\Documents\MOV00144.MP4:TOC.WMV
@Alternate Data Stream - 173 bytes -> C:\ProgramData\TEMP:FB1B13D8

< End of report >
tangerine
Regular Member
 
Posts: 27
Joined: January 29th, 2011, 10:28 am

Re: Rootkit help needed

Unread postby tangerine » January 31st, 2011, 11:02 pm

There was also a scan which popped up after I rebooted my computer after pasting the above in. Do you need to see that?
tangerine

Re: Rootkit help needed

Unread postby askey127 » February 1st, 2011, 7:36 am

tangerine,
(No, that's OK. I don't think you have a rootkit).
These directions should work exactly.
Do each step before proceeding to the next.
I would print this out first, to be sure you are doing everything in the correct sequence. Don't Guess. If you are not sure about something, stop and ask.

We are going to remove your AVG 2011 antivirus and replace it with an antivirus called Avira Antivir.
This is necessary for all our tools to work correctly.

Then we will have Antivir run a scan and give us a report without removing anything.
-----------------------------------------------
Download Antivir Free
This program is free for personal, non-business use.
Download AntiVir Free from here : http://www.softpedia.com/get/Antivirus/AntiVir-Personal-Edition.shtml
Click the Download button. Then when the "Download Locations" page comes up, choose the first External Mirror (exe)
Save the Installer to your desktop, but don't run it yet. The installer file will be named avira_antivir_personal_en.exe
Double check to be sure you know where to find it.
------------------------------------------------
Remove AVG Antivirus Using the Control Panel
From Start, Control Panel, click on Uninstall a program under the Programs heading.
Right click this Entry, choose Uninstall/Change, and give permission to Continue:

AVG 2011

Take extra care in answering questions posed by any Uninstaller.
-----------------------------------------------
Install Antivir
Right Click the Avira Antivir Installer you saved on your desktop, choose "Run as administrator", and let it Install Antivir.
-----------------------------------------------
Update and Scan with Antivir
Right click the red umbrella icon and choose Start Antivir.
When the window comes up click Start Update.
When the update is complete, click on Scan System Now.
This full scan could take an hour or more.
It will ask what to do with any items it finds.
IMPORTANT >> For Now, tell it to IGNORE any items it finds. Do not choose Quarantine or Delete.
-----------------------------------------------
Get Last Avira Report
Right click the red umbrella icon in the system tray and click Start Antivir
In the left pane, click Overview, then click Reports
There will be reports titled Update and reports titled Scan. Find the most recent report in the list titled Scan.
Click on the Report File button, or Right click the report and choose Display Report.
The report contents will come up in Notepad. Highlight the entire report (Ctrl+A) and copy to the clipboard (Ctrl+C).
Paste the contents (Ctrl+V) into your next reply.

askey127
Admin/Teacher
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Rootkit help needed

Unread postby tangerine » February 1st, 2011, 8:38 am

Do I uninstall all of AVG or just the antivirus? I have AVG Security Suite, so if I uninstall that I won't have a firewall on my computer. Thought I best ask. Is AVG the culprit?
tangerine

Re: Rootkit help needed

Unread postby tangerine » February 1st, 2011, 8:59 am

My rootkit finder is still coming up with the hidden registry key:
Area: Windows registry
Description: Hidden registry key
Location: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\35
Removable: No
Notes: (no more detail available)

I will wait regarding AVG until I hear from you whether to uninstall my paid-for firewall too.

thanks
tangerine

Re: Rootkit help needed

Unread postby askey127 » February 1st, 2011, 1:07 pm

Uninstall ALL of it, and proceed.
It is not the culprit, but it is blocking the kind of repairs we need.
askey127

Re: Rootkit help needed

Unread postby tangerine » February 1st, 2011, 4:50 pm

Avira AntiVir Personal
Report file date: 01 February 2011 19:55

Scanning for 2446490 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (Service Pack 2) [6.0.6002]
Boot mode : Normally booted
Username : SYSTEM
Computer name : CHRIS-PC

Version information:
BUILD.DAT : 10.0.0.611 31824 Bytes 14/01/2011 13:42:00
AVSCAN.EXE : 10.0.3.5 435368 Bytes 10/01/2011 14:23:31
AVSCAN.DLL : 10.0.3.0 46440 Bytes 01/04/2010 12:57:04
LUKE.DLL : 10.0.3.2 104296 Bytes 10/01/2011 14:23:40
LUKERES.DLL : 10.0.0.1 12648 Bytes 10/02/2010 23:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 06/11/2009 09:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 14/12/2010 14:23:50
VBASE002.VDF : 7.11.0.1 2048 Bytes 14/12/2010 14:23:50
VBASE003.VDF : 7.11.0.2 2048 Bytes 14/12/2010 14:23:50
VBASE004.VDF : 7.11.0.3 2048 Bytes 14/12/2010 14:23:50
VBASE005.VDF : 7.11.0.4 2048 Bytes 14/12/2010 14:23:50
VBASE006.VDF : 7.11.0.5 2048 Bytes 14/12/2010 14:23:50
VBASE007.VDF : 7.11.0.6 2048 Bytes 14/12/2010 14:23:50
VBASE008.VDF : 7.11.0.7 2048 Bytes 14/12/2010 14:23:50
VBASE009.VDF : 7.11.0.8 2048 Bytes 14/12/2010 14:23:50
VBASE010.VDF : 7.11.0.9 2048 Bytes 14/12/2010 14:23:50
VBASE011.VDF : 7.11.0.10 2048 Bytes 14/12/2010 14:23:50
VBASE012.VDF : 7.11.0.11 2048 Bytes 14/12/2010 14:23:50
VBASE013.VDF : 7.11.0.52 128000 Bytes 16/12/2010 15:54:35
VBASE014.VDF : 7.11.0.91 226816 Bytes 20/12/2010 17:12:47
VBASE015.VDF : 7.11.0.122 136192 Bytes 21/12/2010 19:09:26
VBASE016.VDF : 7.11.0.156 122880 Bytes 24/12/2010 09:41:13
VBASE017.VDF : 7.11.0.185 146944 Bytes 27/12/2010 14:39:57
VBASE018.VDF : 7.11.0.228 132608 Bytes 30/12/2010 16:23:58
VBASE019.VDF : 7.11.1.5 148480 Bytes 03/01/2011 17:45:39
VBASE020.VDF : 7.11.1.37 156672 Bytes 07/01/2011 09:30:06
VBASE021.VDF : 7.11.1.65 140800 Bytes 10/01/2011 13:12:43
VBASE022.VDF : 7.11.1.87 225280 Bytes 11/01/2011 14:47:36
VBASE023.VDF : 7.11.1.124 125440 Bytes 14/01/2011 19:50:49
VBASE024.VDF : 7.11.1.155 132096 Bytes 17/01/2011 19:50:54
VBASE025.VDF : 7.11.1.189 451072 Bytes 20/01/2011 19:50:56
VBASE026.VDF : 7.11.1.230 138752 Bytes 24/01/2011 19:50:56
VBASE027.VDF : 7.11.2.12 164352 Bytes 27/01/2011 19:50:57
VBASE028.VDF : 7.11.2.43 178176 Bytes 01/02/2011 19:50:58
VBASE029.VDF : 7.11.2.44 2048 Bytes 01/02/2011 19:50:58
VBASE030.VDF : 7.11.2.45 2048 Bytes 01/02/2011 19:50:58
VBASE031.VDF : 7.11.2.50 60928 Bytes 01/02/2011 19:50:59
Engineversion : 8.2.4.158
AEVDF.DLL : 8.1.2.1 106868 Bytes 10/01/2011 14:23:26
AESCRIPT.DLL : 8.1.3.53 1282427 Bytes 01/02/2011 19:51:09
AESCN.DLL : 8.1.7.2 127349 Bytes 10/01/2011 14:23:26
AESBX.DLL : 8.1.3.2 254324 Bytes 10/01/2011 14:23:26
AERDL.DLL : 8.1.9.2 635252 Bytes 10/01/2011 14:23:25
AEPACK.DLL : 8.2.4.9 512374 Bytes 01/02/2011 19:51:08
AEOFFICE.DLL : 8.1.1.16 205179 Bytes 01/02/2011 19:51:06
AEHEUR.DLL : 8.1.2.70 3191159 Bytes 01/02/2011 19:51:06
AEHELP.DLL : 8.1.16.0 246136 Bytes 10/01/2011 14:23:19
AEGEN.DLL : 8.1.5.2 397683 Bytes 01/02/2011 19:51:01
AEEMU.DLL : 8.1.3.0 393589 Bytes 10/01/2011 14:23:18
AECORE.DLL : 8.1.19.2 196983 Bytes 01/02/2011 19:51:00
AEBB.DLL : 8.1.1.0 53618 Bytes 10/01/2011 14:23:18
AVWINLL.DLL : 10.0.0.0 19304 Bytes 10/01/2011 14:23:32
AVPREF.DLL : 10.0.0.0 44904 Bytes 10/01/2011 14:23:30
AVREP.DLL : 10.0.0.8 62209 Bytes 17/06/2010 14:27:13
AVREG.DLL : 10.0.3.2 53096 Bytes 10/01/2011 14:23:31
AVSCPLR.DLL : 10.0.3.2 84328 Bytes 10/01/2011 14:23:31
AVARKT.DLL : 10.0.22.6 231784 Bytes 10/01/2011 14:23:27
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 10/01/2011 14:23:28
SQLITE3.DLL : 3.6.19.0 355688 Bytes 17/06/2010 14:27:22
AVSMTP.DLL : 10.0.0.17 63848 Bytes 10/01/2011 14:23:31
NETNT.DLL : 10.0.0.0 11624 Bytes 17/06/2010 14:27:21
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 28/01/2010 13:10:20
RCTEXT.DLL : 10.0.58.0 97128 Bytes 10/01/2011 14:23:52

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: 01 February 2011 19:55

Starting search for hidden objects.

The scan of running processes will be started
Scan process 'taskeng.exe' - '24' Module(s) have been scanned
Scan process 'SearchFilterHost.exe' - '32' Module(s) have been scanned
Scan process 'SearchProtocolHost.exe' - '51' Module(s) have been scanned
Scan process 'iexplore.exe' - '122' Module(s) have been scanned
Scan process 'svchost.exe' - '30' Module(s) have been scanned
Scan process 'vssvc.exe' - '49' Module(s) have been scanned
Scan process 'avscan.exe' - '77' Module(s) have been scanned
Scan process 'avscan.exe' - '29' Module(s) have been scanned
Scan process 'taskeng.exe' - '28' Module(s) have been scanned
Scan process 'avcenter.exe' - '66' Module(s) have been scanned
Scan process 'avgnt.exe' - '49' Module(s) have been scanned
Scan process 'sched.exe' - '56' Module(s) have been scanned
Scan process 'avshadow.exe' - '33' Module(s) have been scanned
Scan process 'avguard.exe' - '64' Module(s) have been scanned
Scan process 'GoogleToolbarUser_32.exe' - '64' Module(s) have been scanned
Scan process 'iexplore.exe' - '107' Module(s) have been scanned
Scan process 'iPodService.exe' - '30' Module(s) have been scanned
Scan process 'iexplore.exe' - '82' Module(s) have been scanned
Scan process 'BBC iPlayer Desktop.exe' - '89' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '64' Module(s) have been scanned
Scan process 'ehmsas.exe' - '21' Module(s) have been scanned
Scan process 'wmpnscfg.exe' - '29' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '57' Module(s) have been scanned
Scan process 'ehtray.exe' - '26' Module(s) have been scanned
Scan process 'sidebar.exe' - '70' Module(s) have been scanned
Scan process 'realsched.exe' - '32' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '74' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '27' Module(s) have been scanned
Scan process 'igfxpers.exe' - '23' Module(s) have been scanned
Scan process 'hkcmd.exe' - '23' Module(s) have been scanned
Scan process 'igfxtray.exe' - '24' Module(s) have been scanned
Scan process 'RtHDVCpl.exe' - '50' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '63' Module(s) have been scanned
Scan process 'svchost.exe' - '7' Module(s) have been scanned
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'SupServ.exe' - '19' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '31' Module(s) have been scanned
Scan process 'AERTSrv.exe' - '5' Module(s) have been scanned
Scan process 'Explorer.EXE' - '139' Module(s) have been scanned
Scan process 'taskeng.exe' - '79' Module(s) have been scanned
Scan process 'Dwm.exe' - '34' Module(s) have been scanned
Scan process 'taskeng.exe' - '49' Module(s) have been scanned
Scan process 'svchost.exe' - '59' Module(s) have been scanned
Scan process 'spoolsv.exe' - '80' Module(s) have been scanned
Scan process 'svchost.exe' - '89' Module(s) have been scanned
Scan process 'svchost.exe' - '86' Module(s) have been scanned
Scan process 'SLsvc.exe' - '26' Module(s) have been scanned
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Scan process 'svchost.exe' - '145' Module(s) have been scanned
Scan process 'svchost.exe' - '81' Module(s) have been scanned
Scan process 'svchost.exe' - '69' Module(s) have been scanned
Scan process 'svchost.exe' - '53' Module(s) have been scanned
Scan process 'svchost.exe' - '33' Module(s) have been scanned
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'lsm.exe' - '22' Module(s) have been scanned
Scan process 'lsass.exe' - '59' Module(s) have been scanned
Scan process 'services.exe' - '33' Module(s) have been scanned
Scan process 'winlogon.exe' - '30' Module(s) have been scanned
Scan process 'wininit.exe' - '26' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '992' files ).


Starting the file scan:

Begin scan in 'C:\'


End of the scan: 01 February 2011 20:48
Used time: 53:05 Minute(s)

The scan has been done completely.

19648 Scanned directories
291614 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
291614 Files not concerned
2409 Archives were scanned
0 Warnings
0 Notes
486707 Objects were scanned with rootkit scan
0 Hidden objects were found
tangerine

Re: Rootkit help needed

Unread postby askey127 » February 1st, 2011, 5:18 pm

tangerine,
Good so far.
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software BEFORE running ComboFix.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or an infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE AVIRA ANTIVIR
    Please navigate to the system tray in the bottom right-hand corner and look for an open umbrella on a red background.
    • Right click it and untick any of the options AntiVir Guard enable, Antivir Webguard enable, and Antivir Mailguard enable, that are present.
    • You should now see a closed umbrella on a red background.
    The AntiVir Guards are now disabled.
  • Now start ComboFix (zzz.exe). Right click and choose "Run as administrator".
  • OK any disclaimers and start the Scan.
  • Do not touch the computer AT ALL while ComboFix is running.
  • It will run through about 50 tasks, and take a while to assemble the report.
    When finished, the report will open. Post the log in your next reply, and then re-enable your Antivir software.
A copy of the log will be located in the main directory of C: if you need it: C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

askey127

Re: Rootkit help needed

Unread postby tangerine » February 1st, 2011, 5:45 pm

ComboFix 11-01-31.02 - Chris 01/02/2011 21:35:24.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3060.1853 [GMT 0:00]
Running from: c:\users\Chris\Desktop\zzz.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
FW: COMODO Firewall *Disabled* {5F676F4C-DD6D-A47C-12D6-C449366C71EE}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\hpe6CCE.dll
c:\users\Chris\AppData\Local\temp\ppcrlui_4972_2
c:\users\Chris\AppData\Roaming\EurekaLog
c:\users\Chris\AppData\Roaming\EurekaLog\a2start\a2start.elf
c:\windows\system32\system

.
((((((((((((((((((((((((( Files Created from 2011-01-01 to 2011-02-01 )))))))))))))))))))))))))))))))
.

2011-02-01 20:52 . 2011-02-01 20:52 -------- d-----w- c:\program files\COMODO
2011-02-01 20:51 . 2011-02-01 20:58 -------- d-----w- c:\programdata\Comodo
2011-02-01 19:54 . 2011-02-01 19:54 -------- d-----w- c:\users\Chris\AppData\Roaming\Avira
2011-02-01 19:49 . 2011-02-01 19:49 -------- d-----w- c:\programdata\Avira
2011-02-01 19:49 . 2011-02-01 19:49 -------- d-----w- c:\program files\Avira
2011-02-01 19:49 . 2011-01-10 14:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-02-01 19:49 . 2011-01-10 14:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-01 02:49 . 2011-02-01 02:49 -------- d-----w- C:\_OTL
2011-01-31 21:55 . 2011-01-31 21:57 -------- d-----w- c:\program files\SBR Poker
2011-01-25 17:02 . 2011-01-25 17:02 -------- d-----w- c:\users\Chris\AppData\Local\{5252F68E-6303-45FA-A6C6-5B1C01885A22}
2011-01-25 03:37 . 2011-01-25 03:37 -------- d-----w- c:\users\Chris\AppData\Local\{E2634623-18D9-4A49-B5EF-7B14B99E6582}
2011-01-24 09:25 . 2011-01-24 09:25 -------- d-----w- c:\users\Chris\AppData\Local\{B77FD3AF-E54F-4B22-8801-2B424F5D3425}
2011-01-23 20:58 . 2011-01-23 20:58 -------- d-----w- c:\users\Chris\AppData\Local\{664305D6-9604-4856-B60D-2AA7F76700B5}
2011-01-23 08:58 . 2011-01-23 08:58 -------- d-----w- c:\users\Chris\AppData\Local\{D215EB88-482C-4482-8F0B-0C684E21263A}
2011-01-22 10:10 . 2011-01-22 10:10 -------- d-----w- c:\users\Chris\AppData\Local\{7CBA5385-EDD6-454B-AA93-DD9FD450F0E4}
2011-01-21 07:32 . 2011-01-21 07:33 -------- d-----w- c:\users\Chris\AppData\Local\{F8600CFA-5256-41E0-B8B9-573D8A7A1946}
2011-01-20 18:32 . 2011-01-20 18:32 -------- d-----w- c:\users\Chris\AppData\Local\Apps
2011-01-20 18:30 . 2011-01-20 18:30 -------- d-----w- c:\program files\EASEUS
2011-01-20 15:33 . 2011-01-20 15:33 -------- d-----w- c:\users\Chris\AppData\Local\{C9EA280F-D05E-403C-B997-B57E66DA8405}
2011-01-20 03:33 . 2011-01-20 03:33 -------- d-----w- c:\users\Chris\AppData\Local\{5D70CD89-7CE2-4196-B22C-5AB3902E95DF}
2011-01-19 15:32 . 2011-01-19 15:33 -------- d-----w- c:\users\Chris\AppData\Local\{9F910F2A-5E86-48E7-8731-69915F6E3880}
2011-01-19 03:32 . 2011-01-19 03:32 -------- d-----w- c:\users\Chris\AppData\Local\{5FC3005B-5A86-46D7-B5E0-0AE2A1C9DFAD}
2011-01-18 15:32 . 2011-01-18 15:32 -------- d-----w- c:\users\Chris\AppData\Local\{8E23C7E4-33CB-4E85-9A19-297A8797A156}
2011-01-18 03:32 . 2011-01-18 03:32 -------- d-----w- c:\users\Chris\AppData\Local\{5562B105-9A84-4B18-AFC1-E7BF15015611}
2011-01-17 10:45 . 2011-01-17 10:45 -------- d-----w- c:\users\Chris\AppData\Local\{4E35672E-6163-4B6F-8E9A-D1E23D6A62D0}
2011-01-16 22:45 . 2011-01-16 22:45 -------- d-----w- c:\users\Chris\AppData\Local\{942218A8-1C55-4548-B775-01BFD76C871E}
2011-01-16 10:45 . 2011-01-16 10:45 -------- d-----w- c:\users\Chris\AppData\Local\{E242E99D-26B8-484F-973C-24625D766FA1}
2011-01-13 17:06 . 2011-01-13 17:06 -------- d-----w- c:\program files\Common Files\Scanner
2011-01-12 20:19 . 2011-01-15 04:09 -------- d-----w- c:\users\Chris\AppData\Local\Yahoo
2011-01-12 20:18 . 2011-01-15 05:23 -------- d-----w- c:\programdata\Yahoo!
2011-01-12 20:17 . 2011-01-15 05:24 -------- d-----w- c:\program files\Yahoo!
2011-01-11 19:55 . 2010-12-28 15:55 413696 ----a-w- c:\windows\system32\odbc32.dll
2011-01-11 19:55 . 2010-12-28 15:53 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2011-01-11 19:55 . 2010-12-28 15:53 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2011-01-11 19:55 . 2010-12-28 15:53 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2011-01-11 19:55 . 2010-12-28 15:53 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
2011-01-11 19:55 . 2010-12-28 15:53 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2011-01-11 19:55 . 2010-12-14 14:49 1169408 ----a-w- c:\windows\system32\sdclt.exe
2011-01-06 17:36 . 2011-01-06 17:36 80064 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-01-06 17:36 . 2011-01-06 17:36 34744 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-01-06 17:36 . 2011-01-06 17:36 236600 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-01-06 17:36 . 2011-01-06 17:36 17256 ----a-w- c:\windows\system32\drivers\cmderd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-29 01:42 . 2010-12-29 01:42 285480 ----a-w- c:\windows\system32\guard32.dll
2010-12-20 18:09 . 2010-10-05 05:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2010-10-05 05:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-10 22:55 . 2010-04-26 20:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-29 17:38 . 2010-11-29 17:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38 . 2010-11-29 17:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-20 00:39 . 2010-11-20 00:39 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-11-20 00:39 . 2010-11-20 00:39 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-11-04 18:56 . 2010-12-15 09:38 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55 . 2010-12-15 09:38 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55 . 2010-12-15 09:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55 . 2010-12-15 09:38 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34 . 2010-12-15 09:38 171520 ----a-w- c:\windows\system32\taskeng.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-03 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-25 141848]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2010-11-20 274608]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-01-17 2548552]

c:\users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-11-18 142336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-03 136176]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-04-30 90112]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2010-10-13 13224]
R3 gttap1;GoTrusted TAP Adapter;c:\windows\system32\DRIVERS\gttap1.sys [x]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\77E.tmp [x]
R3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\DRIVERS\s0017bus.sys [2008-10-21 86824]
R3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0017mdfl.sys [2008-10-21 15016]
R3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0017mdm.sys [2008-10-21 114600]
R3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0017mgmt.sys [2008-10-21 108328]
R3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\DRIVERS\s0017nd5.sys [2008-10-21 26024]
R3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0017obex.sys [2008-10-21 104616]
R3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\DRIVERS\s0017unic.sys [2008-10-21 109736]
R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2009-03-25 86824]
R3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s1018mdfl.sys [2009-03-25 15016]
R3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s1018mdm.sys [2009-03-25 114728]
R3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s1018mgmt.sys [2009-03-25 106208]
R3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\DRIVERS\s1018nd5.sys [2009-03-25 26024]
R3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s1018obex.sys [2009-03-25 104744]
R3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\DRIVERS\s1018unic.sys [2009-03-25 109864]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2011-01-06 236600]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2011-01-06 34744]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-01-10 135336]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2008-01-09 27632]
S4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-12-20 38224]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - CMDGUARD
*NewlyCreated* - CMDHLP
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - SSMDRV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2011-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-03 05:37]

2011-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-03 05:37]

2011-02-01 c:\windows\Tasks\User_Feed_Synchronization-{9041E61C-EAA8-4812-9D7F-06B5A91EF327}.job
- c:\windows\system32\msfeedssync.exe [2010-12-15 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\prvkl47q.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-01 21:41
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\77E.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\guard32.dll
.
Completion time: 2011-02-01 21:43:37
ComboFix-quarantined-files.txt 2011-02-01 21:43

Pre-Run: 223,586,574,336 bytes free
Post-Run: 222,872,649,728 bytes free

- - End Of File - - 5125B6C33427F0B1ADE37D835A77CD0D
tangerine
Regular Member
 
Posts: 27
Joined: January 29th, 2011, 10:28 am
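An added example, not part of the thread and not ComboFix's own code: a small Python triage script for a report like the one posted above. Its regular expressions are fitted to the line shapes visible in this log (service lines as `R3 name;display;path [date size]`, or `[x]` when the image file is not on disk; Run values as `"name"="target" [date size]`; and the `AppInit_DLLs` value), so other ComboFix sections are ignored. It flags the things a helper checks first: services whose image file is gone, image paths ending in `.tmp`, Run values that give a bare executable name instead of a full path, and any `AppInit_DLLs` setting. Every flag is a lead to verify against the vendor, not a verdict; uninstalled security tools often leave `[x]` driver stubs behind. The sample lines are copied from the report above, and the layout assumption is noted in the code.

```python
"""Triage helper for a ComboFix-style report (added example, not ComboFix's
own code). It scans the autostart and service sections and flags entries
that are worth checking by hand. Every flag is a lead, not a verdict."""
import re
from dataclasses import dataclass
from typing import List

# Sample input. The service, Run and AppInit_DLLs lines are copied from the
# ComboFix report posted above; their layout is what the regexes below assume.
SAMPLE_REPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-25 150040]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-03 136176]
R3 gttap1;GoTrusted TAP Adapter;c:\windows\system32\DRIVERS\gttap1.sys [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\77E.tmp [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2011-01-06 236600]
"""

# "R3 name;display name;image path [YYYY-MM-DD size]", or "... [x]" when the
# image file is not present on disk.
SERVICE_RE = re.compile(
    r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(x|\d{4}-\d{2}-\d{2}\s+\d+)\]$')
# '"value name"="target" [YYYY-MM-DD size]' under a Run key.
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[\d{4}-\d{2}-\d{2}\s+\d+\]$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.+)$')


@dataclass
class Finding:
    line: str    # the report line that triggered the flag
    reason: str  # why a helper would look at it


def triage(report: str) -> List[Finding]:
    """Return one Finding per heuristic hit, in report order."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = SERVICE_RE.match(line)
        if m:
            _state, name, _display, path, stamp = m.groups()
            if stamp == "x":
                findings.append(Finding(line, f"service {name}: image file missing on disk"))
            if path.lower().endswith(".tmp"):
                findings.append(Finding(line, f"service {name}: image path is a .tmp file"))
            continue

        m = RUN_RE.match(line)
        if m:
            name, target = m.groups()
            # No directory: Windows resolves the name via the search path, so a
            # same-named file placed earlier in that path would run instead.
            if "\\" not in target:
                findings.append(Finding(line, f"Run value {name}: bare executable name, no full path"))
            continue

        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that maps user32.dll;
            # confirm the DLL belongs to an installed product.
            findings.append(Finding(line, f"AppInit_DLLs loads {m.group(1)}: global DLL injection point"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.reason}\n    {f.line}")
```

Run as-is it prints the five flagged entries from the sample; to use it on a real report, pass the whole ComboFix.txt text to `triage()`. A natural extension is an allow-list of vendor directories so that a signed driver in a known product folder is reported at lower priority than one in a temp directory.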

Re: Rootkit help needed

Unread postby askey127 » February 1st, 2011, 7:45 pm

What was the problem with Uninstalling Comodo?
I see it was disabled but still resident.

I also see that Windows Defender is still running.
Was there a problem following the original directions about it?

Please tell me about it.
askey127
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Rootkit help needed

Unread postby tangerine » February 1st, 2011, 8:44 pm

There was nothing on Windows Defender about how to disable it. I went into Tools and Options and there wasn't a "Use Windows Defender" box to tick. I put Comodo Free on after the scan, as I had no firewall after I took AVG off.
Avira has now found 4 hidden items, as opposed to none earlier.

Re: Rootkit help needed

Unread postby tangerine » February 1st, 2011, 8:52 pm

What do I do now, please?