Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Rootkit infection: IRP hook

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 8th, 2012, 12:43 pm

Hihi mambass,:)

The contents of the OTL.txt logs:

OTL logfile created on: 9/4/2012 12:24:07 AM - Run 6
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Users\Delvin\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00004809 | Country: Singapore | Language: ENE | Date Format: d/M/yyyy

3.49 Gb Total Physical Memory | 2.15 Gb Available Physical Memory | 61.52% Memory free
7.17 Gb Paging File | 5.93 Gb Available in Paging File | 82.69% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 136.46 Gb Total Space | 73.72 Gb Free Space | 54.02% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.13 Gb Free Space | 51.27% Space Free | Partition Type: NTFS

Computer Name: DELVIN-PC | User Name: Delvin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/04/02 16:13:08 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Users\Delvin\Desktop\OTL.exe
PRC - [2012/03/07 23:04:12 | 000,250,528 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashUtil11g_ActiveX.exe
PRC - [2012/01/24 17:24:26 | 002,416,480 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2012/01/03 21:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/12/23 16:00:00 | 000,611,144 | R--- | M] (WinZip Computing, S.L.) -- C:\Program Files\WinZip\WZQKPICK32.EXE
PRC - [2011/11/28 01:19:04 | 001,229,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2011/11/07 18:28:34 | 000,043,912 | ---- | M] (WebEx Communications, Inc.) -- C:\Windows\System32\atashost.exe
PRC - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
PRC - [2011/09/08 20:53:26 | 000,743,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2011/08/15 06:21:40 | 000,337,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2011/02/25 10:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE
PRC - [2010/07/29 15:50:16 | 000,238,952 | ---- | M] (Teruten) -- C:\Windows\System32\FsUsbExService.Exe
PRC - [2010/07/29 15:47:08 | 000,095,576 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
PRC - [2009/09/12 23:09:10 | 000,103,768 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\concentr.exe
PRC - [2009/09/12 23:09:04 | 000,550,232 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\wfcrun32.exe
PRC - [2009/04/11 14:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/04/07 15:34:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
PRC - [2008/11/10 04:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/07/15 11:12:48 | 001,226,024 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DellDock.exe
PRC - [2008/05/04 17:25:32 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2008/05/04 17:25:26 | 000,167,936 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2008/05/04 17:25:26 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2008/05/02 14:09:04 | 000,161,048 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe
PRC - [2008/03/04 13:05:24 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\OEM02Mon.exe
PRC - [2008/01/21 10:23:43 | 000,056,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wermgr.exe
PRC - [2007/12/21 10:58:06 | 000,184,320 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\MediaDirect\PCMService.exe
PRC - [2007/11/12 19:07:24 | 000,405,504 | ---- | M] (IDT, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
PRC - [2007/11/12 19:07:20 | 000,102,400 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\stacsv.exe
PRC - [2007/11/12 19:07:16 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEstSrv.exe
PRC - [2007/03/21 13:00:04 | 000,355,096 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/03/21 13:00:00 | 000,174,872 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2006/11/03 17:55:50 | 000,703,280 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2006/11/03 17:55:48 | 001,583,920 | ---- | M] (Broadcom Corporation.) -- c:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe


========== Modules (No Company Name) ==========

MOD - [2012/02/27 15:48:11 | 015,881,216 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\MenuSkinning\b446e070c697bcde99455fb9d2d23444\MenuSkinning.ni.dll
MOD - [2012/02/27 15:47:45 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\e100f2c927dbb107291c21482fdb4052\System.Runtime.Remoting.ni.dll
MOD - [2012/02/27 15:47:36 | 000,284,160 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\VistaBridgeLibrary\6f1bab399434075465c8f1564222af0a\VistaBridgeLibrary.ni.dll
MOD - [2012/02/27 15:47:32 | 000,998,400 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\820791f89653e9df46efe41c00efae48\System.Management.ni.dll
MOD - [2012/02/27 15:47:31 | 002,261,504 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\DellDock\8320ac350e711c9f129afd4d9d4e5d33\DellDock.ni.exe
MOD - [2012/02/27 15:47:30 | 000,249,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\MyDock.Util\9e03762d0cfcd79faa816931137bd223\MyDock.Util.ni.dll
MOD - [2012/02/27 15:47:19 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\1ea918174326bc2a310308b11cb80721\System.Configuration.ni.dll
MOD - [2012/02/27 15:45:51 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\313f790d68a283f7545637411cba47c7\System.Xml.ni.dll
MOD - [2012/02/27 15:45:33 | 012,430,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\79dd363816fceb437bf6e8e73a7dbdb0\System.Windows.Forms.ni.dll
MOD - [2012/02/27 15:45:23 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\b0ccf39346a1a31a18a232624160549f\System.Drawing.ni.dll
MOD - [2012/02/27 15:44:03 | 007,953,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\4651b4ee1d7f85b55e2e8c8783f990dd\System.ni.dll
MOD - [2011/10/12 23:51:39 | 000,025,600 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\e8bc8d1dbf06ea7cfd5a9ce85db5ed63\Accessibility.ni.dll
MOD - [2011/10/12 23:38:58 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38d7c2518832a98b9bdda59abda43b86\mscorlib.ni.dll
MOD - [2009/01/20 15:36:20 | 000,055,808 | ---- | M] () -- C:\Windows\System32\bcmwlrmt.dll
MOD - [2006/11/03 17:46:24 | 000,126,976 | ---- | M] () -- C:\Program Files\WIDCOMM\Bluetooth Software\BTKeyInd.dll
MOD - [2006/11/03 17:25:56 | 000,389,120 | ---- | M] () -- C:\Windows\System32\btwhidcs.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/01/03 21:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/11/07 18:28:34 | 000,043,912 | ---- | M] (WebEx Communications, Inc.) [Auto | Running] -- C:\Windows\System32\atashost.exe -- (atashost)
SRV - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2011/02/28 18:44:14 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/02/25 10:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
SRV - [2010/09/07 00:20:29 | 000,000,000 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\srvsvc.dll -- (LanmanServer)
SRV - [2010/07/29 15:50:16 | 000,238,952 | ---- | M] (Teruten) [Auto | Running] -- C:\Windows\System32\FsUsbExService.Exe -- (FsUsbExService)
SRV - [2009/10/01 09:01:54 | 000,000,000 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\wpdbusenum.dll -- (WPDBusEnum)
SRV - [2009/04/11 14:28:24 | 000,000,000 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\System32\regsvc.dll -- (RemoteRegistry)
SRV - [2009/04/11 14:28:18 | 000,000,000 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\cryptsvc.dll -- (CryptSvc)
SRV - [2009/04/07 15:34:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2008/11/10 04:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/05/02 14:09:04 | 000,161,048 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV - [2008/04/07 09:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2008/01/21 10:24:35 | 000,134,656 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\dps.dll -- (DPS)
SRV - [2008/01/21 10:24:05 | 000,075,264 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\trkwks.dll -- (TrkWks)
SRV - [2008/01/21 10:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/21 10:23:27 | 000,104,960 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\System32\sdrsvc.dll -- (SDRSVC)
SRV - [2007/11/12 19:07:20 | 000,102,400 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\stacsv.exe -- (STacSV)
SRV - [2007/11/12 19:07:16 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEstSrv.exe -- (AESTFilters)
SRV - [2007/03/21 13:00:04 | 000,355,096 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
SRV - [2006/11/02 20:35:24 | 000,068,096 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\TabSvc.dll -- (TabletInputService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2011/10/07 06:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2011/10/04 06:21:16 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/09/13 06:30:10 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/08/08 06:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/07/11 01:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/07/11 01:14:02 | 000,024,272 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/07/11 01:14:00 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\AVGIDSEH.sys -- (AVGIDSEH)
DRV - [2011/07/11 01:13:58 | 000,134,736 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2010/06/14 08:32:54 | 000,036,608 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2009/09/08 18:13:16 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\ctxusbm.sys -- (ctxusbm)
DRV - [2009/04/07 15:33:08 | 000,026,416 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\purendis.sys -- (purendis)
DRV - [2009/04/07 15:33:08 | 000,024,880 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\pnarp.sys -- (pnarp)
DRV - [2009/01/20 15:36:12 | 000,018,424 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\bcm42rly.sys -- (BCM42RLY)
DRV - [2008/06/23 20:45:44 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2008/05/04 17:25:24 | 000,164,400 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2008/03/06 15:58:44 | 000,111,616 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel(R)
DRV - [2008/03/04 13:05:34 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
DRV - [2008/03/04 13:05:18 | 000,235,648 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Dev.sys -- (OEM02Dev)
DRV - [2008/01/21 10:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2007/11/12 19:07:28 | 000,330,240 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/09/17 15:53:26 | 000,021,632 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2007/09/07 00:35:16 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/09/07 00:35:14 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/09/07 00:35:12 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/02 15:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://xin.msn.com/
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://xin.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-sg
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 50 62 B9 BE C5 6A CC 01 [binary data]
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?FORM=WLETDF&PC=WLEM&q={searchTerms}&src=IE-SearchBox
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGLL_en
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\..\SearchScopes\{A16B4E67-8316-4F56-953F-3EE0264EAEAB}: "URL" = http://search.avg.com/route/?d=4b7656a7 ... =chrome&q={searchTerms}&lng={language}&iy=&ychte=us
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..browser.search.selectedEngine: "AVG Secure Search"
FF - prefs.js..extensions.enabledItems: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:12.0.0.1912
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}:6.0.31
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\Program Files\TVUPlayer\npTVUAx.dll (TVU networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.17: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.17: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/02/02 00:33:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/04/08 22:27:52 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/04/08 23:21:36 | 000,000,000 | ---D | M]

[2010/12/05 14:41:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Delvin\AppData\Roaming\Mozilla\Extensions
[2011/02/15 10:03:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Delvin\AppData\Roaming\Mozilla\Firefox\Profiles\qeffn5z8.default\extensions
[2011/02/15 10:03:30 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Delvin\AppData\Roaming\Mozilla\Firefox\Profiles\qeffn5z8.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/04/08 22:39:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/12/05 20:10:50 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2012/03/29 16:39:11 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
[2012/02/02 00:33:38 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG2012\FIREFOX4
[2009/09/12 23:05:42 | 000,124,240 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\CCMSDK.dll
[2009/09/12 23:06:22 | 000,070,488 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\CgpCore.dll
[2009/09/12 23:06:32 | 000,091,480 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\confmgr.dll
[2009/09/12 23:06:28 | 000,022,360 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\ctxlogging.dll
[2012/03/29 16:38:53 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2009/09/12 23:08:36 | 000,406,864 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npicaN.dll
[2009/09/12 23:06:24 | 000,023,896 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\TcpPServ.dll

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\9.0.597.98\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files\Google\Chrome\Application\9.0.597.98\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\9.0.597.98\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
CHR - plugin: TVU Web Player for FireFox (Enabled) = C:\Program Files\TVUPlayer\npTVUAx.dll
CHR - plugin: Veetle TV Player (Enabled) = C:\Program Files\Veetle\Player\npvlc.dll
CHR - plugin: Veetle Broadcaster Plugin (Enabled) = C:\Program Files\Veetle\VLCBroadcast\npvbp.dll
CHR - plugin: Veetle TV Core (Enabled) = C:\Program Files\Veetle\plugins\npVeetle.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.50917.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Entanglement = C:\Users\Delvin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.1.1_0\
CHR - Extension: Poppit = C:\Users\Delvin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\

O1 HOSTS File: ([2006/09/19 05:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [NPSStartup] File not found
O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe (Samsung Electronics Co., Ltd.)
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
O4 - Startup: C:\Users\Delvin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O13 - gopher Prefix: missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shoc ... tor/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} http://kitchenplanner.ikea.com/US/Core/ ... _Win32.cab (20-20 3D Viewer)
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} http://messenger.zone.msn.com/Messenger ... 109791.cab ()
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zone.msn.com/binary/So ... b56986.cab (Solitaire Showdown Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/Messenger ... E_UNO1.cab (UnoCtrl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/200 ... ader55.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} http://xserv.dell.com/DellDriverScanner/DellSystem.CAB (DellSystem.Scanner)
O16 - DPF: {B151B524-F451-4036-9663-B3944FA710DF} http://www.cpf.gov.sg/cpf_info/ehelpdesk/ehelpdesk.cab (ExecuteAgent2p Class)
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell.com/systemprofiler/ ... emLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Me ... b56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/Mi ... b56986.cab (Minesweeper Flags Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 218.186.1.58 218.186.2.16 218.186.2.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{28991DB4-F1C4-4706-AD45-4916F2B65107}: DhcpNameServer = 218.186.1.58 218.186.2.16 218.186.2.6
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Delvin\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Delvin\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/19 05:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/04/08 22:37:56 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/04/08 13:52:01 | 000,039,424 | ---- | C] (Microsoft Corporation) -- C:\hidclasscopy.sys
[2012/04/08 13:52:01 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\hidusbcopy.sys
[2012/04/07 20:17:21 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[2012/04/07 19:49:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip
[2012/04/07 19:48:45 | 000,000,000 | ---D | C] -- C:\Users\Delvin\AppData\Local\WinZip
[2012/04/07 19:48:09 | 000,000,000 | ---D | C] -- C:\ProgramData\WinZip
[2012/04/07 19:48:00 | 000,000,000 | ---D | C] -- C:\Program Files\WinZip
[2012/04/07 19:41:30 | 000,000,000 | ---D | C] -- C:\Users\Delvin\Desktop\CFA
[2012/04/05 22:38:05 | 000,000,000 | ---D | C] -- C:\Users\Delvin\Documents\estatements
[2012/04/05 21:09:48 | 000,000,000 | ---D | C] -- C:\Users\Delvin\Documents\Insurance
[2012/04/02 16:13:06 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Users\Delvin\Desktop\OTL.exe
[2012/03/30 18:46:10 | 000,000,000 | ---D | C] -- C:\Users\Delvin\Desktop\Rootkit infection_IRP hook
[2012/03/29 16:39:08 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2012/03/29 16:39:08 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2012/03/29 16:39:08 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2012/03/29 16:38:48 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2012/03/29 16:33:36 | 000,000,000 | ---D | C] -- C:\Program Files\Marvell
[2012/03/29 02:56:51 | 000,000,000 | ---D | C] -- C:\Program Files\Cisco
[2012/03/29 02:55:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell Wireless
[2012/03/29 02:54:41 | 000,018,424 | ---- | C] (Broadcom Corporation) -- C:\Windows\System32\drivers\bcm42rly.sys
[2012/03/29 02:54:39 | 006,369,280 | ---- | C] (Dell Inc.) -- C:\Windows\System32\BCMWLCPL.CPL
[2012/03/29 02:54:39 | 000,286,720 | ---- | C] (Dell Inc.) -- C:\Windows\System32\bcmwlu00.exe
[2012/03/29 02:54:39 | 000,065,536 | ---- | C] (Broadcom Corporation) -- C:\Windows\System32\wltrynt.dll
[2012/03/29 02:54:37 | 000,163,840 | ---- | C] (Broadcom Corp.) -- C:\Windows\System32\bcmwlapi.dll
[2012/03/29 02:54:26 | 000,000,000 | ---D | C] -- C:\Users\Delvin\AppData\Roaming\InstallShield
[2012/03/24 12:34:42 | 002,044,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2012/03/24 12:34:40 | 001,172,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10warp.dll
[2012/03/24 12:34:40 | 001,068,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll
[2012/03/24 12:34:40 | 000,683,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d2d1.dll
[2012/03/24 12:34:40 | 000,219,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1core.dll
[2012/03/24 12:34:40 | 000,160,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1.dll
[2012/03/24 12:34:38 | 000,613,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rdpencom.dll

========== Files - Modified Within 30 Days ==========

[2012/04/09 00:00:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/08 23:51:29 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/08 23:51:23 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/04/08 23:51:23 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/04/08 23:51:16 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/04/08 23:51:08 | 3747,655,680 | -HS- | M] () -- C:\hiberfil.sys
[2012/04/08 23:50:11 | 000,001,076 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2012/04/08 21:58:00 | 094,161,389 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2012/04/07 21:33:10 | 000,000,144 | ---- | M] () -- C:\MWRcopy.bat
[2012/04/07 19:49:01 | 000,001,800 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
[2012/04/03 10:35:02 | 000,100,638 | ---- | M] () -- C:\Users\Delvin\Desktop\Medical Screening_Appointment Letterhead - Yeo Siok Boon.pdf
[2012/04/02 16:13:08 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Users\Delvin\Desktop\OTL.exe
[2012/03/30 18:10:25 | 000,001,906 | ---- | M] () -- C:\Users\Delvin\Documents\cc_20120330_181021.reg
[2012/03/29 16:38:53 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2012/03/29 16:38:53 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2012/03/29 16:38:53 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2012/03/29 16:38:52 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2012/03/29 16:09:28 | 000,001,278 | ---- | M] () -- C:\Users\Delvin\Documents\cc_20120329_160915.reg
[2012/03/29 02:54:54 | 000,772,936 | ---- | M] () -- C:\Windows\System32\oem108.inf
[2012/03/27 00:26:30 | 000,000,994 | ---- | M] () -- C:\Users\Delvin\Documents\cc_20120327_002618.reg
[2012/03/24 22:10:03 | 000,000,372 | ---- | M] () -- C:\Users\Delvin\Documents\cc_20120324_220953.reg
[2012/03/24 19:07:42 | 000,285,336 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/03/24 14:56:27 | 000,000,830 | ---- | M] () -- C:\Users\Delvin\Application Data\Microsoft\Internet Explorer\Quick Launch\CCleaner - Shortcut.lnk
[2012/03/24 13:24:51 | 000,150,176 | ---- | M] () -- C:\Users\Delvin\Documents\cc_20120324_132418.reg
[2012/03/24 12:34:22 | 000,113,461 | ---- | M] () -- C:\Windows\System32\drivers\AVG\iavichjw.avm
[2012/03/22 00:40:09 | 000,030,208 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ddrawex.dll
[2012/03/22 00:40:04 | 000,130,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dhcpcsvc6.dll

========== Files Created - No Company Name ==========

[2012/04/08 23:21:36 | 000,001,804 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2012/04/07 21:33:10 | 000,000,144 | ---- | C] () -- C:\MWRcopy.bat
[2012/04/07 19:48:53 | 000,001,800 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
[2012/04/03 10:35:02 | 000,100,638 | ---- | C] () -- C:\Users\Delvin\Desktop\Medical Screening_Appointment Letterhead - Yeo Siok Boon.pdf
[2012/03/30 18:10:23 | 000,001,906 | ---- | C] () -- C:\Users\Delvin\Documents\cc_20120330_181021.reg
[2012/03/29 16:09:19 | 000,001,278 | ---- | C] () -- C:\Users\Delvin\Documents\cc_20120329_160915.reg
[2012/03/29 02:55:13 | 000,772,936 | ---- | C] () -- C:\Windows\System32\oem108.inf
[2012/03/29 02:54:41 | 000,001,591 | ---- | C] () -- C:\Windows\System32\Uninst_EAPModules.bat
[2012/03/29 02:54:39 | 000,055,808 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
[2012/03/29 02:54:38 | 000,024,064 | ---- | C] () -- C:\Windows\System32\WLTRYSVC.EXE
[2012/03/29 02:24:42 | 000,772,296 | ---- | C] () -- C:\Windows\System32\oem8.inf
[2012/03/27 00:26:21 | 000,000,994 | ---- | C] () -- C:\Users\Delvin\Documents\cc_20120327_002618.reg
[2012/03/24 22:09:56 | 000,000,372 | ---- | C] () -- C:\Users\Delvin\Documents\cc_20120324_220953.reg
[2012/03/24 14:56:27 | 000,000,830 | ---- | C] () -- C:\Users\Delvin\Application Data\Microsoft\Internet Explorer\Quick Launch\CCleaner - Shortcut.lnk
[2012/03/24 13:24:30 | 000,150,176 | ---- | C] () -- C:\Users\Delvin\Documents\cc_20120324_132418.reg
[2011/10/28 21:28:34 | 008,892,928 | ---- | C] () -- C:\ProgramData\atscie.msi
[2011/02/24 01:18:09 | 000,000,000 | ---- | C] () -- C:\Windows\System32\WsmRes.dll
[2010/12/11 13:05:21 | 000,110,592 | ---- | C] () -- C:\Windows\System32\FsUsbExDevice.Dll
[2010/12/11 13:05:21 | 000,036,608 | ---- | C] () -- C:\Windows\System32\FsUsbExDisk.Sys
[2010/12/05 20:11:35 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/10/15 01:06:20 | 000,000,000 | ---- | C] () -- C:\Windows\System32\srvsvc.dll

========== LOP Check ==========

[2010/10/20 13:43:39 | 000,000,000 | ---D | M] -- C:\Users\Delvin\AppData\Roaming\ADInstruments
[2011/10/14 19:44:45 | 000,000,000 | ---D | M] -- C:\Users\Delvin\AppData\Roaming\AVG2012
[2010/03/05 19:47:13 | 000,000,000 | ---D | M] -- C:\Users\Delvin\AppData\Roaming\AVG9
[2012/01/19 22:58:03 | 000,000,000 | ---D | M] -- C:\Users\Delvin\AppData\Roaming\ICAClient
[2010/12/11 13:33:58 | 000,000,000 | ---D | M] -- C:\Users\Delvin\AppData\Roaming\PC Suite
[2010/12/11 13:05:14 | 000,000,000 | ---D | M] -- C:\Users\Delvin\AppData\Roaming\Samsung
[2011/02/14 21:47:14 | 000,000,000 | ---D | M] -- C:\Users\Delvin\AppData\Roaming\tmp
[2010/12/15 05:20:45 | 000,000,000 | ---D | M] -- C:\Users\Delvin\AppData\Roaming\Windows Live Writer
[2012/04/08 23:50:11 | 000,032,616 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am
Advertisement
Register to Remove

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 8th, 2012, 12:45 pm

Hihi mambass,:)

The contents of the Extras.txt logs:

OTL Extras logfile created on: 9/4/2012 12:24:07 AM - Run 6
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Users\Delvin\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00004809 | Country: Singapore | Language: ENE | Date Format: d/M/yyyy

3.49 Gb Total Physical Memory | 2.15 Gb Available Physical Memory | 61.52% Memory free
7.17 Gb Paging File | 5.93 Gb Available in Paging File | 82.69% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 136.46 Gb Total Space | 73.72 Gb Free Space | 54.02% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.13 Gb Free Space | 51.27% Space Free | Partition Type: NTFS

Computer Name: DELVIN-PC | User Name: Delvin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_USERS\S-1-5-21-1511430850-4098111590-1355268400-1000\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{040E9309-2874-4534-81B2-1D7B1F5CD984}" = lport=137 | protocol=17 | dir=in | app=system |
"{051C9E49-EE18-4F9A-B42B-46B3A5142AE0}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{0929011D-DE46-4F17-A277-892EEDDADCAF}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{18BFEE6A-604C-4B17-9AAE-711C4725048B}" = lport=139 | protocol=6 | dir=in | app=system |
"{1CD021AD-8F6C-44A4-A780-613780CC9FFC}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{368B625A-1813-4FA9-BBC6-C5C003964CB1}" = lport=138 | protocol=17 | dir=in | app=system |
"{4F575EE3-0603-48E5-AB4F-4577D3BD0F0D}" = rport=139 | protocol=6 | dir=out | app=system |
"{568C053F-514C-41EB-9E45-E8833AD00C65}" = lport=67 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{5A8F5662-A7C0-4ECB-85B1-7524453BAA25}" = lport=2869 | protocol=6 | dir=in | app=system |
"{5D45647D-402E-41C3-AC35-A9B5D9E81386}" = rport=138 | protocol=17 | dir=out | app=system |
"{5E8FA4D7-BDB6-479F-B667-02A9CCF85CCF}" = rport=2869 | protocol=6 | dir=out | app=system |
"{5EDAAAE5-8004-4D31-9975-6D2D421AA294}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{6B006F45-A3A6-4A07-9379-72D6461AC087}" = lport=68 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{7FB41FFD-1711-477D-A406-987C08B8448A}" = lport=53 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{899B0A38-EDA4-4F75-955E-3011B7339F6C}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{9C7E3495-151D-4091-B7F1-69764B219F76}" = rport=137 | protocol=17 | dir=out | app=system |
"{9E1080A7-4502-488F-8685-6BF69BA143EE}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{B5CBD735-4487-4872-8B96-448402C7C68C}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{C5702CE9-93B4-43CA-AC77-BBFB7FC551D3}" = lport=547 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{CB8CFC8D-2215-44AD-98C8-166A06903B3D}" = rport=445 | protocol=6 | dir=out | app=system |
"{D8BB16F3-2DE0-4E82-8F55-36D62E5E7C1C}" = lport=2869 | protocol=6 | dir=in | app=system |
"{F2CF22C0-FA18-43EA-9C42-59BBF3D45375}" = lport=445 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{015EB128-73E9-4327-8E13-FD2AC18DD301}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgmfapx.exe |
"{02F9789E-037B-4A8B-8E32-DBA8A6925785}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgnsx.exe |
"{0381A04E-905C-454F-9C02-760B71D6C483}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{062B54B3-E411-4903-A130-13D7D10B2B8B}" = protocol=58 | dir=in | name=@hnetcfg.dll,-148 |
"{0F3BB19F-BFE9-407F-B4C0-EF270BC50928}" = dir=out | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{11A29F3E-7DE9-4BCC-9916-C3BB00457E03}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{13BEB933-7755-4042-8F19-320FA8A40A73}" = protocol=6 | dir=in | app=c:\program files\hp\hp deskjet 1050 j410 series\bin\usbsetup.exe |
"{1C1B5074-2900-4FF7-BB12-4CDAB9748C8B}" = protocol=6 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsasvr.exe |
"{228498CD-29FE-440C-9963-2CE8BD6380D4}" = protocol=6 | dir=in | app=c:\program files\common files\pure networks shared\platform\nmsrvc.exe |
"{30DB115B-833F-4384-A3E7-7EF9E6C4228B}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgdiagex.exe |
"{3CA08911-C0B8-4DAA-AB68-EAD12D3C3978}" = protocol=17 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsvsvr.exe |
"{5C8E6816-281C-4B8A-86AD-30FAC5A3E6F5}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{5F03FDFB-1AC5-4F7D-B448-2FED22ECC162}" = protocol=6 | dir=in | app=c:\programdata\nexonus\ngm\ngm.exe |
"{63387967-5AF5-4CC1-AF02-54760DB9B9CF}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{6CA4FF73-C218-4167-985A-69FA532E4CBD}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgmfapx.exe |
"{746C5026-C88E-474D-9378-13C06ADE0EB6}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgnsx.exe |
"{74B7EE73-3A6E-4D05-A7B3-43DDC5F516DA}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgdiagex.exe |
"{84375BBC-59F6-4A2C-9576-0F2DF1B53B5C}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{8BBC98C7-6F0E-4547-9DE4-BF4838144A5E}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgnsx.exe |
"{91B29949-60F0-4897-9B3E-4C86D3104A6E}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgnsx.exe |
"{A62A342B-B4F2-46EF-8554-8F9DEC7E8F5A}" = protocol=17 | dir=in | app=c:\program files\hp\hp deskjet 1050 j410 series\bin\usbsetup.exe |
"{A830840D-DEC5-41F2-8DC5-395BE4B902CB}" = protocol=17 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsasvr.exe |
"{B770275F-08D3-44CF-BE47-391ED77B8B58}" = dir=in | app=c:\program files\windows live\contacts\wlcomm.exe |
"{BFCCB262-DD77-4D1F-B4E3-F65423FE848E}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgdiagex.exe |
"{C70893E3-5BAD-4CBC-8C36-2B37501FD423}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{C7AF6FFE-8AFF-4FA3-8504-55C9C6D392A7}" = protocol=17 | dir=in | app=c:\program files\common files\pure networks shared\platform\nmsrvc.exe |
"{D5B52B22-C8FE-4EC1-9513-753317065C7B}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgdiagex.exe |
"{DC9E3D9C-906F-4284-A728-531D14223F6B}" = protocol=6 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsvsvr.exe |
"{E4EECD26-FA85-402C-B309-83CA65ECFC7D}" = dir=in | app=c:\program files\dell\mediadirect\pcmservice.exe |
"{F220603B-51A1-4F32-B6AA-4EADB0352E36}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{F50F1CD0-E648-486C-96D0-A6C566599DF9}" = protocol=17 | dir=in | app=c:\programdata\nexonus\ngm\ngm.exe |
"TCP Query User{4D33D729-DC29-4A79-ABDF-2ED4EF43A3B6}C:\program files\tvuplayer\tvuplayer.exe" = protocol=6 | dir=in | app=c:\program files\tvuplayer\tvuplayer.exe |
"TCP Query User{73B79C17-9FAA-49BF-8E92-5F4403CE89BA}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{D55CEA56-DB6E-464D-8971-7A23B8E11E44}C:\program files\tvuplayer\tvuplayer.exe" = protocol=6 | dir=in | app=c:\program files\tvuplayer\tvuplayer.exe |
"TCP Query User{FAE476D7-35D1-4B88-981C-832D59E01214}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{372892F2-AD01-457E-9BB0-B19FF030E58D}C:\program files\tvuplayer\tvuplayer.exe" = protocol=17 | dir=in | app=c:\program files\tvuplayer\tvuplayer.exe |
"UDP Query User{4405F7F7-A577-4711-9A0B-6C82577430C2}C:\program files\tvuplayer\tvuplayer.exe" = protocol=17 | dir=in | app=c:\program files\tvuplayer\tvuplayer.exe |
"UDP Query User{D0DC45D9-1181-4C0A-AAB2-748329FE0B3D}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{DAB819D9-4759-49FE-B278-51A42B3C6E39}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{069C1AD7-AC72-40E0-A156-7442EA6A48D7}" = AVG 2012
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0BCA9EFD-F2D6-4638-B053-8693BA0404BE}" = Citrix online plug-in (Web)
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1D5E29AD-39A9-4D0A-A8B6-46A6FCD8C995}" = Live! Cam Avatar v1.0
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{226837D8-0BF8-4CBE-BAB2-8F07E2C2B4DD}" = HP Deskjet 1050 J410 series Basic Device Software
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{294EAADF-E50F-4DD8-AD8D-19587EA10512}" = Modem Diagnostic Tool
"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B6AD248-D3BF-426A-8D64-847288154F13}" = QuickSet
"{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
"{4EFC72DA-2314-4E5D-AC8E-1C954CDB8BBF}" = AVG 2012
"{55392E52-1AAD-44C4-BE49-258FFE72434F}" = Citrix online plug-in (USB)
"{5BA1D11C-B981-4CAA-B2B5-B8ADF413EBA5}" = Pure Networks Platform
"{5C90D8CF-F12A-41C6-9007-3B651A1F0D78}" = HP Deskjet 1050 J410 series Help
"{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI
"{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack
"{6B7B6D4D-8F9B-4CB3-8CA4-BCA9CC4C1A22}" = EDocs
"{6D3963B0-E13B-4FC3-B0FF-506A304BB043}" = Cisco EAP-FAST Module
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75CDF2CA-5F89-4BC8-9556-CF70782CBD17}" = Motorola Phone Tools
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{77F8A71E-3515-4832-B8B2-2F1EDBD2E0F1}" = Bing Bar
"{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar
"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
"{7E84FAC8-C518-40F9-9807-7455301D6D25}" = SamsungConnectivityCableDriver
"{7FCC4EDC-6EE2-4309-ABD7-85F2667A7B90}" = WebEx Support Manager for Internet Explorer
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{812424AC-A8B5-44E6-8D48-07E939D1AD9A}" = Citrix online plug-in (HDX)
"{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}" = OutlookAddinSetup
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}" = MediaDirect
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A13E07E1-A423-44FB-9DEE-B24C75C1BAF2}" = WIDCOMM Bluetooth Software 6.0.1.3100
"{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}" = Highlight Viewer (Windows Live Toolbar)
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AC599724-5755-48C1-ABE7-ABB857652930}" = PC Connectivity Solution
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{AF844339-2F8A-4593-81B3-9F4C54038C4E}" = Windows Live MIME IFilter
"{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}" = HP Update
"{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}" = Motorola Phone Tools
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{C7EEF2B9-8C16-4A04-B98D-B1A952A47E55}" = Linksys Wireless-G USB Network Adapter
"{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}" = Skype Toolbars
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240CC}" = WinZip 16.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{CF53CF7C-D996-43EB-9904-DBED57C25625}" = Citrix online plug-in (DV)
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D8CE69B0-9274-4b8c-BA49-0FF6A20A3C65}" = SAMSUNG SYMBIAN USB Download Driver
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.0
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
"{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"{F6CB42B9-F033-4152-8813-FF11DA8E6A78}" = Dell Dock
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FE51E68C-C4A7-4F74-8B09-CF61662EE304}" = ADInstruments LabChart 7.1
"3A5DEFA413DDE699DBA6EBE0A63534ACA524D30F" = Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Advanced Video FX Engine" = Advanced Video FX Engine
"AVG" = AVG 2012
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card Utility
"CitrixOnlinePluginPackWeb" = Citrix online plug-in - web
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Creative OEM002" = Laptop Integrated Webcam Driver (1.04.01.1011)
"Dell Webcam Center" = Dell Webcam Center
"Dell Webcam Manager" = Dell Webcam Manager
"DVD Decrypter" = DVD Decrypter (Remove Only)
"Google Chrome" = Google Chrome
"HP Photo Creations" = HP Photo Creations
"InstallShield_{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"Intelli-studio" = SAMSUNG Intelli-studio
"Marvell Miniport Driver" = Marvell Miniport Driver
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"Network MagicUninstall" = Network Magic
"TVUPlayer" = TVUPlayer 2.5.3.1
"Veetle TV" = Veetle TV 0.9.17
"WinLiveSuite" = Windows Live Essentials
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Software Update" = Yahoo! Software Update

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/12/2011 12:22:42 AM | Computer Name = Delvin-PC | Source = EventSystem | ID = 4622
Description =

Error - 14/12/2011 7:06:23 PM | Computer Name = Delvin-PC | Source = EventSystem | ID = 4621
Description =

Error - 19/12/2011 3:36:20 AM | Computer Name = Delvin-PC | Source = EventSystem | ID = 4621
Description =

Error - 23/12/2011 12:35:23 PM | Computer Name = Delvin-PC | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 9.0.8112.16421 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 14d0 Start Time: 01ccc190bc9f05bf Termination Time: 15

Error - 23/12/2011 1:21:00 PM | Computer Name = Delvin-PC | Source = EventSystem | ID = 4621
Description =

Error - 25/12/2011 12:18:17 PM | Computer Name = Delvin-PC | Source = EventSystem | ID = 4621
Description =

Error - 31/12/2011 3:49:03 PM | Computer Name = Delvin-PC | Source = EventSystem | ID = 4621
Description =

Error - 4/1/2012 11:19:07 AM | Computer Name = Delvin-PC | Source = LoadPerf | ID = 3002
Description =

Error - 4/1/2012 9:01:55 PM | Computer Name = Delvin-PC | Source = EventSystem | ID = 4622
Description =

Error - 6/1/2012 12:04:39 PM | Computer Name = Delvin-PC | Source = EventSystem | ID = 4621
Description =

[ Broadcom Wireless LAN Events ]
Error - 24/9/2011 1:02:27 PM | Computer Name = Delvin-PC | Source = WLAN-Tray | ID = 0
Description = 01:02:27, Sun, Sep 25, 11 Error - User "" does not have administrative
privileges on this system

Error - 12/10/2011 6:53:35 AM | Computer Name = Delvin-PC | Source = WLAN-Tray | ID = 0
Description = 18:53:35, Wed, Oct 12, 11 Error - User "" does not have administrative
privileges on this system

Error - 11/12/2011 1:30:31 AM | Computer Name = Delvin-PC | Source = WLAN-Tray | ID = 0
Description = 13:30:31, Sun, Dec 11, 11 Error - User "" does not have administrative
privileges on this system

[ System Events ]
Error - 8/4/2012 11:52:45 AM | Computer Name = Delvin-PC | Source = Service Control Manager | ID = 7023
Description =

Error - 8/4/2012 11:52:45 AM | Computer Name = Delvin-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 8/4/2012 11:52:45 AM | Computer Name = Delvin-PC | Source = Service Control Manager | ID = 7023
Description =

Error - 8/4/2012 11:52:45 AM | Computer Name = Delvin-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 8/4/2012 11:52:45 AM | Computer Name = Delvin-PC | Source = Service Control Manager | ID = 7023
Description =

Error - 8/4/2012 11:52:45 AM | Computer Name = Delvin-PC | Source = Service Control Manager | ID = 7023
Description =

Error - 8/4/2012 11:52:45 AM | Computer Name = Delvin-PC | Source = Service Control Manager | ID = 7023
Description =

Error - 8/4/2012 11:52:45 AM | Computer Name = Delvin-PC | Source = Service Control Manager | ID = 7023
Description =

Error - 8/4/2012 11:53:45 AM | Computer Name = Delvin-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 8/4/2012 11:54:39 AM | Computer Name = Delvin-PC | Source = Service Control Manager | ID = 7034
Description =


< End of report >
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby mambass » April 9th, 2012, 10:12 am

Hi Delvin, :)

Let's see if we can figure out what was causing OTL to hang. If any one of the OTL tasks below hangs then please mention that in your reply and move on to the next task.

Please print these instructions because you will not have access to the Internet while performing some of the tasks below.

  1. Perform a Custom Fix with OTL
    1. Right-click the OTL icon on your Desktop and select Run As Administrator to run the program.
    2. In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
      Code: Select all
      :processes
      killallprocesses
      
      :Files
      C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
      C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
      C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
      C:\Users\Delvin\AppData\Roaming\ParetoLogic
      C:\Users\Delvin\AppData\Roaming\DriverCure
      C:\ProgramData\ParetoLogic
      C:\Program Files\McAfee
      C:\Program Files\4shared.com
      C:\Program Files\Zynga
      C:\Program Files\Online_Radio_India
      C:\Program Files\FilmFanaticEI
      C:\Program Files\ConduitEngine
      
      
    3. Close all running applications other than OTL.
    4. Click the Run Fix button at the top.
    5. Let the program run unhindered and reboot the PC when it is done.
    6. When the computer Reboots, and you start your usual account, a Notepad text file will appear.
    7. Copy the contents of that file and post it in your next reply. The log can also be found, based on the date/time it was created, as C:\_OTL\MovedFiles\MMDDYYYY_HHMMSS.log.


  2. Perform a Custom Fix with OTL
    1. Right-click the OTL icon on your Desktop and select Run As Administrator to run the program.
    2. In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
      Code: Select all
      :Commands
      [EMPTYTEMP]
      
      
    3. Close all running applications other than OTL.
    4. Click the Run Fix button at the top.
    5. Let the program run unhindered and reboot the PC when it is done.
    6. When the computer Reboots, and you start your usual account, a Notepad text file will appear.
    7. Copy the contents of that file and post it in your next reply. The log can also be found, based on the date/time it was created, as C:\_OTL\MovedFiles\MMDDYYYY_HHMMSS.log.


  3. Perform a Custom Fix with OTL
    1. Right-click the OTL icon on your Desktop and select Run As Administrator to run the program.
    2. In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
      Code: Select all
      :Commands
      [CREATERESTOREPOINT]
      
      
    3. Close all running applications other than OTL.
    4. Click the Run Fix button at the top.
    5. After the System Restore Point is created, a Notepad text file will appear.
    6. Copy the contents of that file and post it in your next reply. The log can also be found, based on the date/time it was created, as C:\_OTL\MovedFiles\MMDDYYYY_HHMMSS.log.


  4. Run DDS
    1. Right-click the DDS icon on your Desktop and select Run As Administrator to run the program.
    2. Two logs will open when the scan is complete
      • DDS.txt
      • Attach.txt
    3. Post the contents of both logs in your reply.


Please include in your reply (use separate replies if more convenient):
  1. The text of any error messages and/or a description of any problems you encountered while performing these steps.
  2. The contents of the OTL fix logs.
  3. The contents of the DDS.txt and Attach.txt logs


mambass
User avatar
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 9th, 2012, 11:39 am

I. Perform a Custom Fix with OTL:

========== PROCESSES ==========
All processes killed
========== FILES ==========
File\Folder C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} not found.
File\Folder C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} not found.
File\Folder C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} not found.
File\Folder C:\Users\Delvin\AppData\Roaming\ParetoLogic not found.
File\Folder C:\Users\Delvin\AppData\Roaming\DriverCure not found.
File\Folder C:\ProgramData\ParetoLogic not found.
File\Folder C:\Program Files\McAfee not found.
File\Folder C:\Program Files\4shared.com not found.
File\Folder C:\Program Files\Zynga not found.
File\Folder C:\Program Files\Online_Radio_India not found.
File\Folder C:\Program Files\FilmFanaticEI not found.
File\Folder C:\Program Files\ConduitEngine not found.

OTL by OldTimer - Version 3.2.39.2 log created on 04092012_231757

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 9th, 2012, 11:50 am

II. Perform a Custom Fix with OTL:

All processes killed
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Delvin
->Temp folder emptied: 37813 bytes
->Temporary Internet Files folder emptied: 5784458 bytes
->Java cache emptied: 4049 bytes
->FireFox cache emptied: 49472039 bytes
->Google Chrome cache emptied: 37720045 bytes
->Flash cache emptied: 470 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 13976827 bytes
RecycleBin emptied: 965537087 bytes

Total Files Cleaned = 1,023.00 mb


OTL by OldTimer - Version 3.2.39.2 log created on 04092012_234129

Files\Folders moved on Reboot...
C:\Windows\temp\wbxtra_04092012_232537.wbt moved successfully.

Registry entries deleted on Reboot...
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 9th, 2012, 11:54 am

III. Perform a Custom Fix with OTL:

========== COMMANDS ==========


OTL by OldTimer - Version 3.2.39.2 log created on 04092012_235349
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 9th, 2012, 12:07 pm

IV. Run DDS:

sorry i couldn't locate DDS icon in my comp. would u mind guiding me how to download it again?

Rdgs,
Delvin
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby mambass » April 9th, 2012, 12:12 pm

Hi Delvin, :)

The instructions for downloading DDS can be found here.

mambass
User avatar
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 9th, 2012, 5:10 pm

Hihi mambass,:)

below are the logs for DDS and Attach. i did not run as administrator.

DDS.txt logs:

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Delvin at 0:19:58 on 2012-04-10
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.65.1033.18.3573.1741 [GMT 8:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\aestsrv.exe
C:\Windows\system32\atashost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\FsUsbExService.Exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\WinZip\WZQKPICK32.EXE
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wuauclt.exe
C:\Users\Delvin\Desktop\OTL.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Delvin\Desktop\dds.scr
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = Preserve
uWindow Title = Internet Explorer provided by Dell
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [NPSStartup]
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\delvin\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK32.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://kitchenplanner.ikea.com/US/Core/ ... _Win32.cab
DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/Messenger ... 109791.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/So ... b56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/Messenger ... E_UNO1.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/200 ... ader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} - hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB
DPF: {B151B524-F451-4036-9663-B3944FA710DF} - hxxp://www.cpf.gov.sg/cpf_info/ehelpdesk/ehelpdesk.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/ ... emLite.CAB
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/Me ... b56907.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/Mi ... b56986.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\delvin\appdata\roaming\mozilla\firefox\profiles\qeffn5z8.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff10.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff5.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff6.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff7.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff8.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff9.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\tvuplayer\npTVUAx.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg2012\Firefox4
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-10-7 73728]
R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2011-10-28 43912]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-5-2 161048]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-12-11 238952]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-12-11 36608]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-10-8 111616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-04-08 14:37:56 -------- d-----w- C:\_OTL
2012-04-08 05:52:01 39424 ----a-w- C:\hidclasscopy.sys
2012-04-08 05:52:01 12800 ----a-w- C:\hidusbcopy.sys
2012-04-07 13:33:10 144 ----a-w- C:\MWRcopy.bat
2012-04-07 11:48:45 -------- d-----w- c:\users\delvin\appdata\local\WinZip
2012-03-29 08:33:36 -------- d-----w- c:\program files\Marvell
2012-03-28 18:56:51 -------- d-----w- c:\program files\Cisco
2012-03-28 18:54:41 18424 ----a-w- c:\windows\system32\drivers\bcm42rly.sys
2012-03-28 18:54:41 1591 ----a-w- c:\windows\system32\Uninst_EAPModules.bat
2012-03-28 18:54:39 65536 ----a-w- c:\windows\system32\wltrynt.dll
2012-03-28 18:54:39 6369280 ----a-w- c:\windows\system32\BCMWLCPL.CPL
2012-03-28 18:54:39 55808 ----a-w- c:\windows\system32\bcmwlrmt.dll
2012-03-28 18:54:39 286720 ----a-w- c:\windows\system32\bcmwlu00.exe
2012-03-28 18:54:38 3563520 ----a-w- c:\windows\system32\WLTRAY.EXE
2012-03-28 18:54:38 2654208 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2012-03-28 18:54:38 24064 ----a-w- c:\windows\system32\WLTRYSVC.EXE
2012-03-28 18:54:37 163840 ----a-w- c:\windows\system32\bcmwlapi.dll
2012-03-24 04:35:45 6582328 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f09cab12-a79a-4b1b-bddf-d9baf4c4ae7d}\mpengine.dll
2012-03-24 04:34:42 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-24 04:34:40 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-24 04:34:40 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-24 04:34:40 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-24 04:34:40 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-24 04:34:40 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-24 04:34:39 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-03-24 04:34:38 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-24 04:34:38 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
==================== Find3M ====================
.
2012-03-29 08:38:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-21 16:40:09 30208 ----a-w- c:\windows\system32\ddrawex.dll
2012-03-21 16:40:04 130560 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2012-03-21 16:39:57 81920 ----a-w- c:\windows\system32\dwm.exe
2012-03-07 15:04:13 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 01:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-25 10:23:10 313120 ----a-w- c:\windows\system32\drivers\yk60x86.sys
.
============= FINISH: 0:21:00.04 ===============

Attach.txt logs:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-05-19.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 7/10/2008 11:59:12 PM
System Uptime: 9/4/2012 11:43:30 PM (1 hours ago)
.
Motherboard: Dell Inc. | | 0U990C
Processor: Intel(R) Core(TM)2 Duo CPU T5800 @ 2.00GHz | Microprocessor | 2000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 136 GiB total, 74.971 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 5.127 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Acrobat.com
ADInstruments LabChart 7.1
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.2)
Adobe Shockwave Player 11
Advanced Audio FX Engine
Advanced Video FX Engine
Avanquest update
AVG 2012
Bing Bar
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Citrix online plug-in - web
Citrix online plug-in (DV)
Citrix online plug-in (HDX)
Citrix online plug-in (USB)
Citrix online plug-in (Web)
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
D3DX10
Dell Dock
Dell Getting Started Guide
Dell Support Center
Dell Touchpad
Dell Webcam Center
Dell Webcam Manager
Dell Wireless WLAN Card Utility
Digital Line Detect
DVD Decrypter (Remove Only)
EDocs
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Highlight Viewer (Windows Live Toolbar)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Deskjet 1050 J410 series Basic Device Software
HP Deskjet 1050 J410 series Help
HP Photo Creations
HP Update
Intel(R) Matrix Storage Manager
Java Auto Updater
Java(TM) 6 Update 31
Junk Mail filter update
Laptop Integrated Webcam Driver (1.04.01.1011)
Linksys Wireless-G USB Network Adapter
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
Marvell Miniport Driver
MediaDirect
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Modem Diagnostic Tool
Motorola Phone Tools
Mozilla Firefox (3.6.12)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
Network Magic
OutlookAddinSetup
PC Connectivity Solution
Pure Networks Platform
QuickSet
SAMSUNG Intelli-studio
Samsung New PC Studio
SAMSUNG SYMBIAN USB Download Driver
SAMSUNG USB Driver for Mobile Phones
SamsungConnectivityCableDriver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Segoe UI
Skype Toolbars
Skype™ 5.0
Smart Menus (Windows Live Toolbar)
TVUPlayer 2.5.3.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Veetle TV 0.9.17
WebEx
WebEx Support Manager for Internet Explorer
WIDCOMM Bluetooth Software 6.0.1.3100
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Live Communications Platform
Windows Live Essentials
Windows Live Favorites for Windows Live Toolbar
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinZip 16.0
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
9/4/2012 11:46:57 PM, Error: Service Control Manager [7034] - The Pure Networks Platform Service service terminated unexpectedly. It has done this 1 time(s).
9/4/2012 11:46:06 PM, Error: Service Control Manager [7022] - The Pure Networks Platform Service service hung on starting.
9/4/2012 11:45:31 PM, Error: Service Control Manager [7023] - The WPDBusEnum service terminated with the following error: WPDBusEnum is not a valid Win32 application.
9/4/2012 11:45:31 PM, Error: Service Control Manager [7023] - The WLAN AutoConfig service terminated with the following error: WLAN AutoConfig is not a valid Win32 application.
9/4/2012 11:45:31 PM, Error: Service Control Manager [7023] - The TrkWks service terminated with the following error: TrkWks is not a valid Win32 application.
9/4/2012 11:45:31 PM, Error: Service Control Manager [7023] - The TabletInputService service terminated with the following error: TabletInputService is not a valid Win32 application.
9/4/2012 11:45:31 PM, Error: Service Control Manager [7023] - The LanmanServer service terminated with the following error: LanmanServer is not a valid Win32 application.
9/4/2012 11:45:31 PM, Error: Service Control Manager [7023] - The DPS service terminated with the following error: DPS is not a valid Win32 application.
9/4/2012 11:45:31 PM, Error: Service Control Manager [7023] - The CryptSvc service terminated with the following error: CryptSvc is not a valid Win32 application.
9/4/2012 11:45:31 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the LanmanServer service which failed to start because of the following error: Computer Browser is not a valid Win32 application.
9/4/2012 11:45:31 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
9/4/2012 10:11:48 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Windows Internet Explorer 9 for Windows Vista.
9/4/2012 10:11:48 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070426: Update Rollup for ActiveX Killbits for Windows Vista (KB2647518).
9/4/2012 10:08:57 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KB2647518 (Security Update) into Resolved(Resolved) state
8/4/2012 11:22:27 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/4/2012 11:22:26 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
8/4/2012 11:22:26 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
8/4/2012 10:50:53 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the XAudioService service to connect.
8/4/2012 10:50:53 PM, Error: Service Control Manager [7000] - The XAudioService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/4/2012 6:10:55 PM, Error: EventLog [6008] - The previous system shutdown at 12:43:14 AM on 7/4/2012 was unexpected.
6/4/2012 9:57:29 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.100.2 for the Network Card with network address 00219BEA4909 has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
6/4/2012 9:56:54 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 116.87.20.126 for the Network Card with network address 00219BEA4909 has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
6/4/2012 8:08:40 AM, Error: Service Control Manager [7043] - The AVG WatchDog service did not shut down properly after receiving a preshutdown control.
6/4/2012 11:18:17 PM, Error: Service Control Manager [7043] - The Group Policy Client service did not shut down properly after receiving a preshutdown control.
.
==== End Of File ===========================

Rdgs,
Delvin
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby mambass » April 9th, 2012, 5:17 pm

Hi Delvin, :)

Could you please run them again right-clicking the icon and selecting Run As Administrator? There's something that I want to see that I'm not seeing.

Thanks!

mambass
User avatar
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 10th, 2012, 9:40 am

Hi mambass,:)

Actually i meant to say i didn't run as administrator b'coz there is no such option when i right-click on the icon. There are "test", "configure" and "install" options. The icon file is in .scr type.

I also tried to d/l another icon file which is in .com type. No run as administrator option either. Any idea? thanks

Rdgs,
Delvin
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby mambass » April 11th, 2012, 11:12 am

Hi Delvin, :)

I'm concerned that DDS is not reporting the presence of any System Restore Points. Let see if any exist and if there are any issues related to System Restore Points.

  1. Download and Run Farbar Service Scanner
    1. Click here to download FSS.exe by Farbar and save it to your Desktop.
    2. Right-click the FSS.exe icon on your Desktop and select Run As Administrator to run the program.
    3. Check (tick) the following boxes
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center/Action Center
      • Windows Update
      • Windows Defender
    4. Click the Scan button.
    5. File FSS.txt will appear on your Desktop once the scan has completed and will also be opened in a Notepad window. Please provide the contents of this log in your reply.

  2. Check for existing System Restore Points
    1. Click Start and then in the Start Search Box type System Restore and press the Enter key. The System Restore wizard should be displayed.
    2. Click the Next button. A list of System Restore Points should be displayed.
    3. Report back in your reply the Description (name) of the System Restore Points that have been created in the past week.
    4. Click the Cancel button to exit the wizard. We do not want to perform a system restore but rather simply identify recently created restore points.


Please include in your reply:
  1. The text of any error messages and/or a description of any problems you encountered while performing these steps.
  2. The contents of the FSS.txt log.
  3. The Description (name) of the System Restore Points created in the past week.


mambass
User avatar
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 12th, 2012, 10:34 am

Hihi mambass, :)

2. The contents of the FSS.txt log:

Farbar Service Scanner Version: 01-03-2012
Ran by Delvin (administrator) on 12-04-2012 at 22:32:08
Running from "C:\Users\Delvin\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.


System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
cryptsvc Service is not running. Checking service configuration:
The start type of cryptsvc service is OK.
The ImagePath of cryptsvc service is OK.
The ServiceDll of cryptsvc service is OK.
Checking LEGACY_cryptsvc: Attention! Unable to open LEGACY_cryptsvc\0000 registry key. The key does not exist.


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll
[2008-01-21 10:23] - [2008-01-21 10:23] - 0104960 ____A () C515D79B2EF26CC77838375423C1BEE6

C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2009-09-19 00:48] - [2009-04-11 14:28] - 0000000 ____A ()

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 12th, 2012, 10:47 am

3. The Description (name) of the System Restore Points created in the past week:

Install: Windows update (the date is today, 20 mins ago when i switch on my comp).
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 12th, 2012, 10:53 am

Hihi mambass, :)

to clarify, i did see a "restore point successfully created" message back then when i created it at the start of the malware removal as per ur instructions.

Rdgs,
Delvin
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 33 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware